On Wed, 2004-03-31 at 10:14, Michael Kelly wrote:
> Hello again John,
>
> Okay I finally got into the setup of openVPN. Just to test the systems I utilized the sample static-office.conf and static-home.conf and things started fine. I am able to ping the office machine from home with the IP 10.1.0.1 and ping the home machine from the office with 10.1.0.2 and that is about where I have got to for now.
>
> I began re-reading your suggestions for setup and I have a few questions but I will reiterate my setup first
>
> - main office has static IP address and all computers are behind a hardware router. Samba server running in main office as well as apache machine (this is running openVPN)
>
> - remote office has dynamic IP and all computers are behind a hardware router. There will be a dedicated Linux box to run openVPN (it is currently at my home for testing but my home has a dynamic IP and is behind a hardware router)
>
> - no computers in either office are part of a domain
>
> Questions:
>
> First let me just say that I am still trying to gain an understanding of all of the concepts involved by learning as I do
>
> I will post questions throughout your setup suggestions where I am not clear on something
>
> 1. Set up your Samba server to be a WINS server.
> 2. Set up all computers to use WINS, and point them to the IP address of the Samba server.
> 3. Set up a site-to-site VPN using static keys. The trick here is to use different subnets on each side. Here's an example:
>
> Office LAN: 192.168.0.0/24 network
>
> Office VPN gateway (any arbitrary computer on the network you want to run the VPN): 192.168.0.93. Make sure you set /proc/sys/net/ipv4/ip_forwarding to "1"
>
> Office VPN connection settings: ifconfig 10.240.0.1 10.240.0.2 (arbitrary private subnet, totally unrelated to the actual networks)
>
> - not too sure about this line. What I think is going on is that all traffic on the 192.168.4.0 subnet is being routed through the tun device

Yes. The two tun devices (one on each end of the tunnel) use IP addresses unrelated to any of your other networks. By putting them all in some private subnet you don't use anywhere else, you can more easily set up routing.

> - where would I put this line?

Two lines. In your OpenVPN config file for the end in the 192.168.0.* gateway.

First line:
> route 192.168.4.0 255.255.255.0

Second line (order doesn't matter):
> dev tun
>
> - not sure here either. I have the UDP port forwarded through the hardware router to the correct machine, but get lost on the part about routing all traffic for 10.240.0.0/30 and 192.168.4.0/24 to that same machine. Where would I do this? Is this a line in a configuration file?
>
> Office default gateway: forward UDP port 5000 to 192.168.0.93, route all traffic for 10.240.0.0/30 and 192.168.4.0/24 to 192.168.0.93

Well, now, this all depends on your office default gateway. In this configuration, the default gateway is different than the VPN gateway. Without defining routes on your LAN back to the other end of the tunnel, your remote machines will only be able to contact the VPN gateway. When you try to connect to other computers on the LAN, those computers will send the response back to where it appeared to come from--either 10.240.0.x if it came from your remote VPN gateway, or 192.168.4.x if it came from another computer on the remote LAN. These response packets will go to the default gateway, because the other machines on your office LAN don't have a route for these addresses.

So you need to figure out how to add these static routes to your default gateway, to send them back to your office VPN gateway. You said your default gateway was some sort of hardware router. That's where you need to add these routes. There may be a web page to help configure them (usually under some sort of advanced tab). If it's Linux-based, you may be able to set up a script that adds the routes on boot...

> - For the remote office you have utilized the 192.168.4.XXX IP range. Is it a problem if the remote office is set up to use the same 192.168.0.XXX range, providing there are no IP conflicts?

Yes. The examples I'm providing use specific subnets in the routing table to get the traffic routed correctly. It's much easier to use different subnets for different locations, and not overlap these addresses. It's much easier to change the private IP subnet than to get complicated routing rules to work...

> - again a bit confused, okay, totally confused, about the routing.
>
> Remote gateway: route all traffic for 10.240.0.0/30 and 192.168.0.0/24 to 192.168.4.43

This is the mirror image of the configuration for the office default gateway--sends all the response packets back to the VPN gateway to go through the tunnel.

> Remote VPN connection settings: remote office.domain.name, ifconfig 10.240.0.2 10.240.0.1 route 192.168.0.0 255.255.255.0 dev tun
>
> - to achieve this next part I would just open UDP port 5000 on the remote office router as well and have it forward traffic to the 192.168.4.43 machine (possibly 192.168.0.43 as discussed at the beginning of this remote section).

You only need to forward the port on one side--the side with a static IP address. I just run OpenVPN all the time on the office LAN, and have the port forwarded. Then I can connect from anywhere else, no additional port forwarding necessary.

> Remote VPN Gateway: 192.168.4.43 (any arbitrary machine running OpenVPN--just make sure your gateway points to this). Make sure you set /proc/sys/net/ipv4/ip_forwarding to "1"
>
> - this is just the IP range for the system in the remote office correct?
>
> Remote subnet: 192.168.4.0/24

Yes.

> Thank you again for all of your time John, it is very much appreciated.
> I apologize if some of my questions seem a bit trivial, but this is my first real venture into serious networking.

It's not all that hard, once you figure it out. Read up on IP addresses, subnet masks, and routing, and you'll have it all figured out in no time.

Cheers,
--
John Locke
Open Source solutions for small business problems
http://freelock.com

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
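The addressing rules John lays out above (a tunnel subnet unrelated to either LAN, different LAN subnets on each side, static routes on each default gateway pointing back at the VPN gateway, and a port forward only on the side with a static IP) can be turned into a small planner. The script below is an added example written for this editor's note, not code from the thread or from the OpenVPN project; it only emits text and applies nothing to the system. The `Site` dataclass, the function names, and the `static.key` path are assumptions; the sample addresses are the ones used in the thread. The OpenVPN directives it emits (`dev`, `port`, `remote`, `ifconfig`, `route`, `secret`) are the real static-key directives. Note that the kernel sysctl for forwarding is `/proc/sys/net/ipv4/ip_forward` (`net.ipv4.ip_forward`), and it must be `1` on both VPN gateways.

```python
"""Planner for a static-key OpenVPN site-to-site tunnel (added example).

Given the addressing of two sites it (1) checks the rules the thread relies on
(no overlapping subnets, one reachable end), (2) emits the OpenVPN static-key
config lines for each end, and (3) lists the static routes each site's default
gateway needs so return traffic is sent to the VPN gateway. Nothing is applied.
Both VPN gateways also need net.ipv4.ip_forward = 1, which is not modelled here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Site:  # hypothetical helper type
    name: str
    lan: str                           # site LAN, e.g. "192.168.0.0/24"
    vpn_gateway: str                   # LAN address of the box running OpenVPN
    tun_ip: str                        # this end's tunnel (tun) address
    public_name: Optional[str] = None  # DNS name or static IP reachable from outside


def check_addressing(a: Site, b: Site, tunnel_net: str) -> List[str]:
    """Return a list of addressing problems; an empty list means the plan is sound."""
    problems: List[str] = []
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    tun = ipaddress.ip_network(tunnel_net)
    # The gateway routes key on subnets, so the two LANs must not overlap.
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {lan_a} and {lan_b}")
    for site, lan in ((a, lan_a), (b, lan_b)):
        # The tunnel subnet must be unrelated to either LAN.
        if lan.overlaps(tun):
            problems.append(f"tunnel subnet {tun} overlaps {site.name} LAN {lan}")
        if ipaddress.ip_address(site.vpn_gateway) not in lan:
            problems.append(f"{site.name}: VPN gateway {site.vpn_gateway} not in LAN {lan}")
        if ipaddress.ip_address(site.tun_ip) not in tun:
            problems.append(f"{site.name}: tun address {site.tun_ip} not in {tun}")
    # One end must be reachable for the other end to connect to it.
    if a.public_name is None and b.public_name is None:
        problems.append("neither site is reachable; one end needs a static IP or DNS name")
    return problems


def openvpn_config(local: Site, peer: Site, port: int = 5000) -> List[str]:
    """OpenVPN static-key config lines for one end of the tunnel."""
    peer_lan = ipaddress.ip_network(peer.lan)
    lines = ["dev tun", f"port {port}"]
    if peer.public_name:  # the listening end has no 'remote' line
        lines.append(f"remote {peer.public_name}")
    lines.append(f"ifconfig {local.tun_ip} {peer.tun_ip}")
    lines.append(f"route {peer_lan.network_address} {peer_lan.netmask}")
    lines.append("secret static.key")  # shared static key file (assumed path)
    return lines


def gateway_routes(local: Site, peer: Site, tunnel_net: str) -> List[Tuple[str, str]]:
    """Static routes for the site's *default* gateway as (destination, next hop).

    Return traffic for the tunnel subnet and for the peer LAN must be handed to
    the local VPN gateway, otherwise it leaves via the default route and is lost.
    """
    return [(str(ipaddress.ip_network(tunnel_net)), local.vpn_gateway),
            (str(ipaddress.ip_network(peer.lan)), local.vpn_gateway)]


def port_forwards(a: Site, b: Site, port: int = 5000) -> List[Tuple[str, str]]:
    """Only the reachable end needs UDP <port> forwarded to its VPN gateway."""
    return [(f"udp/{port}", s.vpn_gateway) for s in (a, b) if s.public_name]


if __name__ == "__main__":
    # Constructed sample using the thread's own addresses.
    office = Site("office", "192.168.0.0/24", "192.168.0.93", "10.240.0.1", "office.domain.name")
    remote = Site("remote", "192.168.4.0/24", "192.168.4.43", "10.240.0.2")
    tunnel = "10.240.0.0/30"
    for p in check_addressing(office, remote, tunnel):
        print("PROBLEM:", p)
    for local, peer in ((office, remote), (remote, office)):
        print(f"--- {local.name} openvpn.conf ---")
        print("\n".join(openvpn_config(local, peer)))
        print(f"--- {local.name} default gateway static routes ---")
        for dest, hop in gateway_routes(local, peer, tunnel):
            print(f"{dest} via {hop}")
    print("port forwards:", port_forwards(office, remote))
```

Running it with a remote LAN of 192.168.0.0/24 instead (the overlap Michael asks about) produces a problem line rather than a routing plan, which is exactly the situation John advises avoiding.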