Re: [Openvpn-users] Using OpenVPN to assign public IPs


  • Subject: Re: [Openvpn-users] Using OpenVPN to assign public IPs
  • From: Cirroc <cirroc@xxxxxxxxx>
  • Date: Wed, 07 Nov 2007 10:35:04 -0500

The application pulls a list of IPs automatically from a central host 
that runs on a public IP address. Since this is a legacy application, I 
can't easily modify how this works.

Those venet0:0 are the ethernet interfaces which the server provides; I 
suspect they are virtualized ethernet connections, since this is a 
virtual machine. There is one of those per public IP address of the machine.

I'm comfortable with the scaling of running this on a virtual machine; 
the disk IO load should be low, even if net IO gets up there. It allows 
me to move it to a larger/smaller box as needed.


David Balazic wrote:
> 1.) How do you tell the application to what address it should connect?
> Example: A wants to connect to B. How does it go? Manually enter the 
> address of B?
>  
> 2.) What exactly is venetX?
>  
>  
> Regards,
> David
>
> *From:* openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Cirroc
> *Sent:* Wed 07-Nov-07 15:26
> *To:* openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> *Subject:* [Openvpn-users] Using OpenVPN to assign public IPs
>
> Good Afternoon,
>
> I've been running into the wall with an OpenVPN installation, and was
> hoping someone might have experience or ideas on how to figure out the
> best way to proceed.
> I've been hitting my head against the wall on this for a while, but
> perhaps someone more experienced with OpenVPN can make this a bit easier.
>
> We're trying to support a legacy application, originally written in the
> mid 1990s. The application is designed to talk directly peer to peer. It
> connects to the other machines directly.
> We're working on replacing the legacy system,  but until we do, it's the
> world we're stuck with, and we're trying to make it work at all.
>
> Essentially, we need any arbitrary machine to be able to have a public
> IP on the real internet, so both users WITH the vpn or WITHOUT the VPN
> can see them.
>
> Our first attempt to fix this involved  using OpenVPN to put them all on
> one virtual LAN. Each person who installed our test OpenVPN client was
> given a 10.8.0.X address, and could connect to all the other machines.
> This functioned well, and we were excited, but we'd like to go one step
> further.
> The problem is that currently, people who don't have the VPN client
> installed can't connect to those who do. We'd like to set up OpenVPN to
> hand out publicly routable IP addresses, such that the outside world can
> then contact each user running the VPN client.
>
> We've rented a virtual server for testing, that has a series of IP
> addresses in the form of venet0, 1, etc, as shown below.
>
> venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:XX.XX.XX.XXX1  P-t-P:XX.XX.XX.XXXX  Bcast:XX.XX.XX.XXXX  Mask:255.255.255.255
>
> venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:XX.XX.XX.XXX2  P-t-P:XX.XX.XX.XXXX  Bcast:XX.XX.XX.XXXX  Mask:255.255.255.255
>
> venet0:2  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:XX.XX.XX.XXX3  P-t-P:XX.XX.XX.XXXX  Bcast:XX.XX.XX.XXXX  Mask:255.255.255.255
>
> venet0:3  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:XX.XX.XX.XXX4  P-t-P:XX.XX.XX.XXXX  Bcast:XX.XX.XX.XXXX  Mask:255.255.255.255
>
> We'd love to have someone work with us to help set this up.
>
> An example of how this might be used:
>
> user A isn't behind a firewall.
> user B is behind a Linksys NAT device, with the ports forwarded
> user C is behind a Linksys NAT device, without the ports forwarded.
> user D is behind a different Linksys NAT device, without the ports
> forwarded.
>
> Currently, users A and B can connect to one another all they want. The
> program works, just like it did in the mid 90s. No firewalls get in the
> way.
> If one of them tries to connect to user C, their connection is blocked
> when the program tries to do the P2P connection to them.
> If B and C try to connect, it doesn't work at all.
>
> Instead, I've currently set up a test VPN, so that they get a 10.8.0.X
> address. User C and D install this VPN and can connect to each other,
> since they are behind the LAN, but user B and A can't connect to either
> of them, since their IP isn't public.
>
> If we gave user C and D a public IP when they install the VPN, they can
> connect to A or B easily, but still talk with each other (C and D).
>
> Does that make sense?
>
>
> We're working on cleaning up this mess by re-writing and refactoring,
> but until it's set up, we need a way to make it work. There have been
> guides to setting up the port forwarding for years, but that's too
> complex for most of the users.
> With a VPN package, I can have them all share a key, so it's just a
> point and click install. I'm not worried about the security of it, since
> all you can do through the VPN is use the ports which we're leaving open
> for the program.
> Essentially, since all the traffic passes through the server, I can use
> iptables to restrict the traffic to only the few known-good ports that
> the application needs.
>
> I'd love any help or thoughts in setting this up. It feels so close,
> yet so frustratingly far away.
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
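
The port restriction described in the quoted post ("use iptables to restrict the traffic to only the few known-good ports"), as an added example that is not part of the thread or of OpenVPN itself. The interface name `tun0`, the `10.8.0.0/24` pool (the 10.8.0.X range from the post) and both port numbers are assumptions; the thread never names the application's ports.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that forwards only the
# application's ports through the VPN interface and drops everything else.
# Caveat: with OpenVPN's client-to-client option enabled, traffic between
# clients is relayed inside the OpenVPN process and never reaches FORWARD,
# so these rules filter client-to-client traffic only when it is left off.

emit_forward_rules() {
    vpn_if=$1; vpn_net=$2; shift 2
    # Validate every proto/port pair first so a typo emits no partial ruleset.
    for spec in "$@"; do
        proto=${spec%%/*}; port=${spec#*/}
        case $proto in tcp|udp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port: $spec" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $spec" >&2; return 1; }
    done
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    # Replies belonging to flows that were already permitted.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for spec in "$@"; do
        proto=${spec%%/*}; port=${spec#*/}
        # From a VPN client to any peer, application port only.
        echo "-A FORWARD -i $vpn_if -s $vpn_net -p $proto --dport $port -j ACCEPT"
        # From any peer to a VPN client, application port only.
        echo "-A FORWARD -o $vpn_if -d $vpn_net -p $proto --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset for review. Loading it with iptables-restore replaces
# the existing filter-table rules, so merge it with the host's own rules first.
# Ports 4000/tcp and 4001/udp are placeholders, not the real application's.
emit_forward_rules tun0 10.8.0.0/24 tcp/4000 udp/4001
```

Because every client shares one key in the setup described, these rules are the only per-client control; they limit which ports are reachable, not which client is allowed to connect.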
