| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA512 |
| 3 |
|
| 4 |
Patrick Holthaus wrote: |
| 5 |
> Now my questions are: |
| 6 |
> Do I need bridging for making the DHCP server work in the VPN? |
| 7 |
> How should the configuration files look like? |
| 8 |
|
| 9 |
I don't think you can do it, because the openvpn client needs an IP provided by the OpenVPN server |
| 10 |
software to obtain the tunnel. If you want OpenVPN to provide a certain subnet range for your |
| 11 |
openvpn clients, then check out: |
| 12 |
|
| 13 |
- --server network netmask |
| 14 |
A helper directive designed to simplify the configuration of OpenVPN's server mode. This |
| 15 |
directive will set up an OpenVPN server which will allocate addresses to clients out of the given |
| 16 |
network/netmask. The server itself will take the ".1" address of the given network for use as the |
| 17 |
server-side endpoint of the local TUN/TAP interface. |
| 18 |
|
| 19 |
For example, --server 10.8.0.0 255.255.255.0 expands as follows: |
| 20 |
|
| 21 |
mode server |
| 22 |
tls-server |
| 23 |
push "topology [topology]" |
| 24 |
|
| 25 |
if dev tun AND (topology == net30 OR topology == p2p): |
| 26 |
ifconfig 10.8.0.1 10.8.0.2 |
| 27 |
ifconfig-pool 10.8.0.4 10.8.0.251 |
| 28 |
route 10.8.0.0 255.255.255.0 |
| 29 |
if client-to-client: |
| 30 |
push "route 10.8.0.0 255.255.255.0" |
| 31 |
else if topology == net30: |
| 32 |
push "route 10.8.0.1" |
| 33 |
|
| 34 |
if dev tap OR (dev tun AND topology == subnet): |
| 35 |
ifconfig 10.8.0.1 255.255.255.0 |
| 36 |
ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 |
| 37 |
push "route-gateway 10.8.0.1" |
| 38 |
|
| 39 |
|
| 40 |
Don't use --server if you are ethernet bridging. Use --server-bridge instead. |
| 41 |
- --server-bridge gateway netmask pool-start-IP pool-end-IP |
| 42 |
|
| 43 |
A helper directive similar to --server which is designed to simplify the configuration of |
| 44 |
OpenVPN's server mode in ethernet bridging configurations. |
| 45 |
|
| 46 |
To configure ethernet bridging, you must first use your OS's bridging capability to bridge the |
| 47 |
TAP interface with the ethernet NIC interface. For example, on Linux this is done with the brctl |
| 48 |
tool, and with Windows XP it is done in the Network Connections Panel by selecting the ethernet and |
| 49 |
TAP adapters and right-clicking on "Bridge Connections". |
| 50 |
|
| 51 |
Next you you must manually set the IP/netmask on the bridge interface. The gateway and netmask |
| 52 |
parameters to --server-bridge can be set to either the IP/netmask of the bridge interface, or the |
| 53 |
IP/netmask of the default gateway/router on the bridged subnet. |
| 54 |
|
| 55 |
Finally, set aside a IP range in the bridged subnet, denoted by pool-start-IP and pool-end-IP, |
| 56 |
for OpenVPN to allocate to connecting clients. |
| 57 |
|
| 58 |
For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows: |
| 59 |
|
| 60 |
mode server |
| 61 |
tls-server |
| 62 |
|
| 63 |
ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 |
| 64 |
push "route-gateway 10.8.0.4" |
| 65 |
|
| 66 |
|
| 67 |
[taken from: http://openvpn.net/man.html no Named Anchors there...] |
| 68 |
|
| 69 |
- -- |
| 70 |
Arturo "Buanzo" Busleiman - Consultor Independiente en Seguridad Informatica |
| 71 |
Enigform for Firefox: A secure browsing experience: http://enigform.mozdev.org |
| 72 |
Mail Hosting Seguro y Consultoria - http://www.buanzo.com.ar/pro/ |
| 73 |
-----BEGIN PGP SIGNATURE----- |
| 74 |
Version: GnuPG v1.4.6 (GNU/Linux) |
| 75 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 76 |
|
| 77 |
iD8DBQFF+9NiAlpOsGhXcE0RCrNbAJ924t72yJMexav/3YESNXHziZm4OACeJy6s |
| 78 |
tLlNylW4KHjPt4ngjest/jE= |
| 79 |
=gIhv |
| 80 |
-----END PGP SIGNATURE----- |
| 81 |
-- |
| 82 |
gentoo-user@g.o mailing list |
Archives