
Re: [Openvpn-users] OpenVPN 192.168.30.1 client to 192.168.10.1 server, bridge LANs


  • Subject: Re: [Openvpn-users] OpenVPN 192.168.30.1 client to 192.168.10.1 server, bridge LANs
  • From: Jeff Kowalczyk <jtk@xxxxxxxxx>
  • Date: Wed, 16 Jan 2008 02:13:43 -0500

On Wed, 16 Jan 2008 00:56:38 -0600, Josh Cepek wrote:
> Jeff Kowalczyk wrote:
>> I'm trying to establish a bridged connection between two LANs with two OpenWRTs
>> (WRT65GL, kamikaze release) running OpenVPN 2.0.9.
>>   
> 
> You don't want bridging.  In a bridged setup both your LAN networks 
> would need to be the same subnet and would thus share broadcast services 
> such as DHCP between them (unless otherwise firewalled.)  From your 
> unique LAN subnets I'm assuming your goal is to exchange IP data between 
> the clients of both LANs, in which case you shouldn't use bridging.

Thanks for the reply, it's very informative. Before I change to routing, I
should mention that this is an (unscheduled) migration from an IPSec IKE
VPN.

The Windows PCs on both subnets are looking to a Windows Domain
Controller on LAN1 for DHCP, Active-Directory integrated DNS and
file/printer sharing.

LAN2 is small, and the dozen or so PCs could be migrated to
192.168.10.150+, sharing a bridged subnet with 192.168.10.2-150 on LAN2.

In light of those considerations, do I still want to use routing over
bridging?

Thanks again for the details on the routed configuration. I will try it
out and report back.

Jeff

> Try this as your modified config for the LAN1 router:
> 
> /etc/openvpn/server.conf
> dev tun0
> local 5.6.7.162
> remote 5.6.7.179
> port 1194
> ifconfig 10.8.0.1 10.8.0.2
> route 192.168.30.0 255.255.255.0
> secret /etc/openvpn/openvpn.key
> daemon
> 
> 
> And this for LAN2:
> 
> /etc/openvpn/server.conf
> dev tun0
> remote 5.6.7.162
> port 1194
> ifconfig 10.8.0.2 10.8.0.1
> route 192.168.10.0 255.255.255.0
> secret /etc/openvpn/openvpn.key
> daemon
> 
> 
> This will cause each router to connect to the other over a separate 
> subnet used to glue the 2 together and make each side aware of the 
> other's network.  You'll probably also need to add another rule to your 
> iptables script to allow forwarded packets out on the tun0 interface, 
> i.e. `iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT`.  You also can tear 
> down the br-lan bridge since you won't need it in a routed configuration.
> 
> You'll notice that in the samples above I didn't push anything or set 
> the client to pull directives from the server.  This is because making 
> the server aware of how to route to the client's LAN in such a setup 
> requires the use of ccd files with an iroute declaration.  If you need 
> to have more than 1 VPN client connected each with a unique subnet 
> behind it you will need to set this up.  If not, this setup is much easier.
> 
> As a side note, if these VPN hosts are not the default gateway at each 
> location you will also need to add a static route on your default 
> gateway so it knows to send packets bound for the other network to the 
> VPN host and not out to the Internet.
> 
>> I can't get any packets transmitted between the two LANs. I have replicated
>> http://forum.openwrt.org/viewtopic.php?pid=10701#p10701 (e.g. 10.0.0.1,2)
>> exactly with the expected result, but am having trouble replicating that
>> success on the actual LANs.
>>
>> I'm in need of some advice, any suggestions are greatly appreciated:
>>
>> The LAN networks are:
>>
>> 	LAN1: 192.168.10.0   (DHCP .50-.130, static .2-.6)
>> 	LAN2: 192.168.30.0   (DHCP .10-.130)
>>
>> The OpenWRT public IP addresses (fictionalized) are:
>>
>> 	IP1: 5.6.7.162    (fictional)
>> 	IP2: 5.6.7.179    (fictional)
>>
>> OpenVPN Config on IP1/LAN1:
>>
>> 	/etc/openvpn/server.conf
>> 	dev tap0
>> 	local 5.6.7.162
>> 	remote 5.6.7.179
>> 	port 1194
>> 	server-bridge 192.168.10.137 255.255.255.0 192.168.10.138 192.168.10.254
>> 	push "route 192.168.10.0 255.255.255.0"
>> 	secret /etc/openvpn/openvpn.key
>> 	daemon
>>
>> OpenVPN Config on IP2/LAN2:
>>
>> 	/etc/openvpn/client.conf:
>> 	client
>> 	dev tap0
>> 	remote 5.6.7.162
>> 	port 1194
>> 	secret /etc/openvpn/openvpn.key
>> 	daemon
>>

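The routed, static-key, point-to-point setup Josh describes, worked through as an added example (this is not code from the thread or from OpenVPN itself). The script generates the server.conf for either router, the iptables rules and the static route Josh mentions for a default gateway that is not the VPN host, and lints a config for the combination the original bridged attempt used: `secret` selects static-key mode (no TLS), which cannot be combined with the TLS/server-mode helpers `client`, `server` and `server-bridge`. Public and LAN addresses are the thread's fictional ones; the router LAN addresses 192.168.10.1/192.168.30.1 are taken from the subject line; `eth0` as the LAN interface once br-lan is gone, the key path, the cipher override and the per-LAN source/destination filters are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN's own code): build the
# routed, static-key, point-to-point setup for either site, emit the
# matching iptables/route commands, and lint a config for the directive
# mix the original bridged attempt used.
# Public and LAN addresses are the thread's fictional ones; LAN_IF, KEY,
# the cipher and the per-LAN filters are this example's assumptions.

IP1=5.6.7.162; LAN1=192.168.10.0; VPN1=192.168.10.1   # site 1; router LAN address from the subject
IP2=5.6.7.179; LAN2=192.168.30.0; VPN2=192.168.30.1   # site 2
MASK=255.255.255.0
P2P1=10.8.0.1; P2P2=10.8.0.2        # tun0 "glue" addresses between the routers
LAN_IF=eth0                         # LAN interface once br-lan is gone (assumption)
KEY=/etc/openvpn/openvpn.key        # identical static key on both routers
PORT=1194

# site_vars 1|2: set ME/PEER (public), TUN_ME/TUN_PEER, NEAR/FAR (LANs), NEAR_VPN
site_vars() {
    case "$1" in
        1) ME=$IP1; PEER=$IP2; TUN_ME=$P2P1; TUN_PEER=$P2P2; NEAR=$LAN1; FAR=$LAN2; NEAR_VPN=$VPN1 ;;
        2) ME=$IP2; PEER=$IP1; TUN_ME=$P2P2; TUN_PEER=$P2P1; NEAR=$LAN2; FAR=$LAN1; NEAR_VPN=$VPN2 ;;
        *) echo "site must be 1 or 2" >&2; return 1 ;;
    esac
}

# gen_config 1|2: print /etc/openvpn/server.conf for that router.
# 'secret' selects static-key mode (no TLS), so there is no client/server,
# no push/pull and no ccd/iroute; each side simply routes the other's LAN.
gen_config() {
    site_vars "$1" || return 1
    cat <<EOF
dev tun0
proto udp
local $ME
remote $PEER
port $PORT
ifconfig $TUN_ME $TUN_PEER
route $FAR $MASK
secret $KEY
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
daemon
EOF
}

# gen_firewall 1|2: print the iptables rules for that router. A single
# LAN->tun0 FORWARD rule only covers one direction; connections opened from
# the far side (e.g. SMB to the LAN1 domain controller) need tun0->LAN too,
# and UDP/$PORT must be open to the peer. The source/destination filters
# keep anything that is not one of the two LANs out of the tunnel.
gen_firewall() {
    site_vars "$1" || return 1
    cat <<EOF
iptables -A INPUT -p udp -s $PEER --dport $PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o tun0 -s $NEAR/24 -d $FAR/24 -j ACCEPT
iptables -A FORWARD -i tun0 -o $LAN_IF -s $FAR/24 -d $NEAR/24 -j ACCEPT
EOF
}

# gen_gateway_route 1|2: the static route for the site's default gateway
# when the OpenVPN router is not that gateway (Josh's side note).
gen_gateway_route() {
    site_vars "$1" || return 1
    echo "ip route add $FAR/24 via $NEAR_VPN"
}

# lint_config FILE: return 0 if a static-key config is self-consistent.
# Flags 'secret' combined with the TLS/server-mode helpers (client, server,
# server-bridge, tls-server, tls-client), and a tun link without 'ifconfig'.
lint_config() {
    f=$1; rc=0
    if grep -Eq '^[[:space:]]*secret([[:space:]]|$)' "$f"; then
        if grep -Eq '^[[:space:]]*(client|server|server-bridge|tls-server|tls-client)([[:space:]]|$)' "$f"; then
            echo "$f: 'secret' (static key) mixed with TLS/server-mode directives" >&2; rc=1
        fi
        if grep -Eq '^[[:space:]]*dev[[:space:]]+tun' "$f" && ! grep -Eq '^[[:space:]]*ifconfig[[:space:]]' "$f"; then
            echo "$f: static-key tun link needs 'ifconfig <local> <peer>'" >&2; rc=1
        fi
    fi
    return $rc
}

# Run as a script to print everything for both sites.
for s in 1 2; do
    echo "### site $s: /etc/openvpn/server.conf"; gen_config "$s"
    echo "### site $s: firewall"; gen_firewall "$s"
    echo "### site $s: on the default gateway, if it is not this router"; gen_gateway_route "$s"
done
```

Run `lint_config` against the bridged server.conf and client.conf quoted at the end of the message and it fails on both (`server-bridge` plus `secret`, and `client` plus `secret`); run it against either generated config and it passes. The INPUT rule is restricted to the peer's public address because a static-key link has exactly one legitimate peer; widen it only if that address is not fixed.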

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users