john@xxxxxxxxx wrote:
> The server directive should be a non-routable, shouldn't it?
>

Yes - what's indicating otherwise?

> i.e., I have
>
> server 10.0.2.0 255.255.255.0
> dev tun
> topology subnet
>

I had to research that part - you're running either a patched version or the 2.1 beta? I'm running stock 2.0.9 - topology subnet not supported. Perhaps I need to explore the beta . . . .

> I don't worry about local setting, it's optional and will bind to all the
> internal ethernet cards on the network.
>
> by setting the topology to subnet and using the ifconfig-pool-persist
> directive, the other ends get a consistent address within the 10.0.2.0/24
> network. In other words, the server end of the tunnel gets 10.0.2.1 and the
> client consistently gets 10.0.2.4 (in my case).
>
> I then push, from the server, the internal routes of the server, i.e.,
> push route "192.168.xx1.0 255.255.255.0"
> push route "192.168.xx2.0 255.255.255.0"
> etc (I'm pushing 4 routes)
>

This may be part of the answer. I DON'T want the VPN clients to see a route to the server LAN - I only want select members of my server LAN to be able to reach the clients. But I don't see why remote clients need to know my internal LAN routing - that's the whole idea of the router, to hide that!

> and added
>
> client-to-client
>
> and
>
> persist-key
> persist-tun
>

I don't want client-to-client behaviour. I am using persist-key, but I was having problems when clients would re-connect after communication interruption. A search of the archives pointed to persist-tun being a possible problem - haven't had that issue since I removed it.

> Hopefully that will get you closer, Daniel, and hopefully it's not too
> disjointed an explanation... it's getting late for a Sunday and I'm hitting
> the rack.
>

Hope when you read this you've gotten some sleep.

> The default client and server .conf files and their in-line comments helped
> me a lot, and I really appreciated the fact that they were part of the
> distribution. I had been struggling with openswan/ipsec and intermittent
> connectivity for weeks. OpenVPN is far easier to set up and it consistently
> works well.
>

No doubt. Wait a minute - as I type this I just had a brainstorm - does this mean each VPN client isn't on the 172.27.0.0/16 network?! So I need to adjust my server routing tables for a separate /30 network for each client?! Was that what I was missing?!

Daniel

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users