Thanks for the reply.
The bridging option slipped my mind because the current interface to
the IPCOP distro doesn't allow it from the config webpage... no big
deal... i can edit the configs myself, so i may end up using this
If I keep the routed option and ant to set up my static routes....
setting up the routes on those two routers is exactly what I thought.
Unfortunately it doesn't work, and I think it's because my ISP is using
private IPs for their equipment management. Even though I have real
public IPs, if I do a traceroute from my gateway to say yahoo.com, I
get their private management addresses and I think the routers are
getting confused somehow. The first is my gateway, and the next three
belong to my ISP.
Tracing route to yahoo.com [126.96.36.199]
over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 172.21.1.126
2 3 ms 4 ms 6 ms 172.16.7.126
3 5 ms 8 ms 7 ms 10.64.8.133
4 7 ms 5 ms 7 ms 10.64.0.21
5 29 ms 14 ms 12 ms 188.8.131.52
6 11 ms 11 ms 9 ms 184.108.40.206
7 28 ms 28 ms 33 ms 220.127.116.11
8 47 ms 43 ms 49 ms 18.104.22.168
9 48 ms 44 ms 41 ms 22.214.171.124
10 72 ms 80 ms 73 ms 126.96.36.199
11 73 ms 74 ms 82 ms 188.8.131.52
12 77 ms 74 ms 73 ms 184.108.40.206
13 73 ms 74 ms 74 ms 220.127.116.11
14 79 ms 87 ms 99 ms 18.104.22.168
15 76 ms 73 ms 76 ms 22.214.171.124
This should be solvable too...I'll keep at it. I've used other VPN
equipment and the most conceptually simple way I've seen things is that
the VPN device has an external IP and a real internal IP. When clients
join, the interface that handles the real internal IP is aliased to
also take on the IP of the client that is connected; ten clients = a
physical nic with ten aliases. I guess this really would be a question
for the openvpn guys, but it seems it would be a lot slicker way to do
> > 172.21.2.0/255.255.255.128 with 172.21.2.120 NETOPIA ROUTER -->
> > Internet Internet <-- NETOPIA ROUTER 172.21.1.126 subnet
> > 172.21.1.0/255.255.255.128
> > The OPENVPN box is 172.21.1.72 with its own external IP for my
> > external test users. My problem is that OPENVPN doesn't seem to give
> > enough control over settings. It would be really great if I could tell
> > it to use 172.21.1.73,4,5,6,7 as it's address pool for external clients
> > sort of like mask 255.255.255.248. However, the clients then literally
> > get visibility to that little subnet and nothing else.
> If you set this VPN subnet up as a routed subnet then you won't be
> able to route between it and the rest of your network (two separate
> 172.21.1.0/25 networks). If you configure OpenVPN to bridge instead of
> route this configuration will work just fine.
> > Alternately, if I use a completely different subnet like
> > 10.0.10.0/255.255.255.0 for OpenVPN they get visibility to 10.0.10.0 as
> > well as 172.21.1.0.
> It definitely sounds you've configured OpenVPN to route instead of
> bridge. Are you happy with the difference - and its implications?
> > However, I am at a loss of how to get my two netopia routers to then
> > route 10.0.10.0 traffic (the OpenVPN's virtual subnet) to 172.21.1.72
> > which would the the IPCOP's real physical IP address so that the remote
> > users from 10.0.10.X can get to 172.21.2.X.
> You would need to configure 172.21.2.120 with a static route for
> 10.0.10.0/24 to the other router, and you'd need to configure
> 172.21.1.126 with a static route for 10.0.10.0/24 to your OpenVPN server
> on 172.21.1.72.