Hi,
I am in need of help with OpenVPN here. This is the situation:
I have the VPN server running successfully on 192.168.1.1 and the
clients are connected to it (192.168.1.2 and 192.168.1.3).
Computer 1
-----------------
eth0 - 192.168.1.1/24 (This is the VPN server)
tap0 - 10.222.222.1
Computer 2
-----------------
eth0 - 192.168.1.2/24
eth1 - 10.1.2.1/24 (internal network is 10.1.2.0/24,
and this is the gateway)
tap0 - 10.222.222.2
Computer 3
-----------------
eth0 - 192.168.1.3/24
eth1 - 10.1.3.1/24 (internal network is 10.1.3.0/24,
and this is the gateway)
tap0 - 10.222.222.3
I have enabled forwarding from tap0 to eth1 and vice versa using
iptables on the two gateways and added this command in the VPN server
configuration file:
push "route 10.1.0.0 255.255.0.0"
This adds a routing entry in each client when they are connected:
route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.222.222.1
On the VPN server, I have added the following routes:
1) route add -net 10.1.2.0 netmask 255.255.255.0 gw 10.1.2.1
2) route add -net 10.1.3.0 netmask 255.255.255.0 gw 10.1.3.1
By doing so, I am successfully able to ping from 10.1.2.x to 10.1.3.x.
My problem is that all the packets go to the VPN server and then it is
forwarded to the gateways. I feel this will result in too much load on
the VPN server as it keeps running and in burst traffic situations
(and might crash). Am I wrong in this assumption?
Is there a better way to do the routing, that is can I push the
routing entries 1) and 2) automatically from the VPN server onto the
clients whenever they connect so that traffic does not have to come
through the VPN server, it can go directly to the gateway?
If so, what is the command I have to specify in the VPN configuration file?
Also, I need to log traffic and detect burst traffic. I know this is
possible using iptables, and have tried it out. But, is there a way
where I can specify in the VPN server configuration file to
automatically push commands onto the client to prevent burst traffic
(DoS attacks, typically)?
I must prevent computers from one subnet from DoSing the VPN server,
or the other subnets, or any computer in the VPN. How do I do this?
What is the difference between "dev tun" and "dev tap" in the VPN
configuration files? I know it specifies the tunneling device, but why
two separate devices? In what situations do I use each device?
I have also noticed this, in my VPN server configuration file, I have the line:
server 10.222.222.0 255.255.255.0
If I specify "dev tun" in both server and clients, the server starts
giving out IPs to clients from 10.222.222.5, but if I specify "dev
tap" in both server and clients, the server starts giving out IPs to
clients from 10.222.222.2. Why is it so?
What if I enable forwarding using iptables from eth0 to eth1 in the
gateways? Will routing from 10.1.2.x to 10.1.3.x work even then? If
not, why?
I know there are too many questions to be answered :), but it would be
really helpful if I could get some answers.
--
Cheers,
Hrishikesh Murali
_______________________________________________
To unsubscribe, email [email protected] with
"unsubscribe <password> <address>"
in the subject or body of the message.
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
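The topology described in the post, written up as an OpenVPN server configuration. This is an added example, not the poster's configuration or anything from the list archive; the certificate names, the ccd directory path and the client common names "gw2" and "gw3" are assumptions chosen for illustration. It uses the routed ("dev tun") mode, where the server has to be told explicitly which client owns which internal subnet: a plain "push route" only installs routes on the clients, while the server needs a matching "iroute" per client (in its client-config-dir file) so that a packet for 10.1.3.x arriving from gw2 is handed to gw3 rather than dropped as unknown.

```conf
# server.conf  (added example; not from the original post)
# Routed (tun) variant of the topology above: VPN subnet 10.222.222.0/24,
# gateway clients "gw2" and "gw3" own 10.1.2.0/24 and 10.1.3.0/24.
port 1194
proto udp
dev tun
topology subnet            # one /24 for all clients instead of net30 /30 blocks
server 10.222.222.0 255.255.255.0

ca   ca.crt                # assumed file names
cert server.crt
key  server.key
dh   dh.pem
tls-auth ta.key 0          # drop packets lacking the shared HMAC before TLS work

# Hand every client a route for the other internal networks via the tunnel.
# On gw2 this overlaps its own 10.1.2.0/24, but the directly connected /24
# is more specific than the pushed /16, so local traffic stays local.
push "route 10.1.0.0 255.255.0.0"

# Kernel routes on the server itself: send these subnets into tun0.
route 10.1.2.0 255.255.255.0
route 10.1.3.0 255.255.255.0

# Per-client files in this directory (named after the certificate CN)
# carry the iroute that binds a subnet to a connected client.
client-config-dir /etc/openvpn/ccd

# Forward packets between clients inside the OpenVPN process instead of
# bouncing them through the server's kernel routing table.
client-to-client

keepalive 10 60
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# --- /etc/openvpn/ccd/gw2 ---
# iroute 10.1.2.0 255.255.255.0

# --- /etc/openvpn/ccd/gw3 ---
# iroute 10.1.3.0 255.255.255.0
```

Two caveats a practitioner would want alongside this. First, iroute is only meaningful with "dev tun"; with "dev tap" the server is a layer-2 relay and learns which client sits behind which MAC address from the frames it sees, which is also why the tap address pool starts at .2 while the default net30 tun layout carves the pool into /30 blocks. Second, none of this removes the server from the data path: in OpenVPN's client/server mode every packet between two clients passes through the server process, with or without client-to-client. If gw2 and gw3 must exchange traffic without touching the server, they need their own point-to-point tunnel between 192.168.1.2 and 192.168.1.3, and the routes for 10.1.2.0/24 and 10.1.3.0/24 then point at that tunnel rather than at 10.222.222.1.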