Old 02-14-2007
music
Default Re: openvpn server bridge.

Tauno Voipio wrote:
> music wrote:
>> music wrote:
>>
>>> Tauno Voipio wrote:
>>>
>>>> music wrote:
>>>>
>>>>>
>>>>> The VPN server is in a DMZ controlled by a Netscreen 204 firewall.
>>>>> The client has an ADSL internet connection.
>>>>> The Netscreen firewall opens UDP 1194 inbound, while outbound is all open.
>>>>> The client has no firewall rules.
>>>>> I see that, when I try to ping from server to client or from client to
>>>>> server, there are many ARP requests without an answer.
>>>>> Sorry for my bad English.
>>>>> If you need more information, ask me. Thank you.
>>>>
>>>>
>>>>
>>>> A VPN is a connection of two private networks using
>>>> a public IP connection to transport the packets. To
>>>> do this, we need two IP addresses at each end of the
>>>> connection (called a tunnel): one to use the public
>>>> Internet (tunnel outside address) and another for the
>>>> private network data (tunnel inside address).
>>>>
>>>> OpenVPN provides two different ways of transferring
>>>> internal network data: routing IP packets (using tun0)
>>>> or bridging link-level (Ethernet) frames (using tap0).
>>>>
>>>> In your case, the inside ends of the tunnel seem to
>>>> be set up for transporting link-level (Ethernet)
>>>> frames to bridge the internal network segments
>>>> together. I do not see the necessary outside
>>>> interfaces and their addresses (for UDP port 1194)
>>>> in the setup you posted.
>>>>
>>>
>>> Do you mean the public IP?
>>> On the client side I have an ADSL internet connection with a dynamic
>>> public IP.
>>> On the server side the public IP is 82.85.10.18, and the Netscreen
>>> firewall does NAT between 172.16.14.14 and the public IP to allow
>>> connections from/to the internet.
>>
>> My VPN server has only one NIC; the public IP is a NAT of the private IP.
>> Could that be a problem?
>
> Yes - for connecting the tunnel ends together, you need
> to port forward the UDP port of the public IP to the server,
> and configure your client VPN to connect to the server's
> public IP.
>
> It is not a good idea to bridge the VPN segments in a setup
> like this - the routing at the server may be impossible to
> set up properly. Probably you should have another private
> subnet for the tunnel inside addresses.
>

I want to say that if I configure OpenVPN using routing, then it works.
If I use bridging, it doesn't work.
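Added example (not part of this thread, and not a configuration posted by either participant): a routed (tun) OpenVPN server and client configuration of the kind the reply above recommends, with a separate private subnet for the tunnel inside addresses. The addresses 82.85.10.18, 172.16.14.14 and UDP 1194 come from the thread; the tunnel subnet 10.8.0.0/24, the /24 mask on the server-side LAN, and the certificate/key file names are assumptions.

```conf
#################################################################
# server.conf  (runs on the VPN server 172.16.14.14 in the DMZ)
# Routed mode: "dev tun" carries IP packets, not Ethernet frames,
# so no tap/bridge interface is needed on the single NIC.
#################################################################
port 1194
proto udp
dev tun

# PKI material (assumed file names)
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# Dedicated private subnet for the tunnel inside addresses
# (assumed 10.8.0.0/24). It must not overlap the LAN behind the
# server or the client's home LAN, otherwise routing breaks.
server 10.8.0.0 255.255.255.0

# Tell clients how to reach the server-side LAN through the tunnel
# (assumes the DMZ/LAN is 172.16.14.0/24)
push "route 172.16.14.0 255.255.255.0"

# Keep the NAT mapping on the Netscreen alive and detect dead peers
keepalive 10 120

# Drop privileges and keep state across restarts
user nobody
group nogroup
persist-key
persist-tun
verb 3

#################################################################
# client.ovpn  (runs on the ADSL client with a dynamic public IP)
#################################################################
client
dev tun
proto udp

# Connect to the server's PUBLIC address; the Netscreen must
# forward UDP 1194 from 82.85.10.18 to 172.16.14.14 (see note below)
remote 82.85.10.18 1194
resolv-retry infinite
nobind

# PKI material (assumed file names)
ca   ca.crt
cert client.crt
key  client.key

# Only accept a peer whose certificate is marked as a server,
# so a client certificate cannot be reused to impersonate the server
remote-cert-tls server

persist-key
persist-tun
verb 3
```

The firewall side is the piece the reply says is missing: the Netscreen needs a policy that forwards (destination-NATs) UDP 1194 arriving at 82.85.10.18 to 172.16.14.14, in addition to permitting the traffic. The Netscreen syntax for that is not shown in the thread; on a Linux gateway the equivalent would be a nat-table PREROUTING rule with `-p udp --dport 1194 -j DNAT --to-destination 172.16.14.14:1194` (stated here as an illustration of the rule's intent, not as the poster's configuration). With this routed layout the symptom described in the thread, ARP requests that never get an answer, goes away, because ARP stays on each local segment and only IP packets cross the tunnel.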