Date:      Sat, 21 Aug 2004 00:25:29 +0200
From:      Geert Hendrickx <geert.hendrickx@ua.ac.be>
To:        freebsd-questions@freebsd.org
Cc:        jef@hendrickx.be
Subject:   configuration of IP addresses on VPN router
Message-ID:  <20040820222529.GA53077@lori.mine.nu>

Hi, 

I have set up a VPN with OpenVPN (ports/security/openvpn).  It works
fine on the clients behind either router, but I'm still having a little
problem with it.  Setup is like this: 

    LAN
192.168.1.x
     |
     |
192.168.1.20
 VPN-router (FreeBSD)
  10.0.0.1
     |
     |
  10.0.0.2
 VPN-router (OpenBSD)
10.65.28.20
     |
     |
10.65.28.x
    LAN 

where the 10.0.0.x are virtual devices (/dev/tun0); they tunnel the
traffic through the hardware routers which connect both sites to the
Internet.

Now when I make a connection from, say, 192.168.1.210 to 10.65.28.38,
packets are sent across the networks ok.  But when I make a connection
from 192.168.1.20 (the vpn router itself) to 10.65.28.38, the latter one
sees the packets coming from 10.0.0.1, and it does not know how to route
them back.  

I could solve this by adding extra routes (either on each client or on
the hardware routers which are the default route for each site), but
then there still is a problem if I want to restrict access to some
services, based on IP address.  I would have to allow access from the
10.65.28.x network, the 192.168.1.x network (that's ok), but also from
the 10.0.0.x network (which is only virtual).  This may seem correct,
but I'm having problems with the fact that the clients get to see these
addresses.  They shouldn't.  When I make a connection from one of the
vpn-routers to any of the clients, I want the source address to be
192.168.1.20, not 10.0.0.1 (or 10.65.28.20, not 10.0.0.2, respectively).

Is that possible?  

GH
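
To illustrate why the far side sees 10.0.0.1 only for connections the FreeBSD router originates (and not for forwarded client traffic), here is an added Python model, not part of the original message, of longest-prefix routing and source-address selection on the topology above. The routing table, the LAN interface name em0 and the allow-list are constructed assumptions; the post does not show them.

```python
import ipaddress

# Routing table of the FreeBSD VPN router, reconstructed from the diagram
# in the post (constructed for illustration; the real table is not shown).
# Each entry: (prefix, outgoing interface, that interface's own address).
FREEBSD_ROUTES = [
    ("192.168.1.0/24", "em0", "192.168.1.20"),   # local LAN (em0 is assumed)
    ("10.65.28.0/24", "tun0", "10.0.0.1"),       # far LAN, reached via the tunnel
    ("10.0.0.0/24", "tun0", "10.0.0.1"),         # the virtual tunnel network
    ("0.0.0.0/0", "em0", "192.168.1.20"),        # default via the hardware router
]

def lookup(routes, dst):
    """Longest-prefix match: return (interface, interface_address) for dst."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, addr in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, addr)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]

def egress_source(routes, dst, original_src=None):
    """Source address a packet carries when it leaves the router.

    A forwarded packet keeps the source it arrived with (192.168.1.210 in
    the post). A packet the router originates itself has no source yet, so
    the kernel fills in the address of the outgoing interface: 10.0.0.1 for
    anything routed over tun0, which is exactly what the far side observes.
    """
    if original_src is not None:
        return original_src
    return lookup(routes, dst)[1]

def allowed_by_acl(src, allow):
    """Source-address allow-list of the kind the poster wants to enforce."""
    s = ipaddress.ip_address(src)
    return any(s in ipaddress.ip_network(n) for n in allow)

# Constructed allow-list: both real LANs, but not the virtual 10.0.0.0/24.
ACL = ["192.168.1.0/24", "10.65.28.0/24"]

if __name__ == "__main__":
    for src in (egress_source(FREEBSD_ROUTES, "10.65.28.38", "192.168.1.210"),
                egress_source(FREEBSD_ROUTES, "10.65.28.38")):
        print(src, "allowed" if allowed_by_acl(src, ACL) else "rejected")
```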


