On Mon, Oct 12, 2009 at 7:52 PM, Hrishikesh Murali <[email protected]> wrote:
> Hi,
> I am in need of help with OpenVPN here. This is the situation:
>
> I have the VPN server running successfully on 192.168.1.1 and the
> clients are connected to it (192.168.1.2 and 192.168.1.3).
>
> Computer 1
> -----------------
> eth0 - 192.168.1.1/24 (This is the VPN server)
> tap0 - 10.222.222.1
>
> Computer 2
> -----------------
> eth0 - 192.168.1.2/24
> eth1 - 10.1.2.1/24 (internal network is 10.1.2.0/24,
> and this is the gateway)
> tap0 - 10.222.222.2
>
> Computer 3
> -----------------
> eth0 - 192.168.1.3/24
> eth1 - 10.1.3.1/24 (internal network is 10.1.3.0/24,
> and this is the gateway)
> tap0 - 10.222.222.3
>
> I have enabled forwarding from tap0 to eth1 and vice-versa using
> iptables on the two gateways and added this command in the VPN server
> configuration file:
> push "route 10.1.0.0 255.255.0.0"
>
> This adds a routing entry in each client when they are connected:
> route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.222.222.1
>
> On the VPN server, I have added the following routes:
> 1) route add -net 10.1.2.0 netmask 255.255.255.0 gw 10.1.2.1
> 2) route add -net 10.1.3.0 netmask 255.255.255.0 gw 10.1.3.1
>
> By doing so, I am successfully able to ping from 10.1.2.x to 10.1.3.x.
>
> My problem is that all the packets go to the VPN server and then are
> forwarded to the gateways. I feel this will result in too much load on
> the VPN server as it keeps running and in burst traffic situations
> (and might crash). Am I wrong in this assumption?
>
> Is there a better way to do the routing, that is, can I push the
> routing entries 1) and 2) automatically from the VPN server onto the
> clients whenever they connect so that traffic does not have to come
> through the VPN server, it can go directly to the gateway?

In VPN parlance, what you are asking for is a full mesh VPN topology, where any VPN site/network can communicate with any other site/network in the mesh directly. Most commercial firewalls (Cisco/Check Point/Juniper) support this topology. OpenVPN, however, only does star: a central VPN server with all clients communicating to the server only. There is no direct communication between clients. If you want to do this, run a VPN server and client at each site and establish multiple tunnels. For just 3 sites it's pretty easy, but scaling it to a large number of sites is difficult with OpenVPN; management and dynamic routing will become increasingly difficult unless you script/automate.

> If so, what is the command I have to specify in the VPN configuration file?
>
> Also, I need to log traffic and detect burst traffic. I know this is
> possible using iptables, and have tried it out. But, is there a way
> where I can specify in the VPN server configuration file to
> automatically push commands onto the client to prevent burst traffic
> (DOS attacks typically)?

It takes a lot of traffic to overwhelm any OpenVPN server; my WRT54GL wireless modem at home runs tomato + openvpn firmware and handles 1Mb/s DSL with ease. I typically run 2-3 tunnels, and the hardware is a 233MHz ARM with 16MB RAM. Any typical desktop today will handle most OpenVPN workloads easily.

> I must prevent computers from one subnet from DOSing the VPN server,
> or the other subnets, or any computer in the VPN. How do I do this?

If you have a commercial firewall then you can just use it to filter VPN traffic before it enters your network. You can set the DOS limiters on the firewall. Otherwise, iptables is your friend.

> What is the difference between "dev tun" and "dev tap" in the VPN
> configuration files? I know it specifies the tunneling device, but why
> two separate devices? In what situations do I use each device?

TUN is a Layer 2 device which can carry any protocol over ethernet frames. TAP is a Layer 3 device used for IP protocols only. Use TUN if you want to do Ethernet bridging with OpenVPN. I use TUN on my home VPN server to connect to it from remote networks. Use TAP if you don't want Ethernet bridging and want routed networks instead. The OpenVPN Howto and Wikipedia have good documentation on this point.

> I have also noticed this: in my VPN server configuration file, I have the
> line:
> server 10.222.222.0 255.255.255.0
> If I specify "dev tun" in both server and clients, the server starts
> giving out IPs to clients from 10.222.222.5, but if I specify "dev
> tap" in both server and clients, the server starts giving out IPs to
> clients from 10.222.222.2. Why is it so?

Bridging vs routing topology. This question has been asked several times on OpenVPN mailing lists. No point repeating the answers here.

> What if I enable forwarding using iptables from eth0 to eth1 in the
> gateways? Will routing from 10.1.2.x to 10.1.3.x work even then? If
> not, why?

Will not work unless you implement a meshed VPN, or at least simulate one with multiple OpenVPN tunnels.

- Raja
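To make the star-versus-mesh point concrete, here is an added example (not code from the thread or from OpenVPN) that runs a longest-prefix-match lookup over the routing tables given in the original post and traces the hops a packet from 10.1.2.x takes to reach 10.1.3.x. The node names, the host 10.1.3.5, and the assumption that the server's routes 1) and 2) resolve over the tunnel to the sites' tap0 addresses (10.222.222.2/.3) are mine, as is the extra direct tunnel in the mesh variant.

```python
import ipaddress

def _lookup(routes, dst):
    """Longest-prefix match: return (network, next_hop) for dst, or None."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(nodes, start, dst):
    """Next hops from node `start` to host `dst`; dst itself is the last entry."""
    dst_ip = ipaddress.ip_address(dst)
    owner = {a: n for n, d in nodes.items() for a in d["addrs"]}
    node, path = start, []
    for _ in range(16):                       # hop limit catches routing loops
        match = _lookup(nodes[node]["routes"], dst_ip)
        if match is None:
            raise ValueError(f"{node}: no route to {dst}")
        if match[1] is None:                  # destination is on-link here
            return path + [dst]
        path.append(match[1])
        node = owner[match[1]]
    raise ValueError("hop limit exceeded: routing loop")

# Star topology transcribed from the post. The server's next hops for routes
# 1) and 2) are modelled as the sites' tap0 addresses (assumption: that is
# how "gw 10.1.2.1"/"gw 10.1.3.1" resolve over the tunnel in the working setup).
STAR = {
    "server":   {"addrs": {"10.222.222.1"},
                 "routes": [("10.222.222.0/24", None),
                            ("10.1.2.0/24", "10.222.222.2"),    # route 1)
                            ("10.1.3.0/24", "10.222.222.3")]},  # route 2)
    "gateway2": {"addrs": {"10.1.2.1", "10.222.222.2"},
                 "routes": [("10.1.2.0/24", None), ("10.222.222.0/24", None),
                            ("10.1.0.0/16", "10.222.222.1")]},  # pushed route
    "gateway3": {"addrs": {"10.1.3.1", "10.222.222.3"},
                 "routes": [("10.1.3.0/24", None), ("10.222.222.0/24", None),
                            ("10.1.0.0/16", "10.222.222.1")]},  # pushed route
}

def mesh_tables():
    """STAR plus a direct gateway2->gateway3 tunnel route (the extra tunnel
    Raja suggests, assumed here); its /24 beats the pushed /16 on lookup."""
    mesh = {n: {"addrs": d["addrs"], "routes": list(d["routes"])} for n, d in STAR.items()}
    mesh["gateway2"]["routes"].append(("10.1.3.0/24", "10.222.222.3"))
    return mesh

def star_path(): return trace(STAR, "gateway2", "10.1.3.5")           # via server
def mesh_path(): return trace(mesh_tables(), "gateway2", "10.1.3.5")  # direct
```

In the star case every inter-site packet transits 10.222.222.1, which is the load the poster is worried about; in the mesh case the server is not on the path at all.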
