[TriLUG] OpenVPN for Home

Alan Porter porter at trilug.org
Wed Oct 11 22:53:18 EDT 2006


jason at monsterjam.org wrote:
> I'm trying to set this up myself as well, and I'm getting lost with the IP addresses in this
> example, i.e. which is the address that the client gets when he connects? Which network is the server on? I.e. is the server interface that's listening for the VPN connections on
> 10.1.0.0/16? What is this 10.2.0.0 network?

In this case, mysvr is 10.1.1.1 and myclient is 10.2.1.1.
There are lots of 10.1.x.y machines NAT-ted behind mysvr.
And there are lots of 10.2.x.y machines NAT-ted behind myclient.

I am using openvpn to bridge these two networks together.
That is, one of them is my office and the other one is our
sister office in another state.

OpenVPN seems to be used in two different scenarios:
(1) bridging two networks together, like what I have shown
here
(2) "road warrior" mode, where one user takes one PC
on the road and tries to get into his home network.


(1) bridging office 10.1 and office 10.2

10.1.1.2--+      at home              at work       +--10.2.1.2
10.1.1.3--+------10.1.1.1~~~~(vpn)~~~~10.2.1.1------+--10.2.1.3
10.1.1.4--+      mysvr                myclient      +--10.2.1.4
10.1.1.5--+                                         +--10.2.1.5


(2) "road warrior", accessing home while you're on the road

10.1.1.2--+      at home              on the road
10.1.1.3--+------10.1.1.1~~~~(vpn)~~~~10.2.1.1
10.1.1.4--+      mysvr                myclient
10.1.1.5--+


The only difference between bridging and "road warriors"
is whether or not the client is acting as a gateway for all
of the machines that are on his local network.

If you are just trying to access your home network from
your office (and not trying to use that same link for your
kids at home to hack into your office computers), then
you are a road warrior.  So get rid of the lines that
say "client_config_dir" "route 10.2.0.0 255.255.0.0"
(which tells openvpn to route all traffic destined to
10.2.x.y through the client).

--

One other thing that might be confusing is the way that
openvpn uses the 10.99.x.y addresses.  It will assign a
10.99.x.y address to the client and to the server.  These
are only used internally by the openvpn program itself.
If you had five VPN clients connected to your server,
the server would have 5 of these internal IP addresses
assigned to it, and each server would have one.

You don't really need to pay any attention to them, but
you must be careful to pick a subnet that's not going to
get in your way.  So I chose 10.99.x.y.

--

Sorry my earlier posting was brief... I saw that I had a
how-to file, and I forgot how sketchy it was on details.

But like I said in my first post, the hardest part is
picking your IPs and your naming conventions.

Alan
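
The addressing plan from this message, worked through as an added example (not part of the original post or of Alan's how-to): it checks that the 10.99.x.y tunnel subnet does not collide with either LAN and emits the server-side routing lines for each mode. The `server`, `push "route ..."`, `client-config-dir` and `iroute` directives are standard OpenVPN options; the `ccd` directory name, the `server.conf` file name and the per-client file named `myclient` are assumptions.

```python
import ipaddress

def check_plan(server_lan, tunnel, client_lan=None):
    """Return a description of every overlap between networks in the plan."""
    nets = {"server LAN": server_lan, "tunnel": tunnel}
    if client_lan:
        nets["client LAN"] = client_lan
    nets = {k: ipaddress.ip_network(v) for k, v in nets.items()}
    names = list(nets)
    return [f"{a} {nets[a]} overlaps {b} {nets[b]}"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def _fmt(net):
    """Render a CIDR network as 'address netmask', the form OpenVPN expects."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.netmask}"

def build_config(server_lan, tunnel, client_lan=None, client_name="myclient"):
    """Return {file name: lines}. client_lan=None means road-warrior mode."""
    problems = check_plan(server_lan, tunnel, client_lan)
    if problems:
        raise ValueError("; ".join(problems))
    # Both modes: hand out tunnel addresses and tell clients how to reach
    # the machines behind the server.
    server = [f"server {_fmt(tunnel)}", f'push "route {_fmt(server_lan)}"']
    files = {"server.conf": server}
    if client_lan:
        # Bridging only: the client is a gateway for its own LAN, so the
        # server routes that LAN into the tunnel (kernel route) and the
        # per-client file tells OpenVPN which client owns it (iroute).
        # The assumed "ccd" directory holds one file per client name.
        server += ["client-config-dir ccd", f"route {_fmt(client_lan)}"]
        files[f"ccd/{client_name}"] = [f"iroute {_fmt(client_lan)}"]
    return files

if __name__ == "__main__":
    # Networks taken from the message: 10.1 behind mysvr, 10.2 behind
    # myclient, 10.99 for OpenVPN's internal tunnel addresses.
    for mode, lan in (("bridge", "10.2.0.0/16"), ("road warrior", None)):
        print(f"# {mode}")
        for name, lines in build_config("10.1.0.0/16", "10.99.0.0/16", lan).items():
            print(f"## {name}")
            print("\n".join(lines))
```

In road-warrior mode the output has no `route 10.2.0.0 255.255.0.0` and no `client-config-dir` line, so nothing behind the client is reachable from the server side.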





