Re: [KLUG Members] OpenVPN & DHCP

bill bill at billtron.com
Sun Jun 19 21:18:24 EDT 2005


Hi Mike,

Thanks for explaining that.  I think I understand now.  I didn't realize
the vpn network was a sort of "virtual" ip range on a "virtual"
adapter.  Would the tun0 interface show up, then, on something like
ifconfig?

The VPN IP address range in server.conf just needs to be a private range
that doesn't exist on either client or server LAN?  

Is there a possible problem if the two LANs (client & server) have
similar ip addresses?  For example, if the client is on a 192.168.0.x
range and the server is also on a 192.168.0.x range does that create any
sort of problem?

kind regards,

bill

On Sun, 2005-06-19 at 17:50, Mike Williams wrote:
> >
> >
> >I'm getting very close to testing an OpenVPN setup, but have become
> >stumped at the server config.
> >
> >1. How can I limit the OpenVPN server to a DHCP range subset when
> >another DHCP server exists on the LAN?
> >
> >Current DHCP server serves range x.x.x.100 to x.x.x.175
> >
> >I want the OpenVPN server to use x.x.x.76 to x.x.x.200
> >
> >The only related config parameter in server.conf is
> > 
> >server x.x.x.0 255.255.255.0
> >
> >2. The above config line also sets the OpenVPN server at x.x.x.1
> >
> >But the current DHCP server is at that address.  The OpenVPN server
> >already has its own address on the LAN, will it assume another one as
> >the VPN server?  If so, how do I set it so it won't conflict?
> >  
> >
> The new IPs that OpenVPN needs will not be created on the LAN, they'll 
> be created in a new range, as part of a new network.
> 
> When OpenVPN starts it creates tun0, which appears as an additional 
> network adapter.  The tunnel interface needs an IP address on an IP 
> range separate from what you're using on the other adapters so it can 
> route properly.  Pick a private range that you're not using for anything 
> else.  If you're establishing secure communication between two machines 
> on the Internet, each machine will have an IP address on two networks:  
> the Internet, and the encrypted network with the private range.  If the 
> machines are also firewalls or routers for private IPs on an inside LAN, 
> they will be members of three networks:  private LAN, Internet, and tunnel.
> 
> My firewall/VPNs are set up this way:  Each has an Internet IP, an 
> internal IP (192.168.40.x and 192.168.41.x for the two sides), and a 
> tunnel IP (172.16.5.1 and 172.16.5.2).  So there's a total of four 
> networks between them, if you count the Internet only once:  Kalamazoo 
> internal, Grand Rapids internal, Internet, and the tunnel "network" of 
> IPs.  In theory, I could add a third machine (and more if I wanted to 
> deal with some really messy routing tables) at 192.168.42.x inside and 
> 172.16.5.3 for the tunnel IP. 
> 
> Does that help?
> 
> _______________________________________________
> Members mailing list
> Members at kalamazoolinux.org
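
The addressing rule Mike lays out above (the tunnel gets its own private range, separate from the LAN on each side and from the Internet addresses) can be checked mechanically. The script below is an added example written for this archive page, not code from either poster or from the OpenVPN project. It parses the `server <network> <netmask>` line from server.conf, derives the address the server itself takes on tun0 (the first host address of that range), and reports any overlap between the tunnel range and the LAN ranges, or between the two LAN ranges themselves. The subnets in it are constructed sample values: Mike's 192.168.40.x / 192.168.41.x / 172.16.5.x layout, plus a deliberately bad plan where both LANs and the tunnel all sit on 192.168.0.0/24.

```python
"""Check an OpenVPN addressing plan for overlapping ranges.

Added example for the KLUG thread above; not part of the original messages.
Uses only Python's standard ipaddress module. All networks below are
constructed sample values.
"""
from ipaddress import IPv4Network


def parse_server_directive(line):
    """Parse an OpenVPN 'server <network> <netmask>' line.

    Returns (tunnel_network, server_tun_address). OpenVPN gives the server
    the first host address of the range (e.g. 10.8.0.1 for 10.8.0.0/24).
    """
    parts = line.split()
    if len(parts) != 3 or parts[0] != "server":
        raise ValueError(f"not a server directive: {line!r}")
    # ipaddress accepts a dotted netmask after the slash; strict=True rejects
    # a host address where a network address is required.
    tunnel = IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)
    server_ip = next(tunnel.hosts())
    return tunnel, server_ip


def find_conflicts(tunnel, lans):
    """Return (name, network) pairs for LANs whose range overlaps the tunnel."""
    return [(name, lan) for name, lan in lans.items() if lan.overlaps(tunnel)]


def lans_overlap_each_other(lans):
    """Return (name_a, name_b) pairs of LANs that overlap one another."""
    names = list(lans)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if lans[a].overlaps(lans[b])]


def check_layout(server_line, lans):
    """Return a list of problems with the plan; an empty list means it is clean."""
    tunnel, _server_ip = parse_server_directive(server_line)
    problems = []
    if not tunnel.is_private:
        problems.append(f"tunnel range {tunnel} is not a private (RFC 1918) range")
    for name, lan in find_conflicts(tunnel, lans):
        problems.append(f"tunnel range {tunnel} overlaps the {name} LAN {lan}")
    for a, b in lans_overlap_each_other(lans):
        problems.append(f"{a} LAN {lans[a]} overlaps {b} LAN {lans[b]}; "
                        f"a route for that prefix cannot point to both sides")
    return problems


# Constructed sample plans. GOOD_PLAN mirrors the layout described in the
# thread; BAD_PLAN puts both LANs and the tunnel on the same /24.
GOOD_PLAN = (
    "server 172.16.5.0 255.255.255.0",
    {"Kalamazoo": IPv4Network("192.168.40.0/24"),
     "Grand Rapids": IPv4Network("192.168.41.0/24")},
)
BAD_PLAN = (
    "server 192.168.0.0 255.255.255.0",
    {"server side": IPv4Network("192.168.0.0/24"),
     "client side": IPv4Network("192.168.0.0/24")},
)

if __name__ == "__main__":
    for label, (line, lans) in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        tunnel, srv = parse_server_directive(line)
        print(f"{label}: server takes {srv} on tun0 (range {tunnel})")
        for problem in check_layout(line, lans) or ["no conflicts"]:
            print("  -", problem)
```

Running it prints the server's tun0 address for each plan and, for the bad plan, three findings: the tunnel range collides with each LAN, and the two LANs collide with each other. Bill's original question about handing out only part of a range is a separate OpenVPN setting, `ifconfig-pool start-IP end-IP`, which restricts the pool of client addresses within the tunnel network; the script above only checks the network-level overlap that Mike's reply is about.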