
Re: [Openvpn-users] Using DCHP?


  • Subject: Re: [Openvpn-users] Using DCHP?
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Thu, 21 Aug 2003 05:07:09 -0000

Frank,

The problem with having VPN bridge clients getting a DHCP address is that DHCP
servers tend to give additional information to clients as well, such as a
gateway address.  VPN clients definitely don't want or need a gateway address
-- in fact if a VPN client accepts a gateway address from a remote subnet via
DHCP, it will overwrite the real gateway address (which is a function of your
current internet provider) and break all internet access.

As luck would have it, I received an email just today that describes a clever
fix for this problem (see below).  BTW, I didn't invent the idea of tap
adapters having a 00:FF MAC prefix -- I just borrowed the idea from the Linux
tap driver.

James

***************************************

I've been using openVPN since you ported it to windows, and I must say it is
fantastic.  In just 2 short weeks of testing, I have decided to scrap my
IPSec VPN that I have been using for my small business in place of openVPN.
One thing that I have found to be immensely useful is the ethernet bridging.
I would rather bridge than route for my particular situation, because I want
my remote vpn clients to be on the same subnet as the office-bound clients
for myriad reasons.  I did not like having to manually configure IP
addresses for each client, so I elected to use a dhcp server to serve my
remote clients an IP address through the openVPN tunnel.

Rather than relying on client hostnames to distinguish between openVPN and
non-openVPN connections, I took advantage of your clever idea to create MAC
addresses for the Tap adapters as 00:FF:xx:xx:xx:xx, and I wrote my
dhcpd.conf file accordingly.  The reason this is necessary for me is that I
do not want to hand out a default gateway or DNS server to my openVPN
clients, I only want local traffic going through the tunnel.  I'm sure there
are many other possible instances in which the dhcp server would like to
handle openVPN clients differently from standard clients, so I thought I
would share my dhcp server config with you on the off chance that it might
be useful to others.  This particular config is for ISC's dhcp3 server, but
I'm sure it would work with just about anything.  There is nothing
particularly clever or tricky about this config file, I just did not happen
to see any examples of it anywhere, so if this could save someone some time
and effort, that would be great:

Thank you, Jim, for writing this fantastic piece of software.

Sincerely,
Dave Lau

-----------------------------------------------------------------------------------------------------------------

beefcake:/etc# cat /etc/dhcp3/dhcpd.conf

## If hardware address begins with 00:FF, the client is an
## openvpn tap adapter, and we do not want to assign a
## default gateway or router.  Instead, assign them to a special
## subclass and configure a pool which does not hand out
## these parameters.

class "openvpn" {
    match if substring (hardware, 1, 2) = 00:FF;
}
subclass "openvpn" 00:FF;


## subnet for br0

authoritative;
subnet 172.16.0.0 netmask 255.255.255.0 {
    always-broadcast on;
    max-lease-time 7200;
    default-lease-time 3600;
    option domain-name "ezone.net";
    option subnet-mask 255.255.255.0;

    pool {
        deny members of "openvpn";
        range 172.16.0.150 172.16.0.254;
        option routers 172.16.0.1;
        option domain-name-servers 172.16.0.1;
        option tftp-server-name "172.16.0.209";
    }

    pool {
        allow members of "openvpn";
        range 172.16.0.100 172.16.0.149;
    }
}

Frank Plohmann <openvpn@xxxxxxxxxxxxxxxx> said:

> Hello everyone!
> 
> I'm very new to OpenVPN and I have a problem getting OpenVPN with DHCP to
> work. First, some background information which may be needed.
> 
> I downloaded the current "OpenVPN 1.5-beta6" packages (TAR sources for the
> Linux server and the installer for the Win2k clients). I also downloaded the
> current version of LZO (1.08) and compiled/installed it on the Linux machine
> to be able to compile the OpenVPN sources. OpenSSL is used in version
> 0.9.6i. I also installed the "bridge-utils" 0.9.6-2 to be able to enable
> ethernet bridging.
> 
> The Linux server uses the 2.4.20 kernel (SuSE 8.2) and two ethernet
> adapters. eth0 is pointing to the intranet and eth1 is pointing to the
> internet (ADSL modem) with a dynamic IP. As firewall I use SuSEFirewall2 and
> the following three lines were added to the custom script.
> 
> 	iptables -A INPUT -i tap+ -j ACCEPT
> 	iptables -A INPUT -i br0 -j ACCEPT
> 	iptables -A FORWARD -i br0 -j ACCEPT
> 
> Bridging on eth0 (br0) is active by using a slightly modified script
> from the "INSTALL-win32.txt" help file.
> 
> If I use a fixed IP for the "my-tap" device on the Win2k clients it works
> very well. But if I try to use the DHCP running on the Linux server (to
> which I want to connect via OpenVPN) the "my-tap" gets no correct IP address
> (0.0.0.0) and _nothing_ is working. The DHCP server normally gives the
> clients an IP address in the range of 192.168.0.100 to 192.168.0.199 with
> netmask 255.255.255.0.
> 
> Any idea why DHCP is not working with OpenVPN? Can I even get it to work
> with OpenVPN?
> 
> Thanks,
> Frank
> 
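As an added illustration that is not part of this thread, the following Python check mirrors the class and pool logic of Dave's dhcpd.conf above: it parses a constructed DHCPDISCOVER, builds the `hardware` value the way ISC dhcpd does (hardware-type byte followed by the MAC), applies the `substring (hardware, 1, 2) = 00:FF` test, and reports which pool and which options a client would be offered. The pool ranges and option values are copied from the posted config; the packets and MAC addresses are constructed samples.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 DHCP magic cookie

# Pools and options taken from the dhcpd.conf in the thread.
# DHCP option 3 = routers, option 6 = domain-name-servers.
POOLS = {
    "openvpn": {"range": ("172.16.0.100", "172.16.0.149"), "options": {}},
    "default": {"range": ("172.16.0.150", "172.16.0.254"),
                "options": {3: "172.16.0.1", 6: "172.16.0.1"}},
}

def make_discover(mac: bytes, xid: int = 0x1234) -> bytes:
    """Constructed minimal DHCPDISCOVER: BOOTP header, cookie, option 53, end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])

def hardware(packet: bytes) -> bytes:
    """dhcpd's 'hardware' value: the htype byte followed by the chaddr bytes."""
    op, htype, hlen = struct.unpack_from("!BBB", packet, 0)
    if op != 1 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP client request")
    return bytes([htype]) + packet[28:28 + hlen]

def classify(hw: bytes) -> str:
    """Mirror 'match if substring (hardware, 1, 2) = 00:FF' (skip the type byte)."""
    return "openvpn" if hw[1:3] == b"\x00\xff" else "default"

def offer(packet: bytes) -> dict:
    """Pool and option set the posted config would hand to this client."""
    pool = classify(hardware(packet))
    return {"pool": pool, "range": POOLS[pool]["range"],
            "options": dict(POOLS[pool]["options"])}

if __name__ == "__main__":
    for mac in (b"\x00\xff\x12\x34\x56\x78", b"\x00\x0c\x29\xaa\xbb\xcc"):
        print(mac.hex(":"), offer(make_discover(mac)))
```

A TAP client (00:FF prefix) must come back with no option 3 or 6; if it does not, the class match is not firing and the client will overwrite its real default gateway, exactly the failure James describes.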

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users