James, this looks good! :) I will try it as soon as possible and tell you the results.

Frank

> From: James Yonan [mailto:jim@xxxxxxxxx]
>
> Frank,
>
> The problem with having VPN bridge clients getting a DHCP address is that
> DHCP servers tend to give additional information to clients as well, such
> as a gateway address. VPN clients definitely don't want or need a gateway
> address -- in fact if a VPN client accepts a gateway address from a remote
> subnet via DHCP, it will overwrite the real gateway address (which is a
> function of your current internet provider) and break all internet access.
>
> As luck would have it, I received an email just today that describes a
> clever fix for this problem (see below). BTW, I didn't invent the idea of
> tap adapters having a 00:FF MAC prefix -- I just borrowed the idea from
> the Linux tap driver.
>
> James
>
> ***************************************
>
> I've been using openVPN since you ported it to windows, and I must say it
> is fantastic. In just 2 short weeks of testing, I have decided to scrap my
> IPSec VPN that I have been using for my small business in place of
> openVPN. One thing that I have found to be immensely useful is the
> ethernet bridging. I would rather bridge than route for my particular
> situation, because I want my remote vpn clients to be on the same subnet
> as the office-bound clients for myriad reasons. I did not like having to
> manually configure IP addresses for each client, so I elected to use a
> dhcp server to serve my remote clients an IP address through the openVPN
> tunnel.
>
> Rather than relying on client hostnames to distinguish between openVPN and
> non-openVPN connections, I took advantage of your clever idea to create
> MAC addresses for the Tap adapters as 00:FF:xx:xx:xx:xx, and I wrote my
> dhcpd.conf file accordingly. The reason this is necessary for me is that
> I do not want to hand out a default gateway or DNS server to my openVPN
> clients, I only want local traffic going through the tunnel. I'm sure
> there are many other possible instances in which the dhcp server would
> like to handle openVPN clients differently from standard clients, so I
> thought I would share my dhcp server config with you on the off chance
> that it might be useful to others. This particular config is for ISC's
> dhcp3 server, but I'm sure it would work with just about anything. There
> is nothing particularly clever or tricky about this config file, I just
> did not happen to see any examples of it anywhere, so if this could save
> someone some time and effort, that would be great:
>
> Thank you, Jim, for writing this fantastic piece of software.
>
> Sincerely,
> Dave Lau
>
> -------------------------------------------------------------------------------------------------------------------------
>
> beefcake:/etc# cat /etc/dhcp3/dhcpd.conf
>
> ## If hardware address begins with 00:FF, the client is an
> ## openvpn tap adapter, and we do not want to assign a
> ## default gateway or router. Instead, assign them to a special
> ## subclass and configure a pool which does not hand out
> ## these parameters.
>
> class "openvpn" {
>   match if substring (hardware, 1, 2) = 00:FF;
> }
> subclass "openvpn" 00:FF;
>
>
> ## subnet for br0
>
> authoritative;
> subnet 172.16.0.0 netmask 255.255.255.0 {
>   always-broadcast on;
>   max-lease-time 7200;
>   default-lease-time 3600;
>   option domain-name "ezone.net";
>   option subnet-mask 255.255.255.0;
>
>   pool {
>     deny members of "openvpn";
>     range 172.16.0.150 172.16.0.254;
>     option routers 172.16.0.1;
>     option domain-name-servers 172.16.0.1;
>     option tftp-server-name "172.16.0.209";
>   }
>
>   pool {
>     allow members of "openvpn";
>     range 172.16.0.100 172.16.0.149;
>   }
>
> }
>
> --
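To show what the dhcpd.conf above actually decides per client, here is an added Python example (not part of this thread, nor code from OpenVPN or ISC dhcpd): it reads the client hardware address out of a constructed DHCPDISCOVER, applies the same 00:FF prefix test, and builds an offer that omits the routers and DNS options for tap clients. The pool ranges and option values are copied from Dave's config; the packet, the lease set and all function names are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Policy copied from the dhcpd.conf in the thread: tap adapters (MAC prefix
# 00:FF) draw from 100-149 with no routers/DNS/TFTP options; all other
# clients draw from 150-254 with the full option set.
OPENVPN_PREFIX = bytes.fromhex("00ff")
COMMON = {"subnet-mask": "255.255.255.0", "domain-name": "ezone.net"}
POOLS = {
    "openvpn": ("172.16.0.100", "172.16.0.149", {}),
    "lan": ("172.16.0.150", "172.16.0.254",
            {"routers": "172.16.0.1", "domain-name-servers": "172.16.0.1",
             "tftp-server-name": "172.16.0.209"}),
}

def client_hardware_address(packet: bytes) -> bytes:
    """Return the client MAC (chaddr) from a raw BOOTP/DHCP message (RFC 2131)."""
    if len(packet) < 240 or packet[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP message (missing magic cookie)")
    htype, hlen = packet[1], packet[2]
    if htype != 1 or hlen != 6:
        raise ValueError("not an Ethernet client")
    return packet[28:28 + hlen]

def classify(mac: bytes) -> str:
    # Same test as the config's: match if substring (hardware, 1, 2) = 00:FF;
    return "openvpn" if mac[:2] == OPENVPN_PREFIX else "lan"

def build_offer(mac: bytes, leased: set) -> dict:
    """Pick the first free address in the client's pool plus that pool's options."""
    cls = classify(mac)
    lo, hi, extra = POOLS[cls]
    for n in range(int(IPv4Address(lo)), int(IPv4Address(hi)) + 1):
        addr = str(IPv4Address(n))
        if addr not in leased:
            return {"class": cls, "address": addr, "options": {**COMMON, **extra}}
    raise RuntimeError(f"pool for class {cls!r} is exhausted")

# Constructed DHCPDISCOVER: BOOTREQUEST, Ethernet, xid, broadcast flag,
# chaddr 00:ff:1a:2b:3c:4d padded to 16 bytes, empty sname/file, magic
# cookie, option 53 (message type 1 = DISCOVER) and the end marker.
SAMPLE_DISCOVER = (
    struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                bytes.fromhex("00ff1a2b3c4d").ljust(16, b"\0"))
    + b"\0" * 192 + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"
)
if __name__ == "__main__":
    mac = client_hardware_address(SAMPLE_DISCOVER)
    print(classify(mac), build_offer(mac, set()))
```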