After some headache, I finally have a workable openvpn solution for connecting from my office network (behind a firewall) to my home network.

On my office network I am running openvpn on my windows XP PC, which is behind the firewall and therefore both inaccessible from the outside and doesn't have its own external IP (the firewall uses NAT). At home, I have a linux box connected to my ISP, and the rest of my computers (and my laptop, which is the machine I really use) are on a local subnet that is also NAT-ed to the rest of the Internet.

On my office PC I set up openvpn (tap adapter's address is 192.168.0.1) and then enabled "Internet Connection Sharing" (which is basically a NAT) on my real ethernet card (address 192.168.50.131), and set up openvpn with the remote address of my linux box.

On my home linux box, I set up openvpn with a floating remote address (since it has to wait for the connection in order to get through the firewall). The ethernet card on my local network is 192.168.0.10. Then I created a vpn-up.sh script (--up vpn-up.sh):

    ifconfig tap0 192.168.0.2
    route add -net 192.168.50.0 gw 192.168.0.1 netmask 255.255.255.0 tap0

For some things to work, it was better if I also enabled NAT on tap0 (yes, I know there is a lot of NAT going on here):

    iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

The only other tricky thing was making sure the following lines are in the openvpn config file on the linux box (it took me a bit to realize I had to use "dev tap" in order to connect to windows):

    dev tap
    dev-node /dev/net/tun

Works like a charm, and I didn't need help (or permission ;) from the office I.T. guys to do it! The only downside is I can't connect to the office while travelling, unless I make a second VPN connection from my laptop to home. Unless anyone has a clever way of setting my office PC up in such a way that it can connect to a dynamic IP?

Hope this helps some people (and maybe you can include some of these details in the Windows FAQ for future new users!)
Cheers,
Brett

PS To the creators of and contributors to the OpenVPN project, I'd like to say I love it! Great work! Let me know if I could be of any help to the project...

-----Original Message-----
From: James Yonan
To: Kristof Hardy; openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Sent: 8/7/2003 6:10 AM
Subject: Re: [Openvpn-users] openvpn 1.5b4 on win32

Kristof Hardy <kristof.hardy@xxxxxxxxxxxxxxx> said:

> Hi,
>
> I've been testing the windows port a few times now, and it works very
> well. From the road warrior I can ping my OpenVPN 1.5b4 Linux box to
> which I'm connected (and vice versa). So that's perfect.
>
> But how can I reach my network behind this Linux gateway? (is it just a
> routing problem at my side (I'll punch myself and go after it if that's
> the case :)) or is there anything I've missed?)
>
> Do I have to use the Ethernet bridging part (in the howto) to establish
> the connection to my subnet?

Yes, ethernet bridging is one possibility. There is also proxy ARP, which I have not used personally, but others on this list have (HOWTO anyone?)

You could also use IP routing to make this work: the road warrior would need a route command that routes all IP addresses of the remote subnet into the TAP-Win32 adapter (the route command is usually implemented in an --up script). Normally you don't also need a special route on the linux end of the connection if the linux box is also a gateway for the subnet.

Make sure to use a different subnet for the virtual tap LAN than you do for the physical ethernet, and make sure the tap network/subnet matches on both ends of the connection. If you are bridging, you would do just the opposite, i.e. use the exact same subnet on the tap LAN as on the physical ethernet.

Some people prefer bridging because it also passes broadcasts over the VPN, which makes it easy to do samba/windows browsing and file sharing. Others avoid bridging for the same reason -- passing broadcast traffic eats up limited VPN bandwidth and doesn't scale well.
I personally use bridging when I work from my laptop at WiFi cafes, and I find that the broadcast traffic is not a problem when connecting to a small subnet.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
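As an added example (not part of the mailing-list thread), a small Python check for the addressing rules James states above: in routed mode the tap subnet must not overlap any physical ethernet subnet, in bridged mode it must be exactly the bridged LAN's subnet, and the tap subnet must match on both ends. It assumes /24 masks for the tap and home-LAN addresses in Brett's post (the post only gives a netmask for the 192.168.50.0 route), and the function and its output strings are my own.

```python
import ipaddress
from typing import List


def check_tap_plan(mode: str, tap_ends: List[str], lans: List[str]) -> List[str]:
    """Return a list of problems with a planned OpenVPN tap layout.

    mode     -- "routed" or "bridged"
    tap_ends -- tap interface address with prefix for each end, e.g. "10.8.0.1/24"
    lans     -- physical LAN subnets on either side, e.g. "192.168.50.0/24"
    An empty list means the layout follows the routed/bridged subnet rules.
    """
    problems: List[str] = []
    tap_ifaces = [ipaddress.ip_interface(a) for a in tap_ends]
    lan_nets = [ipaddress.ip_network(n, strict=False) for n in lans]

    # Rule 1: the tap network/subnet must match on both ends of the tunnel.
    tap_nets = {i.network for i in tap_ifaces}
    if len(tap_nets) != 1:
        problems.append("tap endpoints are on different subnets: "
                        + ", ".join(str(n) for n in sorted(tap_nets)))
    tap_net = tap_ifaces[0].network

    if mode == "routed":
        # Rule 2: a routed tap LAN must not overlap any physical ethernet subnet,
        # otherwise the kernel cannot tell tap traffic from local LAN traffic.
        for lan in lan_nets:
            if tap_net.overlaps(lan):
                problems.append(f"tap subnet {tap_net} overlaps physical LAN {lan}")
    elif mode == "bridged":
        # Rule 3: a bridged tap uses exactly the same subnet as the bridged LAN.
        if tap_net not in lan_nets:
            problems.append(f"bridged tap subnet {tap_net} does not match any LAN subnet")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return problems


if __name__ == "__main__":
    # Addresses taken from Brett's post (routed setup), /24 masks assumed:
    # tap ends 192.168.0.1 and 192.168.0.2, office LAN 192.168.50.0/24,
    # home LAN containing the 192.168.0.10 ethernet card.
    for p in check_tap_plan("routed",
                            ["192.168.0.1/24", "192.168.0.2/24"],
                            ["192.168.50.0/24", "192.168.0.0/24"]):
        print("problem:", p)
```

Run stand-alone it reports the overlap between the tap subnet and the home ethernet subnet, which is the case James's first rule warns about; moving the tap addresses to an unused range such as 10.8.0.0/24 clears it.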