IPCOP OPENVPN side by side with router VPN

IPCOP OPENVPN side by side with router VPN

Post by SupportA » Wed, 13 Dec 2006 07:49:38



I have the following network problem:

172.21.2.0/255.255.255.128  with 172.21.2.120 NETOPIA ROUTER -->
Internet Internet <-- NETOPIA ROUTER 172.21.1.126 subnet
172.21.1.0/255.255.255.128

From the 172.21.2.0 subnet the netopia handles ipsec tunnels to
multiple locations, not just the 172.21.1.0. Everything works great.

Recently I have been experimenting with OPENVPN on the IPCOP distro as
a way to let certain people work from home.

The OPENVPN box is 172.21.1.72 with its own external IP for my
external test users. My problem is that OPENVPN doesn't seem to give
enough control over settings. It would be really great if I could tell
it to use 172.21.1.73,4,5,6,7 as its address pool for external clients
sort of like mask 255.255.255.248. However, the clients then literally
get visibility to that little subnet and nothing else.

Alternately, if I use a completely different subnet like
10.0.10.0/255.255.255.0 for OpenVPN they get visibility to 10.0.10.0 as
well as 172.21.1.0.

However, I am at a loss of how to get my two netopia routers to then
route 10.0.10.0 traffic (the OpenVPN's virtual subnet) to 172.21.1.72
which would be the IPCOP's real physical IP address so that the remote
users from 10.0.10.X can get to 172.21.2.X.

HELP!

IPCOP OPENVPN side by side with router VPN

Post by Chris Davie » Wed, 13 Dec 2006 19:02:21



> 172.21.2.0/255.255.255.128  with 172.21.2.120 NETOPIA ROUTER -->
> Internet Internet <-- NETOPIA ROUTER 172.21.1.126 subnet
> 172.21.1.0/255.255.255.128
> The OPENVPN box is 172.21.1.72 with its own external IP for my
> external test users. My problem is that OPENVPN doesn't seem to give
> enough control over settings. It would be really great if I could tell
> it to use 172.21.1.73,4,5,6,7 as its address pool for external clients
> sort of like mask 255.255.255.248. However, the clients then literally
> get visibility to that little subnet and nothing else.

If you set this VPN subnet up as a routed subnet then you won't be
able to route between it and the rest of your network (two separate
172.21.1.0/25 networks). If you configure OpenVPN to bridge instead of
route this configuration will work just fine.

> Alternately, if I use a completely different subnet like
> 10.0.10.0/255.255.255.0 for OpenVPN they get visibility to 10.0.10.0 as
> well as 172.21.1.0.

It definitely sounds like you've configured OpenVPN to route instead of
bridge. Are you happy with the difference - and its implications?

> However, I am at a loss of how to get my two netopia routers to then
> route 10.0.10.0 traffic (the OpenVPN's virtual subnet) to 172.21.1.72
> which would be the IPCOP's real physical IP address so that the remote
> users from 10.0.10.X can get to 172.21.2.X.

You would need to configure 172.21.2.120 with a static route for
10.0.10.0/24 to the other router, and you'd need to configure
172.21.1.126 with a static route for 10.0.10.0/24 to your OpenVPN server
on 172.21.1.72.

Chris

IPCOP OPENVPN side by side with router VPN

Post by SupportA » Wed, 13 Dec 2006 23:54:48


Thanks for the reply.

The bridging option slipped my mind because the current interface to
the IPCOP distro doesn't allow it from the config webpage... no big
deal... I can edit the configs myself, so I may end up using this
option.

If I keep the routed option and want to set up my static routes....
setting up the routes on those two routers is exactly what I thought.
Unfortunately it doesn't work, and I think it's because my ISP is using
private IPs for their equipment management. Even though I have real
public IPs, if I do a traceroute from my gateway to say yahoo.com, I
get their private management addresses and I think the routers are
getting confused somehow. The first is my gateway, and the next three
belong to my ISP.

Tracing route to yahoo.com [66.94.234.13]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  172.21.1.126
  2     3 ms     4 ms     6 ms  172.16.7.126
  3     5 ms     8 ms     7 ms  10.64.8.133
  4     7 ms     5 ms     7 ms  10.64.0.21
  5    29 ms    14 ms    12 ms  64.141.118.197
  6    11 ms    11 ms     9 ms  66.163.71.49
  7    28 ms    28 ms    33 ms  66.163.76.86
  8    47 ms    43 ms    49 ms  66.163.76.174
  9    48 ms    44 ms    41 ms  66.163.65.1
 10    72 ms    80 ms    73 ms  66.163.76.69
 11    73 ms    74 ms    82 ms  66.163.67.101
 12    77 ms    74 ms    73 ms  206.223.116.150
 13    73 ms    74 ms    74 ms  216.115.106.209
 14    79 ms    87 ms    99 ms  66.218.82.223
 15    76 ms    73 ms    76 ms  66.94.234.13

Trace complete.

This should be solvable too...I'll keep at it. I've used other VPN
equipment and the most conceptually simple way I've seen things is that
the VPN device has an external IP and a real internal IP. When clients
join, the interface that handles the real internal IP is aliased to
also take on the IP of the client that is connected; ten clients = a
physical nic with ten aliases. I guess this really would be a question
for the openvpn guys, but it seems it would be a lot slicker way to do
things.


IPCOP OPENVPN side by side with router VPN

Post by Chris Davie » Thu, 14 Dec 2006 20:03:52



> Thanks for the reply.

[Please don't top-post. read to hard so things makes It.]

> The bridging option slipped my mind because the current interface to
> the IPCOP distro doesn't allow it from the config webpage... no big
> deal... i can edit the configs myself, so i may end up using this
> option.
> If I keep the routed option and ant to set up my static routes....
> setting up the routes on those two routers is exactly what I thought.
> Unfortunately it doesn't work, and I think it's because my ISP is using
> private IPs for their equipment management.

Firstly, your static routes should override anything the routers get via
their default route. You might want to double check the settings on the
Internet connected router.

Secondly, if your ISP is using 10.* as part of its management network,
try using a different subset for your own OpenVPN routing. You're using
172.21.1.0/25 and 172.21.2.0/25 for your real networks, so maybe you
could use 172.21.3.0/30.

(Incidentally, you might want to reconsider the 25 bit subnets. It's /so/
much easier conceptually when you use a straight three-octet 24 bit mask.)

Regards,
Chris
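To show why the two static routes from Chris's first reply are needed, and why (as this reply says) a static route wins over the default route no matter what the ISP's 10.x hops look like, here is an added Python model of the thread's topology; it is not from the thread, IPCop or OpenVPN. The device names, the sample VPN client address 10.0.10.6, the 172.21.2.x host 172.21.2.5 and the alternative 172.21.3.0/24 subnet are constructed assumptions.

```python
import ipaddress

# Constructed model of the topology in the thread (not real device configs):
# two /25 LANs joined by the Netopia IPsec tunnel, OpenVPN on 172.21.1.72
# handing out a routed (tun) client subnet.
IPSEC_PEER = {"router-2.120": "router-1.126", "router-1.126": "router-2.120"}
LAN_HOST = {"172.21.1.72": "openvpn-1.72", "172.21.1.126": "router-1.126"}

def build_tables(static_routes, vpn_net="10.0.10.0/24"):
    """Routing tables as (prefix, next_hop); next_hop None = directly connected."""
    tables = {
        "openvpn-1.72": [(vpn_net, None), ("172.21.1.0/25", None),
                         ("0.0.0.0/0", "172.21.1.126")],
        "router-1.126": [("172.21.1.0/25", None), ("172.21.2.0/25", "ipsec"),
                         ("0.0.0.0/0", "internet")],
        "router-2.120": [("172.21.2.0/25", None), ("172.21.1.0/25", "ipsec"),
                         ("0.0.0.0/0", "internet")],
    }
    if static_routes:  # the two static routes from Chris's first reply
        tables["router-2.120"].append((vpn_net, "ipsec"))
        tables["router-1.126"].append((vpn_net, "172.21.1.72"))
    return tables

def lookup(table, dst):
    """Longest-prefix match: a /24 static route always beats the /0 default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else "unroutable"

def trace(start, dst, static_routes, vpn_net="10.0.10.0/24"):
    """Follow one packet hop by hop until delivered or handed to the ISP."""
    tables = build_tables(static_routes, vpn_net)
    path, device = [start], start
    while True:
        hop = lookup(tables[device], dst)
        if hop is None:
            return path + ["delivered"]
        if hop == "ipsec":
            device = IPSEC_PEER[device]
        elif hop in LAN_HOST:
            device = LAN_HOST[hop]
        else:
            return path + [hop]  # leaked to the default route, never reaches the client
        path.append(device)
```

Calling `trace("router-2.120", "10.0.10.6", static_routes=False)` shows the reply from the far LAN leaving via the ISP default route, while the same call with `static_routes=True` carries it back through the IPsec tunnel to openvpn-1.72; the forward path from the VPN server works either way, which is why the problem looks one-sided.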
