In message <BAY128-W24BDD0039AD96FA470FE87A6C00@xxxxxxx>, Pasada Khumprakob <khumprp@xxxxxxxxxxx> wrote:
>
> Hi Timothy

I'll assume there is a router (not a router appliance acting as a switch), but no NAT, between the OpenVPN client and server. If not, please tell us. It would help if you told us what sort of router you have; note that router appliances aimed at the domestic market are usually a 2-port NAT router + switch.

> Thanks for the help. It makes sense what I am doing wrong now. One simple
> question before I go and implement this... If the OpenVPN server address
> is on a different subnet than the network I want to connect to, what am I
> bridging?

Bridging doesn't care about IP. There does need to be ethernet connectivity between the OpenVPN server and the other machines, as if they are on the same subnet.

> To clarify... My OpenVPN server address will be something like 201.0.0.25
> 255.255.255.192 and the machines that I want access to will be on
> 201.0.0.193-254 on 255.255.255.192. The OpenVPN server will have one
> physical NIC with the 201.0.0.25 address, and will bridge with the TAP
> device which will not have an IP address either. The bridge will then take
> over the IP address of ETH0 and have it set as 201.0.0.25.
>
> So I'm not sure if that is correct.... Do I change the IP of the bridge to
> something in the subnet of the machines I want to access, or do I set up a
> route to send the traffic from the OpenVPN server into the subnet I'm
> accessing?

As this is a bridged VPN, no routes should be set up to direct traffic over the VPN, and bridging doesn't care about IP address. The Linux software bridge is independent from the Linux IP stack.

I did not suggest changing the server's IP address; however, that will work if you give the router an IP address on both subnets. There are some catches:

1. You may not be able to configure your router to do this.
2. All IP traffic to or from (not via) the server will have to go through the router.
3. It is unusual, and therefore potentially confusing, to have 2 subnets on the same ethernet.

My suggestion was to give an additional IP address to the server. To do that, leave br0's IP address set to 201.0.0.195 and set dummy0's IP address to 201.0.0.25 (netmask 255.255.255.192). The dummy0 device will automatically appear when it is given an address if the kernel was built with it enabled. Then configure the router on the server's LAN to route traffic for the subnet 201.0.0.0 (netmask 255.255.255.192) to 201.0.0.195. All the routers concerned need to have a suitable route for the 201.0.0.0 subnet; they may already be configured appropriately. The port forwarding technique avoids this problem.

Then see if you can ping 201.0.0.25 from the client. Use 201.0.0.25 in the client's remote option, and add "local 201.0.0.25" to the server's config file.

--
OpenPGP key fingerprint: D0A6 F403 9745 CED4 6B3B 94CC 8D74 8FC9 9F7F CFE4

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
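The extra-address plan from the reply above, worked through as an added example (not code from the thread's author or from the OpenVPN project). It assumes iproute2 is used on the server, that br0 already carries the LAN address, and that the LAN router accepts a static route; the addresses are the ones quoted in the thread.

```python
"""Plan the second-IP setup for a bridged OpenVPN server.

Added example: the VPN endpoint address is placed on a dummy interface
in a different subnet from the bridge, and the LAN router is told to
deliver that subnet to the bridge address.  Commands are returned as
strings so the plan can be reviewed before anything is run as root.
"""
import ipaddress


def plan_extra_address(br0_addr: str, vpn_addr: str) -> dict:
    """Return interface commands, the router route and the OpenVPN
    config lines for giving the server a second address on dummy0.

    br0_addr and vpn_addr are 'a.b.c.d/prefix' strings.  The VPN
    address must lie outside the bridge's subnet: if it does not, no
    dummy interface or extra route is needed, and a second subnet on
    the same ethernet is exactly the confusing case the reply warns of.
    """
    br0 = ipaddress.ip_interface(br0_addr)
    vpn = ipaddress.ip_interface(vpn_addr)
    if vpn.ip in br0.network:
        raise ValueError(
            f"{vpn.ip} already lies inside {br0.network}; "
            "no dummy0 address or router route is needed")
    return {
        # run on the server as root (assumed iproute2 syntax)
        "server_cmds": [
            "ip link add dummy0 type dummy",
            f"ip addr add {vpn.with_prefixlen} dev dummy0",
            "ip link set dummy0 up",
        ],
        # static route the LAN router needs: the whole VPN subnet is
        # reachable via the server's existing bridge address
        "router_route": f"{vpn.network} via {br0.ip}",
        # server binds to the dummy address, client connects to it
        "server_conf": f"local {vpn.ip}",
        "client_conf": f"remote {vpn.ip}",
        # the reachability check suggested in the reply
        "ping_check": f"ping -c 3 {vpn.ip}",
    }


if __name__ == "__main__":
    for key, value in plan_extra_address("201.0.0.195/26",
                                         "201.0.0.25/26").items():
        print(f"{key}: {value}")
```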