Openvpn with fixed ips
Revision as of 16:51, 11 July 2008
Introduction
We already explored OpenVPN with DHCP; here the VPN clients get fixed IPs without DHCP. The setup is:
- isc-dhcp40-server
- bind95
- openvpn
With this setup we will be able to see the internal network from an external connection.
Setup
here's openvpn.conf:
 ca /usr/local/etc/openvpn/keys/ca.crt
 cert /usr/local/etc/openvpn/keys/server.crt
 key /usr/local/etc/openvpn/keys/server.key
 dh /usr/local/etc/openvpn/keys/dh1024.pem
 # USE TAP ON SERVER AND CLIENT SIDE !
 dev tap
 #ifconfig-pool-persist ipp.txt
 # replace 192.168.1.101 with the VPN IP
 server-bridge 192.168.0.1 255.255.254.0 192.168.0.2 192.168.0.250
 keepalive 10 120
 client-to-client
 verb 3
 duplicate-cn
 push "route-gateway 192.168.0.1"
 push "dhcp-option DNS 192.168.0.1"
 # push DNS entries to openvpn client
 push "redirect-gateway"
 #redirect-gateway
 client-config-dir /usr/local/etc/openvpn/config
Here is the content of a client config file in /usr/local/etc/openvpn/config. The file is named after the client's certificate common name, port4, which is required so that OpenVPN assigns this IP to the owner of the port4 certificate:
ifconfig-push 192.168.0.107 255.255.254.0
here's the content of /usr/local/etc/dhcpd.conf
 option domain-name "workgroup";
 ddns-update-style none;

 class "openvpn" {
   match if substring (hardware,1,2) = 00:ff;
 }

 subnet 192.168.1.0 netmask 255.255.255.0 {
   option routers 192.168.1.1;
   option domain-name-servers 192.168.1.1;
   pool {
     deny members of "openvpn";
     allow unknown-clients;
     allow known-clients;
     ddns-updates off;
     range 192.168.1.100 192.168.1.199;
   }
 }

 host port4 {
   hardware ethernet 00:16:6f:b9:02:a4;
   fixed-address 192.168.1.107;
 }
Here we match MAC addresses that start with 00:ff, because tap devices do, and assign them to the "openvpn" class. Then, in the pool, we allow known and unknown clients but deny members of that class, so a client's tap interface cannot obtain an IP from this range and the fixed address pushed by OpenVPN stays in effect. Finally we assign a fixed IP to a known host, which makes port redirections easier.
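As an added example (not part of the original wiki page), the following Python models the dhcpd class match and pool decision above and checks an ifconfig-push address against the LAN ranges; the addresses are the page's, the helper names are assumptions.

```python
import ipaddress

# Values taken from the page's dhcpd.conf and openvpn.conf (constructed data).
DYNAMIC_POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.199"))
FIXED_HOSTS = {"00:16:6f:b9:02:a4": ipaddress.ip_address("192.168.1.107")}  # host port4
BRIDGE_NET = ipaddress.ip_network("192.168.0.0/23")  # server-bridge 192.168.0.1 255.255.254.0


def hardware_option(mac: str) -> bytes:
    """dhcpd's `hardware` value: one type byte (1 = ethernet) followed by the MAC."""
    return bytes([1]) + bytes.fromhex(mac.replace(":", ""))


def in_openvpn_class(mac: str) -> bool:
    """class "openvpn" { match if substring (hardware,1,2) = 00:ff; }
    Offset 1 skips the hardware-type byte, so the test covers the first two MAC octets."""
    return hardware_option(mac)[1:3] == bytes.fromhex("00ff")


def dhcpd_decision(mac: str) -> tuple:
    """What the page's dhcpd.conf does with a DHCP request from `mac`."""
    if mac in FIXED_HOSTS:            # host stanza: fixed-address is not subject to pool rules
        return ("fixed", FIXED_HOSTS[mac])
    if in_openvpn_class(mac):         # pool { deny members of "openvpn"; }
        return ("denied", None)
    return ("dynamic", DYNAMIC_POOL)  # allow known-clients; allow unknown-clients


def ccd_address_ok(pushed: str) -> bool:
    """Check an ifconfig-push address (hypothetical helper): it must lie inside the
    bridged network and must not collide with the LAN DHCP range or a fixed host."""
    ip = ipaddress.ip_address(pushed)
    if ip not in BRIDGE_NET:
        return False
    if DYNAMIC_POOL[0] <= ip <= DYNAMIC_POOL[1]:
        return False
    return ip not in FIXED_HOSTS.values()
```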