11-24-2005
Llanzlan Klazmon
Re: need help installing openVPN

Proteus <proteus@uselessemail.net> wrote in
news:pan.2005.11.23.21.14.48.136311@uselessemail.net:

> On Wed, 23 Nov 2005 20:57:00 +0000, Tauno Voipio wrote:
> ...
>> There are many different ways of setting up OpenVPN.
>> My recommendation is:
>> - tunneling at network layer (use tun0, not tap0),

>
> ok i will be sure to go with tun0
>
>> - a separate RFC1918 subnet for the VPN (e.g. 192.168.x.y)

>
> Not sure what that is, but my router has been set up as 192.168.1.1 as
> gateway, 255.255.255.0 subnet mask, and thus my main PC is 192.168.1.100
> -- so I hope that is ok to go with for now? (see below)


The subnet for the VPN must not conflict with the subnet being used for
ethX to talk to your router or any other local subnets. The VPN uses
tun0 as though it were a real interface. Think of it as a "wire" running
between tun0 on one PC to the tun0 on the other. Each end of the "wire"
needs an ip address on the same subnet so you can route packets over the
tunnel. These are usually set up as a private RFC subnet but must not
conflict with any other private RFC subnets you are using. The OpenVPN
Server can supply the address to the client as part of the process of
bringing up the tunnel which is actually established via ethX's ip
address. e.g. you could have:


tun0 of the server could be 192.168.250.1/24
tun0 at the client gets assigned 192.168.250.x where x not= 1

You can route other subnets over the VPN tunnel via pushroutes in the
OpenVPN config or just add the routes after the VPN is established.

>
>> - UDP transport on the standard port (1194),

>
> yes I will go with UDP and 1194
>
>> - SSL encryption and key exchange

> ..
>
> Ok I got openvpn installed using urpmi, it was quite easy, now for the
> hard part, configuring it. It looks do-able though, I am actually rather
> excited to get it installed!
>
> Can I still leave my home cable router home PC LAN setting as
> 192.168.1.1 as the local address (gateway) with 255.255.255.0 subnet
> mask (so that my main PC is 192.169.1.100, etc)-- or do I need to change
> my router LAN network to something else?


Leave your PC lan and router setup alone. Just choose the VPN subnet so it
doesn't conflict with anything you already have.

> In the openVPN documentation
> on setting it up, it talks about "Numbering Private subnets", where
> 10.0.0.0 / 10.255.255.255.255 (10/8 prefix, whatever that means) is
> reserved block of IP address space for private internet protocols. The
> doc says "The best solution is to avoid using 10.0.0.0/24 or
> 192.168.0.0/24 LAN network addresses. Instead, use something that has a
> lower probability of being used in a Wifi cafe, etc. The best candidates
> are subnets in the middle of the vast 10.0.0.0/8 netblock (for example
> 10.66.77.0/24)" I want to have my router set up correctly first, then I
> think I will be able to configure the config files with a little help.


Again, don't touch your router config. As long as normal internet access
is working, leave it alone. The only thing is if the router has a firewall
on it - you will have to make sure udp port 1194 is allowed through to get
the VPN tunnel established. The traffic actually carried over the VPN just
looks like udp port 1194 packets containing gobbledegook (because the real
data packets are encrypted and packaged up inside the UDP 1194 packets).

Klazmon
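The overlap rule from the post above, as an added example that is not part of the original post: it checks a proposed VPN subnet against the subnets already in use, picks a free one, and prints the matching OpenVPN server lines. The function names and the `LOCAL` list are assumptions made for illustration; the addresses are the ones mentioned in the thread.

```python
import ipaddress

def conflicts(vpn_subnet, local_subnets):
    """Return the local entries whose subnet overlaps the proposed VPN subnet."""
    vpn = ipaddress.ip_network(vpn_subnet)
    # strict=False lets an interface address such as 192.168.1.100/24 stand
    # for its whole subnet (192.168.1.0/24).
    return [s for s in local_subnets
            if vpn.overlaps(ipaddress.ip_network(s, strict=False))]

def first_free_subnet(pool, prefixlen, local_subnets):
    """First block of the given prefix length inside pool that overlaps nothing local."""
    used = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(n) for n in used):
            return str(cand)
    return None

def server_directives(vpn_subnet, pushed_lans=()):
    """OpenVPN server config lines for a tun/UDP 1194 setup on vpn_subnet."""
    vpn = ipaddress.ip_network(vpn_subnet)
    lines = ["dev tun", "proto udp", "port 1194",
             f"server {vpn.network_address} {vpn.netmask}"]
    for lan in pushed_lans:
        n = ipaddress.ip_network(lan, strict=False)
        # Routes pushed to clients so they can reach LANs behind the server.
        lines.append(f'push "route {n.network_address} {n.netmask}"')
    return lines

# Constructed sample: the home PC address from the thread (assumed /24 mask).
LOCAL = ["192.168.1.100/24"]

if __name__ == "__main__":
    for candidate in ("192.168.1.0/24", "192.168.250.0/24", "10.66.77.0/24"):
        clash = conflicts(candidate, LOCAL)
        print(candidate, "conflicts with" if clash else "is free", *clash)
    print("\n".join(server_directives("192.168.250.0/24", ["192.168.1.0/24"])))
```

With `server 192.168.250.0 255.255.255.0`, OpenVPN gives the server's tun0 the .1 address and hands the remaining addresses to clients, which matches the layout in the post.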