From: "Daniel L. Miller"
Date: Mon, 10 Sep 2007 20:40:29 +0000
Subject: Re: [LARTC] OpenVPN routing
Message-Id: <46E5ABBD.2050604@amfes.com>
References: <46E4E5E2.2070703@amfes.com>
In-Reply-To: <46E4E5E2.2070703@amfes.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Alex Samad wrote:
> On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
>
>> Hi!
>>
>> I'm trying to create a routed VPN using OpenVPN - and having trouble with
>> the routing concepts involved. Let me see if I can properly describe my
>> current topology:
>>
>> Server -
>> LAN, with both local workstations and remote bridged workstations on the
>> 192.168.0.0/24 network (this works without reservation).
>> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and a few
>> others.
>> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1.
>> Server can talk to clients, and clients can talk to server.
>>
>> My 1st goal is to allow selected server-side LAN workstations to reach the
>> routed VPN workstations. The LAN should be invisible to the routed VPN.
>>
>> My 2nd goal is to allow selected server-side LAN workstations to reach
>> networks served by routed VPN workstations as gateways [this involves
>> OpenVPN more, I believe]. The LAN should still be invisible to the routed
>> VPN.
>>
>> My server routing table is:
>> 172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1
>> 192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1
>> 10.4.1.0/24 via 172.27.0.2 dev tun0
>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71
>> 192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72
>> 192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1
>> 172.27.0.0/16 via 172.27.0.2 dev tun0
>> default via 192.168.0.1 dev eth0
>>
>
> I think you need to use a tap device (I currently have a similar setup, but I
> do not hide the LAN - in fact I use openvpn to do site-to-site WAN).
>
> By "hide the LAN", you don't want the openvpn clients to see the 192.168
> addresses? If that is the case, this is more an iptables question: you will
> need to NAT the LAN network going out. If you want inbound traffic, you will
> need to set up NATting on the way back in as well - static, though.
>

So do I need a source NAT directing all traffic intended for 172.27.0.0/16 from 192.168.0.0/24 to come from 172.27.0.1?

> why do you want to hide the network - ?
>

The VPN is to provide me a secure static connection to customers' sites. However, those customers should be able to see neither each other, nor reach our internal LAN - unless the connection is initiated from our side.

--
Daniel
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
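Daniel's SNAT question and the requirements he states (the LAN may reach VPN clients and the networks behind them; VPN clients may not see the LAN or each other; only LAN-initiated connections are allowed) can be written as a small iptables rule set. The script below is an added example for this thread, not something either poster provided. It takes the interface names and addresses from Daniel's routing table (eth0, tun0, 192.168.0.0/24, 172.27.0.0/16, server tunnel address 172.27.0.1); the IPT variable defaults to `echo iptables` so the rule set is printed for review, and is set to the real binary when applying.

```shell
#!/bin/sh
# Added example: NAT and forwarding rules for a routed OpenVPN server whose
# office LAN must stay invisible to the VPN clients.  Addresses and interface
# names are taken from the thread; IPT=echo by default so nothing is applied.

LAN_IF="eth0"              # office LAN interface (server is 192.168.0.71 here)
VPN_IF="tun0"              # routed OpenVPN interface
LAN_NET="192.168.0.0/24"   # office LAN, must never appear as a source on tun0
VPN_SRV="172.27.0.1"       # server's tunnel address, used as the SNAT source
IPT="${IPT:-echo iptables}"

vpn_rules() {
    # 1. Anything from the LAN that leaves through the tunnel is rewritten to
    #    the server's tunnel address.  No "-d" restriction, so this also covers
    #    the second goal: subnets behind a client (10.4.1.0/24 via 172.27.0.2
    #    in the routing table) are reached with the same hidden source.
    #    Static SNAT is used rather than MASQUERADE because the tunnel address
    #    is fixed and MASQUERADE drops state whenever tun0 goes down.
    $IPT -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" \
         -j SNAT --to-source "$VPN_SRV"

    # 2. Default-deny forwarding.  Customer sites must not see each other, so
    #    tun0 -> tun0 is dropped explicitly before anything is accepted.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -j DROP

    # 3. New flows are accepted only when they enter from the LAN side.
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" \
         -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # 4. Replies from the VPN side are accepted only for flows conntrack has
    #    already seen; a client cannot open a connection toward the LAN.
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

vpn_rules
```

Running the script as-is prints the four rules; `IPT=iptables sh vpn_rules.sh` as root applies them (net.ipv4.ip_forward must already be 1). Two OpenVPN-side details matter for the same goals: the server's `client-to-client` option must stay unset, because it switches client-to-client traffic inside the OpenVPN process and bypasses the FORWARD chain entirely, and for the second goal the server needs a client-config-dir `iroute` for 10.4.1.0/24 in addition to the kernel route already shown, so OpenVPN knows which client owns that subnet.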