[kwlug-help] Openvpn assistance request.

Chris Irwin chris at chrisirwin.ca
Sun Aug 21 00:00:58 EDT 2011


On Sat, Aug 20, 2011 at 10:01:13PM -0400, Paul Nijjar wrote:
> Could you help me understand the bridging magic? Say I am using a
> laptop and want to connect to an arbitrary site. I connect to the
> OpenVPN network, type the address into the URL, and then the traffic
> moves as follows?
> 
> - The packet goes from my laptop to my Tomato router,
>   which it finds via dynamic DNS
> - That router uses port forwarding to send the packet to my Ubuntu
>   server. It arrives via the TAP interface?
> - The Ubuntu server sends the packet back out through eth0 to the
>   Tomato router?
> - Then the Tomato router gets the response and forwards it to the
>   Ubuntu server again, which relays it through the tunnel to my
>   laptop?
> 
> Do I have that right?

Essentially, yes. I'm running OpenWRT on my router. I might look into
having OpenVPN run on it directly instead of my server. The config
is not Ubuntu-specific, and OpenWRT already has a bridged interface
(WLAN and LAN interfaces are actually separate, but bridged to appear as
one network).

In the OpenVPN setup I am using, you have the following logical and
physical paths to the internet (where => is an encrypted tunnel, and ->
is not).

Logical:

    Laptop -> Server -> Router -> Internet

Physical:

    Laptop => Internet => Router => Server -> Router -> Internet

> > I have attached my config.
> 
> Another stupid question: does eth0 need to be in promiscuous mode for
> the bridge to work?

I'd imagine so. It needs to receive packets destined for hosts other
than itself (any and all machines on the VPN). The bridge might do that
automatically.

I'm on a switched network anyway...

> Thanks for sharing your config and your solution, by the way. This
> could be very very useful to me. I always thought you effectively 
> needed to run OpenVPN on your firewall.

I wasn't sure how well it would traverse into NAT either, but it is
pretty simple: one UDP port.

-- 
Chris Irwin
e:  chris at chrisirwin.ca
w: http://chrisirwin.ca
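
The bridged setup discussed in this message, as an added example that is not the config attached to the thread: a server behind the NAT router bridges eth0 with a TAP device, OpenVPN listens on a single forwarded UDP port, and a helper reads the promiscuity count that `ip -d link show` reports for a bridge port. Interface names, addresses, port 1194 and key file names are assumptions.

```sh
#!/bin/sh
# Constructed example. Assumed: eth0/tap0/br0, LAN 192.168.1.0/24,
# server 192.168.1.10, router 192.168.1.1, UDP port 1194, key file names.
BR=br0 TAP=tap0 ETH=eth0 ADDR=192.168.1.10

# OpenVPN server directives for a bridged (TAP) setup on one UDP port.
# The router only needs to forward UDP 1194 to $ADDR.
server_conf() {
    cat <<EOF
port 1194
proto udp
dev $TAP
server-bridge $ADDR 255.255.255.0 192.168.1.200 192.168.1.220
ca ca.crt
cert server.crt
key server.key
dh dh.pem
keepalive 10 120
EOF
}

# Create the bridge, enslave eth0 and tap0, move the host address to br0 (root).
setup_bridge() {
    openvpn --mktun --dev "$TAP"
    ip link add name "$BR" type bridge
    ip link set "$ETH" master "$BR"
    ip link set "$TAP" master "$BR"
    ip addr flush dev "$ETH"
    ip addr add "$ADDR/24" dev "$BR"
    for i in "$ETH" "$TAP" "$BR"; do ip link set "$i" up; done
    ip route add default via 192.168.1.1
}

# Read `ip -d link show <if>` output on stdin, print the promiscuity count.
# The Linux bridge normally raises it to 1 when a port is enslaved.
promiscuity_of() {
    sed -n 's/.*promiscuity \([0-9][0-9]*\).*/\1/p'
}

case "${1:-}" in
    conf)  server_conf ;;
    setup) setup_bridge ;;
    check) ip -d link show "$ETH" | promiscuity_of ;;
esac
```

Run `setup` from a local console rather than over SSH on eth0, since the host address moves to br0 partway through.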