This is a discussion on OpenVPN as bridge setup within the Linux Security forums, part of the System Security and Security Related category.

Hi folks,

I need help:
===============================
Environment:
A Linux (Debian) PC with iptables firewall. On this firewall PC, OpenVPN is installed in bridge mode.
The connection seems OK. The client PC (XP) says "connected"!

All internal/external (Internet) connections work without obvious problems (no OpenVPN at this time). So I assume the routes on the firewall PC are OK.

Firewall PC = OpenVPN PC

Firewall PC has the following interfaces/subnets:
eth1) Internet: 83.82.81.1 (public / out: masquerading)
eth2) Internal LAN (192.168.100.x): 192.168.100.254
eth3) DMZ (83.82.81.x): 83.82.81.254
eth4) WLAN (192.168.101.x): 192.168.101.254

OpenVPN is set up as a bridge on eth2.

Question: does the bridge have to be bound to eth3 and eth4 explicitly?
If so: HOW? (I have no clue what the syntax looks like for another bridge.)
The connection from the client will be to eth1, the Internet interface.

Any objections to the setup idea?
Any suggestions?

Best
Juergen
===============================
Setup in bridge-start:
br="br0"
tap="tap0"
eth="eth2"
eth_ip="192.168.100.254"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.100.255"
...

"Juergen Loewner" <JLoewner@JLoewnerEDV.com> wrote in news:e6sb4j$js9$1@news.citykom.de:

> Hi folks,
> I need help:
> ===============================
> Environment:
> A Linux (Debian) PC with iptables firewall. On this firewall PC, OpenVPN
> is installed in bridge mode.
> The connection seems OK. The client PC (XP) says "connected"!
>
> All internal/external (Internet) connections work without obvious
> problems (no OpenVPN at this time). So I assume the routes on the
> firewall PC are OK.
>
> Firewall PC = OpenVPN PC
>
> Firewall PC has the following interfaces/subnets:
> eth1) Internet: 83.82.81.1 (public / out: masquerading)
> eth2) Internal LAN (192.168.100.x): 192.168.100.254
> eth3) DMZ (83.82.81.x): 83.82.81.254
> eth4) WLAN (192.168.101.x): 192.168.101.254
>
> OpenVPN is set up as a bridge on eth2.
>
> Question: does the bridge have to be bound to eth3 and eth4 explicitly?
> If so: HOW? (I have no clue what the syntax looks like for another bridge.)
> The connection from the client will be to eth1, the Internet interface.

See this:

http://openvpn.net/bridge.html

> Any objections to the setup idea?
> Any suggestions?
>
> Best
> Juergen
> ===============================
> Setup in bridge-start:
> br="br0"
> tap="tap0"
> eth="eth2"
> eth_ip="192.168.100.254"
> eth_netmask="255.255.255.0"
> eth_broadcast="192.168.100.255"
> ...

Dear Klaszman,

I used your ref:
> http://openvpn.net/bridge.html
to set the bridge up.

Guess it is working. At least for 192.168.100.x.

No idea what happens with the other subnets. There is no hint how to handle the situation when bridging into several subnets.

Has anyone an idea how to check this while I am inside the net and configuring it?

I am thinking about a proxy or so. It is somewhat cumbersome when it comes to checking the OpenVPN from the inside.

Best
Juergen

"Llanzlan Klazmon" <Klazmon@llurdiaxorb.govt> wrote in message news:Xns97E4A7F591824Klazmonllurdiaxorbgo@203.97.37.6...
> "Juergen Loewner" <JLoewner@JLoewnerEDV.com> wrote in news:e6sb4j$js9$1@news.citykom.de:
>
>> Hi folks,
>> I need help:
>> ===============================
>> Environment:
>> A Linux (Debian) PC with iptables firewall. On this firewall PC, OpenVPN
>> is installed in bridge mode.
>> The connection seems OK. The client PC (XP) says "connected"!
>>
>> All internal/external (Internet) connections work without obvious
>> problems (no OpenVPN at this time). So I assume the routes on the
>> firewall PC are OK.
>>
>> Firewall PC = OpenVPN PC
>>
>> Firewall PC has the following interfaces/subnets:
>> eth1) Internet: 83.82.81.1 (public / out: masquerading)
>> eth2) Internal LAN (192.168.100.x): 192.168.100.254
>> eth3) DMZ (83.82.81.x): 83.82.81.254
>> eth4) WLAN (192.168.101.x): 192.168.101.254
>>
>> OpenVPN is set up as a bridge on eth2.
>>
>> Question: does the bridge have to be bound to eth3 and eth4 explicitly?
>> If so: HOW? (I have no clue what the syntax looks like for another bridge.)
>> The connection from the client will be to eth1, the Internet interface.
>
> See this:
>
> http://openvpn.net/bridge.html
>
>> Any objections to the setup idea?
>> Any suggestions?
>>
>> Best
>> Juergen
>> ===============================
>> Setup in bridge-start:
>> br="br0"
>> tap="tap0"
>> eth="eth2"
>> eth_ip="192.168.100.254"
>> eth_netmask="255.255.255.0"
>> eth_broadcast="192.168.100.255"
>> ...

Dear Llanzlan Klazmon,

I just realized that I misspelled your name several times. Sorry about that negligence.

Best
Juergen

"Juergen Loewner" <JLoewner@JLoewnerEDV.com> wrote in message news:e6thdb$vci$1@news.citykom.de...
> Dear Klaszman,
> I used your ref:
>> http://openvpn.net/bridge.html
> to set the bridge up.
>
> Guess it is working. At least for 192.168.100.x.
>
> No idea what happens with the other subnets. There is no hint how to
> handle the situation when bridging into several subnets.
>
> Has anyone an idea how to check this while I am inside the net and
> configuring it?
>
> I am thinking about a proxy or so. It is somewhat cumbersome when it
> comes to checking the OpenVPN from the inside.
>
> Best
> Juergen
>
> "Llanzlan Klazmon" <Klazmon@llurdiaxorb.govt> wrote in message
> news:Xns97E4A7F591824Klazmonllurdiaxorbgo@203.97.37.6...
>> "Juergen Loewner" <JLoewner@JLoewnerEDV.com> wrote in news:e6sb4j$js9$1@news.citykom.de:
>>
>>> Hi folks,
>>> I need help:
>>> ===============================
>>> Environment:
>>> A Linux (Debian) PC with iptables firewall. On this firewall PC, OpenVPN
>>> is installed in bridge mode.
>>> The connection seems OK. The client PC (XP) says "connected"!
>>>
>>> All internal/external (Internet) connections work without obvious
>>> problems (no OpenVPN at this time). So I assume the routes on the
>>> firewall PC are OK.
>>>
>>> Firewall PC = OpenVPN PC
>>>
>>> Firewall PC has the following interfaces/subnets:
>>> eth1) Internet: 83.82.81.1 (public / out: masquerading)
>>> eth2) Internal LAN (192.168.100.x): 192.168.100.254
>>> eth3) DMZ (83.82.81.x): 83.82.81.254
>>> eth4) WLAN (192.168.101.x): 192.168.101.254
>>>
>>> OpenVPN is set up as a bridge on eth2.
>>>
>>> Question: does the bridge have to be bound to eth3 and eth4 explicitly?
>>> If so: HOW? (I have no clue what the syntax looks like for another bridge.)
>>> The connection from the client will be to eth1, the Internet interface.
>>
>> See this:
>>
>> http://openvpn.net/bridge.html
>>
>>> Any objections to the setup idea?
>>> Any suggestions?
>>>
>>> Best
>>> Juergen
>>> ===============================
>>> Setup in bridge-start:
>>> br="br0"
>>> tap="tap0"
>>> eth="eth2"
>>> eth_ip="192.168.100.254"
>>> eth_netmask="255.255.255.0"
>>> eth_broadcast="192.168.100.255"
>>> ...

Juergen Loewner wrote:
> Dear Klaszman,
> I used your ref:
>> http://openvpn.net/bridge.html
> to set the bridge up.
>
> Guess it is working. At least for 192.168.100.x.
>
> No idea what happens with the other subnets. There is no hint how to
> handle the situation when bridging into several subnets.

You do not bridge subnets; you are bridging Ethernet (and/or pseudo-Ethernet) interfaces. You have to handle the subnet routing between the bridge device (not the interfaces which are components of the bridge) and the other interfaces on the host.

It might be useful to read a tutorial on bridging, e.g. BRIDGE-STP-HOWTO in the Linux Documentation Project. Another reference is <http://linux-net.osdl.org/index.php/Bridge>.

> Has anyone an idea how to check this while I am inside the net and
> configuring it?
>
> I am thinking about a proxy or so. It is somewhat cumbersome when it
> comes to checking the OpenVPN from the inside.

Could you please describe the whole set-up with all the involved computers and network connections, and what are you attempting to gain with the VPN?

--
Tauno Voipio
tauno voipio (at) iki fi

Tauno,

> Could you please describe the whole set-up with all
> the involved computers and network connections, and
> what are you attempting to gain with the VPN?

I guess you could read all essentials of the PC in my initial message (cards with their nets and their IPs).

What I want to do:
From anywhere on earth where I have Internet access, log in from my mobile PC and work as if I were sitting at home at my workstation:
Inside the home net.
Behind the firewall.
No problem accessing my local private LAN.
No problem accessing my DMZ zone. No restrictions, as I am "inside" or "home".
No problem accessing my printer.
etc.
as if I were at home.

Best
Juergen

Juergen Loewner wrote:
> Tauno,
>
>> Could you please describe the whole set-up with all
>> the involved computers and network connections, and
>> what are you attempting to gain with the VPN?
>
> I guess you could read all essentials of the PC in my initial
> message (cards with their nets and their IPs).
>
> What I want to do:
> From anywhere on earth where I have Internet access, log in from my
> mobile PC and work as if I were sitting at home at my workstation:
> Inside the home net.
> Behind the firewall.
> No problem accessing my local private LAN.
> No problem accessing my DMZ zone. No restrictions, as I am "inside" or
> "home".
> No problem accessing my printer.
> etc.
> as if I were at home.

OK. This seems to be a garden-variety 'road warrior' setup. Google for instructions. There are already plenty of setup instructions.

Please be warned: the 'Internet' access at many locations is limited to proxied HTTP (TCP/80) and HTTPS (TCP/443) connections only. Been bitten by it some times.

Do you need Windows disk shares without TCP/IP setup on the Windows computers?

If the response to the question is 'no', use the routed OpenVPN setup. If the response is 'yes', you need to use a bridged setup, but it is less efficient than the routed one, due to so many unnecessarily tunneled extra frames.

--
Tauno Voipio
tauno voipio (at) iki fi

Tauno,

> If the response to the question is 'no', use the routed
> OpenVPN setup. If the response is 'yes', you need to
> use a bridged setup, but it is less efficient than the

I need the shares. So I guess I am right to use the bridge setup.

This is ready; I just can't test it. I am home. (And will be here for a few more weeks as I have a broken leg.)

Could you confirm that the bridge between the one NIC and tap is all I need? Even to reach the other subnets?
You should be able to read the config out of msg #1.

Or do you have an idea how to check the setup as long as I am inside my (home) net?

Best
Juergen

Juergen Loewner wrote:
> Tauno,
>
>> If the response to the question is 'no', use the routed
>> OpenVPN setup. If the response is 'yes', you need to
>> use a bridged setup, but it is less efficient than the
>
> I need the shares. So I guess I am right to use the
> bridge setup.
>
> This is ready; I just can't test it.
> I am home. (And will be here for a few more
> weeks as I have a broken leg.)
>
> Could you confirm that the bridge between
> the one NIC and tap is all I need? Even to
> reach the other subnets?
> You should be able to read the config out of msg #1.
>
> Or do you have an idea how to check the setup
> as long as I am inside my (home) net?

I'd configure the Windows boxes so that they would be routable, using TCP/IP transport only (no direct SMB). Please do not ask me for details; my Windows expertise stops somewhere between NT 4.0 and Windows 2000.

If you want to use bridging, you have to include in the bridge all the interfaces needed for Windows share traffic. Please remember that the bridge component interfaces must not have an IP setup (address, netmask) of their own; the IP settings belong to the bridge pseudo-interface. This probably forces changes in your network addressing setup.

HTH

--
Tauno Voipio
tauno voipio (at) iki fi
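The bridge layout Tauno describes, as an added example written for this page (it is not the bridge-start script from openvpn.net/bridge.html and not anything the posters ran): tap0 and eth2 become slaves of br0, the LAN address moves from eth2 to the bridge device, and the DMZ and WLAN stay routed, so reaching them is a matter of FORWARD rules between br0 and eth3/eth4, not of bridging more interfaces. Interface names and addresses come from the first message; the iproute2 commands, the UDP port 1194 (the thread never names a port) and the dry-run mode that only prints commands unless APPLY=1 are assumptions of this example.

```sh
#!/bin/sh
# bridge-start for the layout in the thread: tap0 and eth2 are enslaved to br0
# and the LAN address moves from eth2 to br0. Added example, not the script
# from openvpn.net/bridge.html. Dry-run by default: commands are printed and
# executed only when APPLY=1 (as root).

br="br0"
tap="tap0"
eth="eth2"
eth_ip="192.168.100.254"
eth_prefix="24"                 # same as netmask 255.255.255.0 in the posted bridge-start
eth_broadcast="192.168.100.255"

# Interfaces that stay routed, not bridged (names taken from the first message).
inet_if="eth1"
dmz_if="eth3"
wlan_if="eth4"
ovpn_port="1194"                # assumption: the thread never names the port

# run: echo the command; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# bridge_start: build br0 from tap0 + eth2. The slaves carry no IP address of
# their own; the LAN address belongs to the bridge device.
bridge_start() {
    run openvpn --mktun --dev "$tap"
    run ip link add name "$br" type bridge
    run ip addr flush dev "$eth"                 # eth2 gives up its address
    run ip link set dev "$eth" master "$br"
    run ip link set dev "$tap" master "$br"
    run ip link set dev "$tap" promisc on up
    run ip link set dev "$eth" promisc on up
    run ip addr add "$eth_ip/$eth_prefix" broadcast "$eth_broadcast" dev "$br"
    run ip link set dev "$br" up
}

# firewall_rules: the DMZ and WLAN are not bridged. VPN clients sit on the LAN
# segment (br0) and reach eth3/eth4 through the firewall's routing. Once eth2
# is a bridge slave, IP traffic enters netfilter on br0, so FORWARD rules that
# still name eth2 never match; every rule below names br0 instead.
firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A INPUT -i "$inet_if" -p udp --dport "$ovpn_port" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$br" -o "$dmz_if" -j ACCEPT
    run iptables -A FORWARD -i "$br" -o "$wlan_if" -j ACCEPT
    run iptables -A FORWARD -i "$br" -o "$inet_if" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$inet_if" -j MASQUERADE
}

# bridge_check: after APPLY=1, the bridge must own the LAN address and eth2
# must report br0 as its master. Returns non-zero if either is missing.
bridge_check() {
    ip -o addr show dev "$br" | grep -q " $eth_ip/" || return 1
    ip -o link show dev "$eth" | grep -q " master $br " || return 1
}

bridge_start
firewall_rules
```

Run it once without APPLY to review the commands, then `APPLY=1 sh bridge-start.sh && sh -c '. ./bridge-start.sh; bridge_check'` from the console rather than over SSH on eth2: between the address flush and the address on br0 the firewall has no LAN address, so a session over eth2 would be cut off. The check can be done from inside the home net, which is what the thread asks for: if br0 holds 192.168.100.254 and eth2 shows `master br0`, a client attached to tap0 is on the same segment as the LAN, and whether it reaches the DMZ or WLAN depends only on the FORWARD rules, which can be tested from any LAN host.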

Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote in news:NqBkg.284$226.7@read3.inet.fi:
> Juergen Loewner wrote:
>> Tauno,
>>
>>> Could you please describe the whole set-up with all
>>> the involved computers and network connections, and
>>> what are you attempting to gain with the VPN?
>>
>> I guess you could read all essentials of the PC in my initial
>> message (cards with their nets and their IPs).
>>
>> What I want to do:
>> From anywhere on earth where I have Internet access, log in from my
>> mobile PC and work as if I were sitting at home at my workstation:
>> Inside the home net.
>> Behind the firewall.
>> No problem accessing my local private LAN.
>> No problem accessing my DMZ zone. No restrictions, as I am "inside" or
>> "home".
>> No problem accessing my printer.
>> etc.
>> as if I were at home.
>
> OK. This seems to be a garden-variety 'road warrior' setup.
> Google for instructions. There are already plenty of setup
> instructions.
>
> Please be warned: the 'Internet' access at many locations
> is limited to proxied HTTP (TCP/80) and HTTPS (TCP/443)
> connections only. Been bitten by it some times.
>
> Do you need Windows disk shares without TCP/IP setup
> on the Windows computers?
>
> If the response to the question is 'no', use the routed
> OpenVPN setup. If the response is 'yes', you need to
> use a bridged setup, but it is less efficient than the
> routed one, due to so many unnecessarily tunneled extra frames.

You can still handle Windows shares with a routed setup. The only issue is with the Windows host name resolution and, as I pointed out in another thread, there are ways to get around that.

Klazmon.
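The routed alternative Tauno and Klazmon recommend, as an added example written for this page and not a configuration posted in the thread: an OpenVPN server configuration in tun mode that pushes routes for the internal subnets from the first message and hands the client a WINS and DNS server, which is the usual way to give Windows name resolution over a routed link where NetBIOS broadcasts do not cross. The tunnel network 10.8.0.0/24, the name server at 192.168.100.10, the port, the certificate file names and the DMZ prefix are assumptions; the subnets and interface roles come from the first message.

```conf
# Routed (tun) OpenVPN server for the firewall in the thread. Added example,
# not a configuration posted in the thread. Assumed: tunnel net 10.8.0.0/24,
# a WINS/DNS server at 192.168.100.10, default port 1194/UDP, PKI file names.
port 1194
proto udp
dev tun0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0

# Clients learn the internal subnets; the firewall routes between tun0 and
# eth2, eth3, eth4 exactly as it routes between those interfaces today, so
# "the other subnets" need no bridge at all.
# LAN (eth2)
push "route 192.168.100.0 255.255.255.0"
# WLAN (eth4)
push "route 192.168.101.0 255.255.255.0"
# DMZ (eth3): push only a prefix that does NOT contain eth1's own address
# 83.82.81.1. A route covering the server's public address would send the
# tunnel's own UDP packets into the tunnel. The half-range below is an
# assumption about where the DMZ hosts live; adjust before enabling.
;push "route 83.82.81.128 255.255.255.128"

# Windows name resolution over a routed link (Klazmon's point): give the
# client a WINS server and a DNS server instead of relying on broadcasts.
push "dhcp-option WINS 192.168.100.10"
push "dhcp-option DNS 192.168.100.10"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
```

With this in place the Windows client only needs TCP/IP, which is what Tauno asks for in the previous message; the bridged setup remains necessary only when the shares must work without any name server reachable from the client.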