On Mon, Sep 10, 2007 at 03:48:13PM -0700, Daniel L. Miller wrote: > Alex Samad wrote: >> On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote: >> >>> Alex Samad wrote: >>> >>>> On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote: >>>> >>>>> Hi! >>>>> >>>>> I'm trying to create a routed VPN using OpenVPN - and having trouble >>>>> with the routing concepts involved. Let me see if I can properly >>>>> describe my current topology: >>>>> >>>>> Server - >>>>> LAN, with both local workstations and remote bridged workstations on >>>>> the >>>>> 192.168.0.0/24 network (this works without reservation). >>>>> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few >>>>> others. >>>>> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1. >>>>> Server can talk to clients, and clients can talk to server. >>>>> >>>>> My 1st goal is to allow selected server-side LAN workstations to reach >>>>> the routed VPN workstations. The LAN should be invisible to the routed >>>>> VPN. >>>>> >>>>> My 2nd goal is to allow selected server-side LAN workstations to reach >>>>> networks server by routed VPN workstations as gateways [this involves >>>>> OpenVPN more, I believe]. The LAN should still be invisible to the >>>>> routed VPN. >>>>> >>>> I think you need to use a tap device (I currently have a similar setup, >>>> but I do not hide the LAN - infact I use openvpn to do site to site WAN) >>>> >>>> By hide the LAN you don't want to the openvpn clients to see the 192.168 >>>> addresses if that is the case this is more a iptables question you will >>>> need to nat the lan network going out, if you want in bound traffic you >>>> will need to setup natting on the way back in as well - static though. >>>> >>> So do I need a source NAT directing all traffic intended for >>> 172.27.0.0/16 from 192.168.0.0/24 to come from 172.27.0.1? >>> >> Okay then you just want out bound, pretend the customers site is the >> internet, SNAT should do it (and a firewall just to be safe), you should >> only need one on the client's openvpn side, but because that is not in >> direct controll of you (physcially), I would probably suggest snat'ting >> again on your openpvn server or the firewall rules >> > I've put in a snat on the server side - seems to be working fine. >> So >> At your site >> >> * Set routing either fix up the default route or add routing to each >> client machine (the former being the easier of the 2) >> * Set up a firewall >> * setup SNAT or push a route through to the client 'push "route >> 192.168.8.0 255.255.252.0"' - done in the openvpn server config (the >> later is probably the better - stay away from the double natting ) >> >> >> one the customer site >> * Set up SNAT hide everything coming from your site being the local lan >> address >> * set up a firewall >> >> So all traffic coming from your site will end up on the customer site with >> a local lan address. >> >> There is no routing back into your lan, because of a) routing b) firewall >> on the customer site c) firewall on the server. >> >> a & b are easy to get around because they are at the customer site. C is >> where you protection is. >> > Customer's site not under my control - and running Windows so my linux > options are rather limited <g>. So I need to do everything within the > server and OpenVPN. I CAN push a route to the client - but I still don't > see why I need to share my LAN information with the clients at all - I just > need the OpenVPN client to be a gateway for the VPN and forward VPN traffic > from the remote network. if you are using snat you shouldn't. if you have setup a ip network for the vpn ie if your server ip address is not in the network for the customer you will need snat'ing there else the client machine will not know how to get back. > > -- > Daniel > _______________________________________________ > LARTC mailing list > LARTC@xxxxxxxxxxxxxxx > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
