Hi,

On 03/04/17 08:57, saato...@keemail.me wrote:
> Hello!
> This is interesting, I've never encountered a VPN where the server
> does not have a VPN IP address.
> How does one set that up? How does that even work, in terms of
> forwarding traffic through the tunnel?
> Would someone have a link for me, about that topic?

An example is given in my OpenVPN Cookbook, although that example is for
a point-to-point connection. However, it could also be applied to a
client/server setup. The main idea is that the client only needs to know
which *interface* to send the packets out on, not to which router IP;
so as long as the clients know that traffic for network X needs to go
out interface tunY then the packets should "flow". There are caveats
here, however: some OSes don't like this, especially if you want to
reroute *all* traffic over the VPN tunnel.

Apart from that, if I were running an OpenVPN server to which potential
rogue users can connect then I'd block all incoming traffic on the VPN
server - you'd be allowed to FORWARD stuff, nothing more. This is
similar to a well-protected LAN where you're not allowed to connect to
the LAN router/gateway: all that thing will do for you is forward (and
filter) traffic.

As a final note: if you're running OpenVPN in tap mode then it's not
even necessary that the VPN "router" IP is the same as that of the VPN
server itself; one could set up a VPN server and a separate router to
handle the VPN traffic. Then again, "tap" setups are quite rare these days.

HTH,
JJK

> 31. Mar 2017 18:20 by janj...@nikhef.nl:
>> Hi,
>>
>> On 30/03/17 10:06, saato...@keemail.me wrote:
>>> Hello!
>>> Yes, I could "unix ping" the tunnel's server IP (e.g. ping -c
>>> 1 -W 2 -I tun0 172.16.0.1), but I haven't found a reliable way
>>> to automatically identify the server's IP address yet.
>>> The environmental variable $route_network_1 appears to be
>>> working for that only occasionally.
>>> How could I implement "sending data and checking the
>>> response"? I'd need to get that working in an automated manner.
>>
>> In theory the server does not need to have a VPN IP address - or
>> the server could be configured to block all access to it; if I
>> were running a VPN setup where paying customers are connecting
>> this is exactly what I'd do - I wouldn't want a rogue customer to
>> attack my server.
>> Having said that, in 99.9% of the cases the server IP will always
>> be <subnet>.1 - which use cases are you trying to address in
>> which this is not the case?
>>
>> HTH,
>> JJK
>>
>>> 30. Mar 2017 09:00 by g...@greenie.muc.de:
>>>> Hi,
>>>>
>>>> On Wed, Mar 29, 2017 at 03:27:55PM +0200,
>>>> saato...@keemail.me wrote:
>>>>> How can I confirm that the data channel is working
>>>>> correctly after "Initialization Sequence Completed" on
>>>>> the client?
>>>>
>>>> "ping the server", like, with "unix ping"?
>>>> Send data over the data channel and see if something
>>>> useful comes back.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
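
The automated check asked about in this thread, as an added example that is not part of any poster's message: it derives the usual `<subnet>.1` server address from the client's tunnel address and netmask, then probes through the tunnel interface, falling back to further targets because a server that drops traffic addressed to itself will not answer the first one. It assumes Linux iputils `ping`; the function names, `tun0` and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): data-channel check for a VPN client.
# Function names, interface name and addresses are assumptions.

# Print the first host address of the IPv4 network containing address $1
# with dotted netmask $2 (this is <subnet>.1 for a /24).
# Runs in a subshell so the IFS change does not leak into the caller.
first_host() (
    set -f                 # no globbing while the arguments are split
    IFS=.
    set -- $1 $2           # 8 fields: a b c d  m1 m2 m3 m4
    [ $# -eq 8 ] || exit 1 # malformed address or netmask
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( ($4 & $8) + 1 ))"
)

# Send one echo request to each target through interface $1 and print the
# first target that answers. Exit status 1 means nothing came back.
# A silent <subnet>.1 alone is not proof of a dead tunnel: the server may
# only FORWARD traffic and drop anything addressed to itself, so pass a
# host that is reached *through* the VPN as a second target.
tunnel_alive() {
    dev=$1
    shift
    for target in "$@"; do
        if ping -c 1 -W 2 -I "$dev" "$target" >/dev/null 2>&1; then
            echo "$target"
            return 0
        fi
    done
    return 1
}

# Typical use (constructed values; 192.0.2.10 stands for a host behind the VPN):
#   gw=$(first_host 172.16.0.6 255.255.255.0) || exit 1
#   tunnel_alive tun0 "$gw" 192.0.2.10 || echo "data channel not passing traffic"
```
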