Re: [Openvpn-users] OpenVPN 192.168.30.1 client to 192.168.10.1 server, bridge LANs


  • Subject: Re: [Openvpn-users] OpenVPN 192.168.30.1 client to 192.168.10.1 server, bridge LANs
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Wed, 16 Jan 2008 00:56:38 -0600
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID029maPg5U0053X28

Jeff Kowalczyk wrote:
I'm trying to establish a bridged connection between two LANs with two OpenWRTs
(WRT65GL, kamikaze release) running OpenVPN 2.0.9.

You don't want bridging.  In a bridged setup both your LAN networks would need to be the same subnet and would thus share broadcast services such as DHCP between them (unless otherwise firewalled).  From your unique LAN subnets I'm assuming your goal is to exchange IP data between the clients of both LANs, in which case you shouldn't use bridging.

Try this as your modified config for the LAN1 router:

/etc/openvpn/server.conf
# routed (layer 3) tunnel rather than a tap bridge
dev tun0
local 5.6.7.162
remote 5.6.7.179
port 1194
# this end / far end of the point-to-point tunnel subnet
ifconfig 10.8.0.1 10.8.0.2
# LAN2 is reached through the tunnel
route 192.168.30.0 255.255.255.0
# the same static key must be installed on both routers
secret /etc/openvpn/openvpn.key
daemon

And this for LAN2:

/etc/openvpn/server.conf
dev tun0
# no "local" needed here; this side initiates to LAN1's public address
remote 5.6.7.162
port 1194
# mirror image of the LAN1 ifconfig line
ifconfig 10.8.0.2 10.8.0.1
# LAN1 is reached through the tunnel
route 192.168.10.0 255.255.255.0
secret /etc/openvpn/openvpn.key
daemon

This will cause each router to connect to the other over a separate subnet used to glue the two together and make each side aware of the other's network.  You'll probably also need to add another rule to your iptables script to allow forwarded packets out on the tun0 interface, i.e.: `iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT`.  You can also tear down the br-lan bridge since you won't need it in a routed configuration.

You'll notice that in the samples above I didn't push anything or set the client to pull directives from the server.  This is because making the server aware of how to route to the client's LAN in such a setup requires the use of ccd files with an iroute declaration.  If you need to have more than 1 VPN client connected each with a unique subnet behind it you will need to set this up.  If not, this setup is much easier.

As a side note, if these VPN hosts are not the default gateway at each location you will also need to add a static route on your default gateway so it knows to send packets bound for the other network to the VPN host and not out to the Internet.

I can't get any packets transmitted between the two LANs. I have replicated
http://forum.openwrt.org/viewtopic.php?pid=10701#p10701 (e.g. 10.0.0.1,2)
exactly with the expected result, but am having trouble replicating that
success on the actual LANs.

I'm in need of some advice, any suggestions are greatly appreciated:

The LAN networks are:

	LAN1: 192.168.10.0   (DHCP .50-.130, static .2-.6)
	LAN2: 192.168.30.0   (DHCP .10-.130)

The OpenWRT public IP addresses (fictionalized) are:

	IP1: 5.6.7.162    (fictional)
	IP2: 5.6.7.179    (fictional)

OpenVPN Config on IP1/LAN1:

	/etc/openvpn/server.conf
	dev tap0
	local 5.6.7.162
	remote 5.6.7.179
	port 1194
	server-bridge 192.168.10.137 255.255.255.0 192.168.10.138 192.168.10.254
	push "route 192.168.10.0 255.255.255.0"
	secret /etc/openvpn/openvpn.key
	daemon

OpenVPN Config on IP2/LAN2:

	/etc/openvpn/client.conf:
	client
	dev tap0
	remote 5.6.7.162
	port 1194
	secret /etc/openvpn/openvpn.key
	daemon

-- 
Josh
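As an added example, not from the thread or from OpenVPN itself: a small Python checker that parses a pair of static-key point-to-point configs like the two in the reply above and reports the mismatches this thread turns on (tap/server-bridge/client directives where a routed tun setup is wanted, no route for the peer's LAN, ifconfig addresses that do not mirror each other, differing ports). The embedded config text is copied from the reply, with its fictional public IPs; the LAN tuples are supplied by the caller.

```python
# Config text copied from the reply above (fictional public IPs as given there).
LAN1_CONF = """dev tun0
local 5.6.7.162
remote 5.6.7.179
port 1194
ifconfig 10.8.0.1 10.8.0.2
route 192.168.30.0 255.255.255.0
secret /etc/openvpn/openvpn.key
daemon"""
LAN2_CONF = """dev tun0
remote 5.6.7.162
port 1194
ifconfig 10.8.0.2 10.8.0.1
route 192.168.10.0 255.255.255.0
secret /etc/openvpn/openvpn.key
daemon"""

def parse_conf(text):
    """Return {directive: [args, ...]} with one args list per occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            parts = line.split()
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def check_p2p_pair(text_a, text_b, lan_a, lan_b):
    """List problems in a static-key routed pair; [] means the two sides agree.
    lan_a / lan_b are (network, netmask) tuples for the LAN behind each side."""
    a, b = parse_conf(text_a), parse_conf(text_b)
    problems = []
    for name, c, peer_lan in (("A", a, lan_b), ("B", b, lan_a)):
        dev = c.get("dev", [["?"]])[0]
        if not dev or not dev[0].startswith("tun"):
            problems.append(f"{name}: routed LAN-to-LAN needs a tun device, not tap")
        if "secret" not in c or "ifconfig" not in c:
            problems.append(f"{name}: static-key p2p mode needs both 'secret' and 'ifconfig'")
        if "server-bridge" in c or "client" in c:
            problems.append(f"{name}: 'server-bridge'/'client' do not belong in a p2p static-key config")
        if peer_lan not in {tuple(r[:2]) for r in c.get("route", [])}:
            problems.append(f"{name}: no 'route' for the peer LAN {peer_lan[0]}/{peer_lan[1]}")
    if "ifconfig" in a and "ifconfig" in b:
        ia, ib = a["ifconfig"][0][:2], b["ifconfig"][0][:2]
        if ia != ib[::-1]:                     # A's local must be B's remote and vice versa
            problems.append("ifconfig local/remote addresses do not mirror each other")
    if a.get("port", [["1194"]])[0] != b.get("port", [["1194"]])[0]:
        problems.append("port directives differ")
    return problems
```

Running it on the original tap/server-bridge pair from the question would flag the device type, the bridge and client directives and the missing ifconfig and route lines in one pass.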
