
Re: [Openvpn-users] Client Lan Addressing

  • Subject: Re: [Openvpn-users] Client Lan Addressing
  • From: Colin Ryan <colinr@xxxxxxxx>
  • Date: Tue, 16 Oct 2007 14:19:02 -0400

Not 100% sure to be honest.

I know that bridging is nice and transparent but has its own set of issues:

a) Slightly more difficult to secure and manage from a firewalling 
perspective as it's operating at the Ethernet level.

b) It does not - to my knowledge - get you away from issues of IP 
overlap; sure, you can specify the range of bridged IPs that get handed 
out to be outside "typical norms", but that's not 100%.

c) Some other potential issues such as send/receipt of DHCP packets etc.

Technically I believe the OVPN guys recommend tunnel mode if you can.

As for why Cisco client has no such problems I can only guess that

a) It's doing bridging
b) The VPN Server is your PIX which is likely also your firewall and 
default router so there is no default route that the server side needs 
to be aware of regarding access to the server side networks, because it 
is the router itself.

I use the host routing a lot, because if one really looks at the 
requirements it generally isn't every system in the LAN that needs to be 
gained access to.

Another back of the napkin solution might be some sort of VLAN so that 
you can virtually renumber the remote network...

I'd be curious myself what someone else might have to say on this topic.

JJB wrote:
> Colin Ryan wrote:
>> OpenVPN will put the "priority" of the routes for the remote network 
>> higher than the local. However this will still cause issues in two 
>> cases.
>> a) The remote IP address is exactly the IP address of the local 
>> client (no solution).
>> b) The remote networks default gateway is the same as the local.
>> The only solution I've found for b) is to a) push down host routes 
>> only, i.e. if you only have a few remote machines you want to access 
>> push the host route down instead of network route i.e. instead of 
>> pushing "" push " 
>>" or change your default route remotely to something 
>> not likely encountered, i.e or something.
>> C
>> JJB wrote:
>>> Hello,
>>> If a LAN has the same address range (192.168.1.x) as the LAN that an 
>>> OpenVPN client is trying to connect *from*, should that affect the 
>>> ability to connect? If so, how does one set up OpenVPN to handle the 
>>> variety of situations that a laptop will encounter - there is a high 
>>> likelihood that there are many internet cafes, for instance, that 
>>> have the same IP address range.
>>> Thanks,
>>>  - Joel
>>> _______________________________________________
>>> Openvpn-users mailing list
>>> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
>>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> Thanks Colin,
> Both of those scenarios are what we are dealing with: our default 
> gateway is That machine is the openvpn box and also the 
> DHCP server for our LAN.
> Changing our LAN addressing would mean visiting a large number of 
> fixed IP workstations, our servers IP addressing and changing any 
> script with an (unfortunately) hard coded address.
> Is there another mode to run Openvpn where this might not be an issue? 
> I think it has bridge mode and router mode.
> For some reason, the Cisco vpn client we have been using with our PIX, 
> which is what we are trying to migrate away from, does not have a 
> problem in this area. Any idea why that would work when OpenVPN doesn't?
> - Joel
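As an added illustration of the host-route workaround Colin describes (this is not code from the thread or from the OpenVPN project): the script below checks a roaming client's local LAN against the office LAN for the two overlap cases (a) and (b), and emits the server-side push lines, a single network route when there is no overlap, or /32 host routes for just the machines the user needs when there is. All addresses and hosts are constructed sample values.

```python
import ipaddress

# Constructed sample (not from the thread): the laptop sits in an internet
# cafe on 192.168.1.0/24 behind gateway 192.168.1.1, while the office LAN
# behind the OpenVPN server is also 192.168.1.0/24 with gateway 192.168.1.1,
# i.e. case (b) from the discussion. The office hosts are hypothetical.
CAFE = {"net": "192.168.1.0/24", "gw": "192.168.1.1", "client_ip": "192.168.1.37"}
OFFICE = {"net": "192.168.1.0/24", "gw": "192.168.1.1",
          "hosts": ["192.168.1.10", "192.168.1.20"]}


def classify_overlap(local, remote):
    """Return the problems a routed (tun) client would hit, in a fixed order.

    'overlap'   : the subnets share addresses, so a plain network route
                  competes with the client's directly connected LAN route.
    'gateway'   : the remote default gateway is also the client's local
                  gateway (case b in the thread).
    'client-ip' : a needed remote host has the client's own address
                  (case a in the thread: no route can fix this).
    """
    local_net = ipaddress.ip_network(local["net"])
    remote_net = ipaddress.ip_network(remote["net"])
    problems = []
    if local_net.overlaps(remote_net):
        problems.append("overlap")
    if ipaddress.ip_address(local["gw"]) == ipaddress.ip_address(remote["gw"]):
        problems.append("gateway")
    if ipaddress.ip_address(local["client_ip"]) in map(ipaddress.ip_address, remote["hosts"]):
        problems.append("client-ip")
    return problems


def push_directives(local, remote):
    """Build the server-side 'push "route ..."' lines for this client.

    Without overlap one network route suffices. With overlap, push /32 host
    routes only for the machines actually needed: the more specific routes
    win over the connected /24, and the client keeps its local gateway for
    everything else. A cafe host with the same IP as an office host is still
    hidden behind the tunnel, which is the residual cost of this approach.
    """
    problems = classify_overlap(local, remote)
    if "client-ip" in problems:
        raise ValueError("a needed remote host has the client's own address; host routes cannot help")
    remote_net = ipaddress.ip_network(remote["net"])
    if not problems:
        return [f'push "route {remote_net.network_address} {remote_net.netmask}"']
    return [f'push "route {ipaddress.ip_address(h)} 255.255.255.255"' for h in remote["hosts"]]
```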
