Talk:OpenVPN

From FreeBSDwiki
Revision as of 22:18, 19 July 2007 by Dave (Talk | contribs)
The tunnel marked #0 is the Windows one, no? Just checking to make sure...

--Dave 13:49, 8 June 2007 (EDT)

I'm curious here and I dunno

Does the network on the inside of the VPN need to be routable outside the VPN?

Let's say I'm RoadWarrior#1, public IP is 256.1.1.1 and private IP in the hotel I'm at is 192.168.0.123, and I connect to the VPN as set up on the article page -- I will be getting a 10.10.11./26 address or whatever it is (not checking just now....). Does my traffic from inside the VPN to machines in the VPN's network (a work resource like a share or printer or whatever) get NATed out as the VPN itself or the addresses of the taps?

--Dave 15:27, 19 July 2007 (EDT)

how it works

> public IP is 256.1.1.1 
> private IP in the hotel I'm at is 192.168.0.123
>
> I connect to the VPN as set up on the article page

There is no NAT. You'll have a (static by your openvpn.conf file) private IP address, which your office's network needs to know how to route to. Your office neither knows nor cares what the "Local Area Connection" IP address is, i.e. the hotel's 192.168.0.123 - the office isn't speaking to that; the office is speaking to the OpenVPN adapter with the 10.10.10.2 address. By contrast, your road warrior workstation gets a route set up (again, statically by way of openvpn.conf) that tells it to route all traffic for the office's subnet(s) through 10.10.10.1 - which is the tap IP address for the OpenVPN server in the office.

Ideally you want the default gateway for the office to know to route any packets for 10.10.10.x through the office IP address for the OpenVPN server, so that the road warrior can access the entire subnet(s) at the office without having to worry about whether each individual machine there has been set up to route through the OpenVPN server.

Capiche?

There are other ways to do it, but that's the way I do it. (PS you only really need a /30 for the OpenVPN subnet - the only two machines on it are the OpenVPN server and the road warrior. The OpenVPN server will probably have quite a few tap interfaces, each with their own tiny subnet, which you connect your road warriors to. Again, that's the way I do it at any rate. It's possible to do it differently, but I currently don't.)

--Jimbo 19:21, 19 July 2007 (EDT)
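The layout Jimbo describes (one /30 tap per road warrior, a static client-side route to the office subnet, and a return route on the office gateway), written out as an added example; it is not the article's or either poster's configuration. The office LAN 192.168.1.0/24, the server's office address 192.168.1.5, the hostname vpn.example.com and the file paths are assumptions.

```conf
##### Office side: OpenVPN server, one tap interface per road warrior
# /usr/local/etc/openvpn/rw1.conf (path assumed)
dev tap0
proto udp
port 1194
# static key, generated once with: openvpn --genkey --secret rw1.key
# and copied to the road warrior out of band; never reuse it for a second client
secret /usr/local/etc/openvpn/rw1.key
# /30: server is .1, road warrior is .2, nothing else lives here
ifconfig 10.10.10.1 255.255.255.252
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3

##### Road warrior side (Windows or FreeBSD client, same static key)
dev tap
proto udp
remote vpn.example.com 1194
secret rw1.key
ifconfig 10.10.10.2 255.255.255.252
# Only the office subnet goes through the tunnel, via the server's tap address.
# The hotel LAN (192.168.0.0/24) and the default route are left untouched,
# so there is no NAT anywhere: office hosts see packets from 10.10.10.2.
route 192.168.1.0 255.255.255.0 10.10.10.1
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3

##### Office default gateway / firewall: the return path for the /30
# Office hosts answer 10.10.10.2 via their default gateway, so the gateway
# must know the /30 sits behind the OpenVPN server's office address.
# On a FreeBSD gateway:
#   route add -net 10.10.10.0/30 192.168.1.5
# and the OpenVPN server itself must forward between tap0 and its LAN NIC:
#   sysctl net.inet.ip.forwarding=1
```

Each additional road warrior gets its own tap device, key and /30 (10.10.10.4/30, 10.10.10.8/30, ...), and the gateway route is widened accordingly, e.g. to 10.10.10.0/24.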

ahhhhh

I get it better now. Well, my office is a switched environment, but my VPN will be in the DMZ, which because of the placement of the FW will mean my route will go on my FW. Easy-peasy.

Thank you very much, Jimboner

--Dave 23:18, 19 July 2007 (EDT)