
Re: [Openvpn-users] OpenVPN client to server, bridge LANs

  • Subject: Re: [Openvpn-users] OpenVPN client to server, bridge LANs
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Wed, 16 Jan 2008 01:45:30 -0600
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID088maPHtl0044X28

Jeff Kowalczyk wrote:
> On Wed, 16 Jan 2008 00:56:38 -0600, Josh Cepek wrote:
>> Jeff Kowalczyk wrote:
>>> I'm trying to establish a bridged connection between two LANs with two OpenWRTs
>>> (WRT65GL, kamikaze release) running OpenVPN 2.0.9.
>> You don't want bridging. In a bridged setup both your LAN networks would need to be the same subnet and would thus share broadcast services such as DHCP between them (unless otherwise firewalled). From your unique LAN subnets I'm assuming your goal is to exchange IP data between the clients of both LANs, in which case you shouldn't use bridging.
>
> Thanks for the reply, it's very informative. Before I change to routing, I
> should mention that this is an (unscheduled) migration from an IPSec IKE.
>
> The Windows PCs on both subnets are looking to a Windows Domain
> Controller on LAN1 for DHCP, Active-Directory integrated DNS and
> file/printer sharing.

All IP based protocols will work, but DHCP and Windows NBNS need some custom attention. If you want your DHCP server on your primary LAN to provide the IP address (and other associated options like DNS, WINS, and other DHCP-related settings) you will need to set up a DHCP relay agent on the OpenWRT. The dhcp-fwd package can do this, and you'll also need to set up your DHCP server at the main office with a 2nd subnet for the IP range of your remote site.

Windows subnets usually use NBNS to resolve computer names, which is a broadcast-based protocol. WINS is usually used in situations where a domain spans more than 2 subnets, so you may want to look at configuring a WINS server and pushing it out in your DHCP options if necessary.

> LAN2 is small, and the dozen or so PCs could be migrated to, sharing a bridged subnet with on LAN2.

While you could use bridging in this capacity you will suffer a performance hit as broadcasts on the subnet are sent across the Internet through your VPN tunnel. Especially in a Windows network, this broadcast traffic can amount to a bit depending on the number of hosts. If you can avoid it don't use bridging since it's slightly less efficient in terms of the packet header and will cause considerably more traffic to go across your VPN link.

> In light of those considerations, do I still want to use routing over

Yes, unless there's a really really good reason not to. I've set up a similar configuration before where remote offices needed to gain access to a pre-existing infrastructure, and routing works quite nicely after DHCP/WINS has been handled.
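For readers following the routed-instead-of-bridged advice above, here is an added example of what a routed (tun) site-to-site OpenVPN 2.0.x configuration between two routers looks like. It is not part of the thread and not Josh's or Jeff's configuration: the subnets (LAN1 192.168.1.0/24 behind the server, LAN2 192.168.2.0/24 behind the client, 10.8.0.0/24 for the tunnel), the server hostname vpn.example.com, the certificate common name lan2-router, and the key file names are all assumed placeholders.

```conf
# ---- server.conf (OpenVPN on the LAN1 router) ----
# Added example, not from the thread; all addresses and file names are assumed.
dev tun
proto udp
port 1194
# Tunnel addresses handed out to connecting routers
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# HMAC check on the control channel; server uses key direction 0
tls-auth ta.key 0
# Tell the LAN2 router that LAN1 is reachable through the tunnel
push "route 192.168.1.0 255.255.255.0"
# Add a kernel route on the server for LAN2 pointing at the tun interface
route 192.168.2.0 255.255.255.0
# Per-client files live here, named after the certificate common name
client-config-dir ccd
keepalive 10 60
persist-key
persist-tun

# ---- ccd/lan2-router (server side) ----
# Internal OpenVPN routing: packets for LAN2 go to the client whose
# certificate CN is "lan2-router". Without this iroute the kernel route
# above has no OpenVPN client to deliver to.
iroute 192.168.2.0 255.255.255.0

# ---- client.conf (OpenVPN on the LAN2 router) ----
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert lan2-router.crt
key lan2-router.key
# Client uses the opposite key direction from the server
tls-auth ta.key 1
keepalive 10 60
persist-key
persist-tun
```

Two things the configuration alone does not do: IP forwarding and the firewall on both OpenWRT boxes must permit traffic between the tun interface and the LAN, and hosts on each LAN must use their router as the default gateway so the remote subnet is reachable without per-host routes. The `route`/`iroute` pair is the part people most often get wrong: `route` lets the server's kernel send LAN2 traffic into the tunnel, and `iroute` lets OpenVPN pick the right client, so both are required. DHCP for LAN2 is then handled as described above: a relay (dhcp-fwd) on the LAN2 router forwarding to the domain controller on LAN1, plus a second scope for 192.168.2.0/24 on that DHCP server.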

