Discussion:
[Openvpn-users] Windows tun/tap share
moamahi
2006-07-25 15:51:15 UTC
Hi everybody,
I've tried to share the openvpn connection (tun/tap) on windows as I
do with a normal internet dial-up or dsl connection. I've found that if
I set as default gateway of the other clients in my net the "openvpn pc"
I can use the vpn from them.
My question is: is it possible to forbid that? In other words, is it
possible not to allow sharing of the VPN connection (tun/tap)?

Thank you in advance

Paolo Mirandola
Charles Duffy
2006-07-25 18:21:05 UTC
Post by moamahi
Hi everybody,
I've tried to share the openvpn connection (tun/tap) on windows as I
do with a normal internet dial-up or dsl connection. I've found that if
I set as default gateway of the other clients in my net the "openvpn pc"
I can use the vpn from them.
My question is: is it possible to forbid that? In other words, is it
possible not to allow sharing of the VPN connection (tun/tap)?
It's possible, sure -- but you might need to use something more powerful
than the standard Windows firewall. If you can find something which will
let you block traffic from traversing between the two adapters, I expect
that'll do the trick.

http://wipfw.sourceforge.net/ looks both powerful and Free, if it and
ICS don't interfere. (It looks to not yet be able to modify packets
in-flight, which would prevent its own masquerading support from being
used).
siegfried
2006-07-26 23:30:31 UTC
I have openvpn working on my linksys OpenWRT router in bridging mode and it
is working great. However, I just discovered that the directions for
installing openvpn on my NSLU2 NAS controller only describe using TUN
devices for point to point. Can I configure the openvpn on my router to do
both bridging with TAP and point-to-point with TUN simultaneously?

Thanks,
Siegfried
Charles Duffy
2006-07-27 12:21:59 UTC
Post by siegfried
I have openvpn working on my linksys OpenWRT router in bridging mode and it
is working great. However, I just discovered that the directions for
installing openvpn on my NSLU2 NAS controller only describe using TUN
devices for point to point. Can I configure the openvpn on my router to do
both bridging with TAP and point-to-point with TUN simultaneously?
You can certainly run two instances of OpenVPN on the same server, one
doing routing and the other doing bridging. Using the standard init
scripts, just creating two .conf files in /etc/init.d will do this
out-of-the-box. (I don't know how OpenWRT's init mechanism varies, and
so can't comment on it specifically).


BTW, please don't start new threads by replying to unrelated messages.
Even if you change the subject line, your mailer puts "References" and
"In-Reply-To" headers in the message, causing folks using threaded
readers to show it as a response to a message which is, in terms of
content, unrelated.
siegfried
2006-07-27 13:27:42 UTC
Thanks for that info.

Why would I not have to do something special to keep the two instances
of openvpn from fighting over the same port? Would they not both be
trying to use port 1194?
-----Original Message-----
Post by siegfried
I have openvpn working on my linksys OpenWRT router in bridging mode and
it is working great. However, I just discovered that the directions for
installing openvpn on my NSLU2 NAS controller only describe using TUN
devices for point to point. Can I configure the openvpn on my router to
do both bridging with TAP and point-to-point with TUN simultaneously?
You can certainly run two instances of OpenVPN on the same server, one
doing routing and the other doing bridging. Using the standard init
scripts, just creating two .conf files in /etc/init.d will do this
out-of-the-box. (I don't know how OpenWRT's init mechanism varies, and
so can't comment on it specifically).
Les Mikesell
2006-07-27 14:07:26 UTC
Post by siegfried
Thanks for that info.
Why would I not have to do something special to keep the two instances
of openvpn from fighting over the same port? Would they not both be
trying to use port 1194?
The 'something special' is to use a separate config file where you
specify the port to use along with the other options you want for
this connection. You can start any number of instances with
the --config filename option, or you can put all of the options
on the command line.
--
Les Mikesell
***@gmail.com
Charles Duffy
2006-07-27 15:21:27 UTC
Post by siegfried
Thanks for that info.
Why would I not have to do something special to keep the two instances
of openvpn from fighting over the same port? Would they not both be
trying to use port 1194?
You'd need to specify a different port for each, yes. See the "--port"
directive.

(And it's /etc/openvpn, not /etc/init.d, where the .conf files are
specified; my apologies for any confusion the brain/finger disconnect
may have caused).
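As an added example (not code from this thread and not part of OpenVPN), the port question above can be checked mechanically before starting the second instance. The Python below parses a set of OpenVPN server configs the way OpenVPN reads them (`port`, `lport`, `proto`, `local`; defaults are OpenVPN's own: UDP, port 1194, bind to every address) and reports instances that would try to bind the same socket. The three config texts are constructed for this thread's setup, a bridged TAP instance and a routed TUN instance on one router; the file names, certificate names and `server-bridge` address pool are assumptions, and inline OpenVPN comments are treated the way `shlex` treats `#`.

```python
"""Detect OpenVPN server instances that would fight over one listening socket."""
import shlex
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, str, int]  # (proto, local bind address, port)

# Constructed sample configs for a router running one bridged and one routed
# instance side by side (addresses follow the thread; cert names are assumed).
BRIDGED_CONF = """\
dev tap0
port 1194
proto udp
server-bridge 10.169.1.1 255.255.255.0 10.169.1.200 10.169.1.220
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
"""

# The routed instance with the port line forgotten: it silently falls back to
# OpenVPN's default of 1194 and collides with the bridged instance.
ROUTED_CONF_NO_PORT = """\
dev tun
# port 1195
server 10.169.6.0 255.255.255.0
push "route 10.169.1.0 255.255.255.0"
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
"""

ROUTED_CONF = ROUTED_CONF_NO_PORT.replace("# port 1195", "port 1195")


def listen_socket(conf_text: str) -> Socket:
    """Return the (proto, addr, port) an OpenVPN server would bind for this config.

    Defaults mirror OpenVPN's: proto udp, port 1194, bind to all addresses.
    'lport' overrides 'port' for the local side; 'local' pins the bind address.
    Protocol variants (tcp-server, udp6, ...) are collapsed to their family.
    """
    proto, addr, port = "udp", "0.0.0.0", 1194
    lport: Optional[int] = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments
            continue
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        directive = tokens[0].lstrip("-")    # "--port" is accepted in files too
        if directive == "port" and len(tokens) > 1:
            port = int(tokens[1])
        elif directive == "lport" and len(tokens) > 1:
            lport = int(tokens[1])
        elif directive == "proto" and len(tokens) > 1:
            proto = "tcp" if tokens[1].startswith("tcp") else "udp"
        elif directive == "local" and len(tokens) > 1:
            addr = tokens[1]
    return (proto, addr, lport if lport is not None else port)


def sockets_clash(a: Socket, b: Socket) -> bool:
    """Two binds clash when proto and port match and the addresses overlap."""
    if a[0] != b[0] or a[2] != b[2]:
        return False
    return a[1] == b[1] or "0.0.0.0" in (a[1], b[1])   # wildcard covers everything


def find_conflicts(confs: Dict[str, str]) -> List[Tuple[str, str, Socket]]:
    """Return (name, name, socket) for every pair of configs that would clash."""
    socks = {name: listen_socket(text) for name, text in confs.items()}
    return [(x, y, socks[x]) for x, y in combinations(sorted(socks), 2)
            if sockets_clash(socks[x], socks[y])]


if __name__ == "__main__":
    for pair in ({"bridged": BRIDGED_CONF, "routed": ROUTED_CONF_NO_PORT},
                 {"bridged": BRIDGED_CONF, "routed": ROUTED_CONF}):
        print(find_conflicts(pair) or "no socket conflicts")
```

Run it over the real files with `find_conflicts({p: open(p).read() for p in glob("/etc/openvpn/*.conf")})` before restarting the service; the second instance otherwise fails at bind time with an "Address already in use" style error rather than at config parse time, which is easy to miss on an embedded router with no console.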
siegfried
2006-08-04 05:00:05 UTC
-----Original Message-----
[mailto:openvpn-users-***@lists.sourceforge.net] On Behalf Of Charles
Duffy
Sent: Thursday, July 27, 2006 9:21 AM
Subject: Re: [Openvpn-users] TUN and TAP on same server?
Post by siegfried
Thanks for that info.
Why would I not have to do something special to keep the two instances
(one in bridging mode, one in route mode)
of openvpn from fighting over the same port? Would they not both be
trying to use port 1194?
You'd need to specify a different port for each, yes. See the "--port"
directive.
Can I not just say "port 1195" in my routing mode configuration file?

When I fire up this additional instance of openvpn on my linksys
openwrt router and start the corresponding routing mode client on my
notebook at a wireless cafe (where the router is at home) it looks
good. On the notebook I see both tun and tap devices with good proper
looking ip addresses. Specifically, I see a tun0 for 10.169.6.6.

I then abort the bridging instance of openvpn client on my notebook and (of
course) the tap device disappears from the ifconfig display.

I can ping myself (10.169.6.6) and the router (10.169.6.1) but I
cannot ping any of the other machines on my LAN at home. Why not? My
desktop machine is at 10.169.1.8 and cannot be pinged in routing mode. Why
not?

Thanks,
Siegfried
Charles Duffy
2006-08-04 13:16:07 UTC
Post by siegfried
Can I not just say "port 1195" in my routing mode configuration file?
Yes. --port on the command line and "port" in the configuration file are
the exact same thing.
Post by siegfried
When I fire up this additional instance of openvpn on my linksys
openwrt router and start the corresponding routing mode client on my
notebook at a wireless cafe (where the router is at home) it looks
good. On the notebook I see both tun and tap devices with good proper
looking ip addresses. Specifically, I see a tun0 for 10.169.6.6.
I then abort the bridging instance of openvpn client on my notebook and (of
course) the tap device disappears from the ifconfig display.
I can ping myself (10.169.6.6) and the router (10.169.6.1) but I
cannot ping any of the other machines on my LAN at home. Why not? My
desktop machine is at 10.169.1.8 and cannot be pinged in routing mode. Why
not?
In routing mode, does your desktop machine have a reverse route telling
it to communicate with addresses within the VPN's range via the VPN server?

In either mode -- are you sure the other systems on your network respond
to ICMP? The Windows firewall blocks incoming ping packets by default
(grr!), so this could be distorting what you see. If that's not the
case, I'd advise use of Ethereal (err, Wireshark) to figure out what's
going on; in bridged mode, it makes sense to be able to contact anything
at all on the remote end other than the VPN server (which would indicate
that the bridge isn't working) -- but being able to contact the router
but nothing else is unusual.
siegfried
2006-08-04 13:13:57 UTC
Post by siegfried
Post by Charles Duffy
Post by siegfried
Thanks for that info.
Why would I not have to do something special to keep the two instances
(one in bridging mode, one in route mode)
of openvpn from fighting over the same port? Would they not both be
trying to use port 1194?
You'd need to specify a different port for each, yes. See the "--port"
directive.
Can I not just say "port 1195" in my routing mode configuration file?
When I fire up this additional instance of openvpn on my linksys
openwrt router and start the corresponding routing mode client on my
notebook at a wireless cafe (where the router is at home) it looks
good. On the notebook I see both tun and tap devices with good proper
looking ip addresses. Specifically, I see a tun0 for 10.169.6.6.
I then abort the bridging instance of openvpn client on my notebook and (of
course) the tap device disappears from the ifconfig display.
I can ping myself (10.169.6.6) and the router (10.169.6.1) but I
cannot ping any of the other machines on my LAN at home. Why not? My
desktop machine is at 10.169.1.8 and cannot be pinged in routing mode. Why
not?
I forgot to mention that I added the following line:

push "route 10.169.1.0 255.255.255.0"

should this not allow me to ping 10.169.1.8?

I also have

server 10.169.6.0 255.255.255.0

And I commented out the "server-bridge" command.
Post by siegfried
Thanks,
Siegfried
Charles Duffy
2006-08-04 13:50:31 UTC
Post by siegfried
push "route 10.169.1.0 255.255.255.0"
should this not allow me to ping 10.169.1.8?
It will ensure that packets going to 192.168.1.8 go through the VPN --
but that's not all that's needed.

The system at 192.168.1.8, even if it receives the packets, needs to
have a route telling it to send them back by way of the VPN server --
and the VPN server must agree to forward packets in both directions
(which firewall rules may disallow).

See http://openvpn.net/faq.html#cant-ping-subnet
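As an added example (not part of the thread and not OpenVPN code), the three conditions Charles lists for a routed setup, a route on the client, a reverse route on the LAN host, and a server willing to forward in both directions, are modelled below as a small routing simulator using the thread's own addresses. It simplifies deliberately: OpenVPN 2.0's net30 /30 allocation is flattened into one 10.169.6.0/24, and ip_forward plus the FORWARD chain are folded into a single `forwarding` flag. The desktop's default route via 10.169.1.1 and the router being the LAN's default gateway are assumptions. The same `forwarding` flag is also the lever behind Paolo's opening question on Windows: the OpenVPN PC only relays its LAN neighbours' traffic into the tunnel if it forwards between its two adapters.

```python
"""Trace a ping across a routed OpenVPN link and name the leg that breaks."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Host:
    name: str
    addrs: List[str]                           # addresses this host owns
    routes: List[Tuple[str, Optional[str]]]    # (prefix, next hop); None = on-link
    forwarding: bool = False                   # ip_forward=1 AND FORWARD chain permits

    def owns(self, ip: str) -> bool:
        return ip in self.addrs

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match: next-hop IP, dst itself if on-link, None if no route."""
        best = None
        for prefix, via in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        if best is None:
            return None
        return best[1] if best[1] is not None else dst


def host_for(hosts: List[Host], ip: str) -> Optional[Host]:
    return next((h for h in hosts if h.owns(ip)), None)


def deliver(hosts: List[Host], src: Host, dst: str, max_hops: int = 8) -> Tuple[bool, str]:
    """Walk one packet hop by hop; the originating host never needs forwarding."""
    cur = src
    for _ in range(max_hops):
        if cur.owns(dst):
            return True, f"delivered to {cur.name}"
        if cur is not src and not cur.forwarding:
            return False, f"{cur.name} will not forward (ip_forward off or FORWARD chain drops)"
        nh = cur.next_hop(dst)
        if nh is None:
            return False, f"{cur.name} has no route to {dst}"
        nxt = host_for(hosts, nh)
        if nxt is None:
            return False, f"{cur.name}: next hop {nh} is not reachable"
        cur = nxt
    return False, "hop limit exceeded"


def ping(hosts: List[Host], src_ip: str, dst_ip: str) -> Tuple[bool, str]:
    """Echo request one way, echo reply back; report which direction fails."""
    src = host_for(hosts, src_ip)
    ok, why = deliver(hosts, src, dst_ip)
    if not ok:
        return False, "request: " + why
    ok, why = deliver(hosts, host_for(hosts, dst_ip), src_ip)
    if not ok:
        return False, "reply: " + why
    return True, "round trip ok"


def lab(router_forwards: bool, desktop_has_reverse_route: bool) -> List[Host]:
    """Constructed topology from the thread: notebook at the cafe, OpenWRT router, home desktop."""
    notebook = Host("notebook", ["10.169.6.6"],
                    [("10.169.6.0/24", None),
                     ("10.169.1.0/24", "10.169.6.1")])        # from push "route ..."
    router = Host("router", ["10.169.6.1", "10.169.1.1"],
                  [("10.169.6.0/24", None), ("10.169.1.0/24", None)],
                  forwarding=router_forwards)
    desktop_routes = [("10.169.1.0/24", None)]
    if desktop_has_reverse_route:
        desktop_routes.append(("0.0.0.0/0", "10.169.1.1"))    # assumed default gateway
    desktop = Host("desktop", ["10.169.1.8"], desktop_routes)
    return [notebook, router, desktop]


if __name__ == "__main__":
    for fwd, rev in ((True, True), (False, True), (True, False)):
        print(f"forwarding={fwd} reverse_route={rev}:", ping(lab(fwd, rev), "10.169.6.6", "10.169.1.8"))
    print("router itself:", ping(lab(False, True), "10.169.6.6", "10.169.6.1"))
```

The last line reproduces the symptom from the thread: with forwarding off the router still answers, because it is the endpoint of the tunnel and never has to forward, while every host behind it is unreachable. On a real OpenWRT box the two things the flag stands for are `cat /proc/sys/net/ipv4/ip_forward` and the FORWARD chain in `iptables -L FORWARD -v`, and Wireshark on the desktop tells you whether the request arrives at all (a forwarding problem) or arrives and gets no reply back through the tunnel (a reverse-route problem).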
