re [KLUG Members] OpenVPN & DHCP
bill
bill at billtron.com
Sun Jun 19 21:18:24 EDT 2005
Hi Mike,
Thanks for explaining that. I think I understand now. I didn't realize
the vpn network was a sort of "virtual" ip range on a "virtual"
adapter. Would the tun0 interface show up, then, on something like
ifconfig?
The VPN IP address range in server.conf just needs to be a private range
that doesn't exist on either client or server LAN?
Is there a possible problem if the two LANs (client & server) have
similar ip addresses? For example, if the client is on a 192.168.0.x
range and the server is also on a 192.168.0.x range does that create any
sort of problem?
kind regards,
bill
On Sun, 2005-06-19 at 17:50, Mike Williams wrote:
> >
> >
> >I'm getting very close to testing an OpenVPN setup, but have become
> >stumped at the server config.
> >
> >1. How can I limit the OpenVPN server to a DHCP range subset when
> >another DHCP server exists on the LAN?
> >
> >Current DHCP server serves range x.x.x.100 to x.x.x.175
> >
> >I want the OpenVPN server to use x.x.x.76 to x.x.x.200
> >
> >The only related config parameter in server.conf is
> >
> >server x.x.x.0 255.255.255.0
> >
> >2. The above config line also sets the OpenVPN server at x.x.x.1
> >
> >But the current DHCP server is at that address. The OpenVPN server
> >already has its own address on the LAN, will it assume another one as
> >the VPN server? If so, how do I set it so it won't conflict?
> >
> >
> The new IPs that OpenVPN needs will not be created on the LAN, they'll
> be created in a new range, as part of a new network.
>
> When OpenVPN starts it creates tun0, which appears as an additional
> network adapter. The tunnel interface needs an IP address on an IP
> range separate from what you're using on the other adapters so it can
> route properly. Pick a private range that you're not using for anything
> else. If you're establishing secure communication between two machines
> on the Internet, each machine will have an IP address on two networks:
> the Internet, and the encrypted network with the private range. If the
> machines are also firewalls or routers for private IPs on an inside LAN,
> they will be members of three networks: private LAN, Internet, and tunnel.
>
> My firewall/VPNs are set up this way: Each has an Internet IP, an
> internal IP (192.168.40.x and 192.168.41.x for the two sides), and a
> tunnel IP (172.16.5.1 and 172.16.5.2). So there's a total of four
> networks between them, if you count the Internet only once: Kalamazoo
> internal, Grand Rapids internal, Internet, and the tunnel "network" of
> IPs. In theory, I could add a third machine (and more if I wanted to
> deal with some really messy routing tables) at 192.168.42.x inside and
> 172.16.5.3 for the tunnel IP.
>
> Does that help?
>
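An added example, not part of either message: a Python check that reads the `server <network> <netmask>` line from a server.conf and reports every pair of ranges (tunnel, client LAN, server LAN) that overlap, since overlapping ranges cannot be told apart by routing. The function names, the sample config and the /24 masks on the LANs are assumptions made for illustration.

```python
import ipaddress

# Constructed sample server.conf fragment; 172.16.5.0 is the tunnel range
# from Mike's reply, and the /24 netmask is an assumption.
SAMPLE_CONF = """\
# OpenVPN server config (constructed sample)
;proto tcp
proto udp
dev tun
server 172.16.5.0 255.255.255.0
"""

def parse_server_directive(conf_text):
    """Return the tunnel network named by 'server <network> <netmask>'."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] == "server" and len(parts) >= 3:
            # strict=True rejects a network address with host bits set
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
    raise ValueError("no 'server <network> <netmask>' directive found")

def find_conflicts(tunnel, lans):
    """Return every pair of named ranges that overlap.

    lans maps a label to a CIDR string; the tunnel range is checked
    against each LAN, and the LANs are checked against each other.
    """
    nets = {"tunnel": tunnel}
    nets.update({name: ipaddress.ip_network(cidr) for name, cidr in lans.items()})
    names = list(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    tunnel = parse_server_directive(SAMPLE_CONF)
    layouts = {  # constructed layouts using the ranges named in the thread
        "separate LANs": {"side_a": "192.168.40.0/24", "side_b": "192.168.41.0/24"},
        "same range both sides": {"client_lan": "192.168.0.0/24",
                                  "server_lan": "192.168.0.0/24"},
    }
    for label, lans in layouts.items():
        print(label, "->", find_conflicts(tunnel, lans) or "no overlap")
```

An empty result means the tunnel range and both LANs are distinct; any pair returned names the two ranges that need renumbering before routes between the sites will be unambiguous.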