Re: VPN question
On Tuesday 03 May 2005 00:22, Robert Guerra wrote:
> Can you share your configuration and how you did it? I've been
> wanting to configure openswan for some time - and would settle with
> openvpn.
I converted my old X.509 CA I used for IPSec and my SSL certificates to the
format used by the easy-rsa scripts. This mostly involved copying them around
to new locations and reconfiguring easy-rsa/vars and easy-rsa/openssl.cnf.
A little word about my setup: at the main office, my client has two class C
networks and most workstations in 10.0.0.0/8. The objective was to connect
branch offices to the central location so they can use parts of this address
space as needed as well as integrate road warriors into our net so they can
use source IP restricted services as if they were in the main office. We have
Windows and OS X road warriors.
The central VPN terminator is called (very creatively) "vpn", the server at the
branch "diode", which should serve 10.10.7.0/24 to its clients.
-----------------------------------------------------------------------
vpn:/etc/openvpn/diode.conf:
# act as tun server
mode server
tls-server
dev tun
# local networking setup
local vpn.example.com
proto udp
port 1195 # Use non-standard port to avoid conflict with vpn.conf
# remote networking setup
ifconfig 10.81.6.1 10.10.7.1
# capture traffic to diode
route 10.10.7.0 255.255.255.0
# contains the iroute to diode: iroute 10.10.7.0 255.255.255.0
client-config-dir ccd
# management and key config snipped
-----------------------------------------------------------------------
diode:/etc/openvpn/office.conf:
# act as client
tls-client
dev tun
# server
remote vpn.example.com 1195
proto udp
# routing setup
ifconfig 10.10.7.1 10.81.6.1
# route to vpn.example.com outside the tunnel
route remote_host 255.255.255.255 net_gateway
# route the rest of main office through the tunnel
route 10.0.0.0 255.0.0.0
route x.y.z.0 255.255.255.0
route a.b.c.0 255.255.255.0
# management and key config snipped
-----------------------------------------------------------------------
vpn:/etc/openvpn/vpn.conf
# act as tap server
dev tap0
mode server
tls-server
# local networking setup
local vpn.example.com
proto udp
port 1194
# remote setup
push "route-gateway 10.81.6.1"
push "route-delay 10 30"
push "redirect-gateway"
# management and key config snipped
-----------------------------------------------------------------------
tap0 is statically configured to 10.81.6.1, with a DHCPd listening to provide
IPs to the road warriors.
The road warrior clients are configured with the respective GUIs, which you can
find on openvpn.net. The only exception was the need to add an up script to
the OS X clients, to enable DHCP on the tap interface:
up "ifconfig tap0 up; ipconfig set tap0 DHCP; echo"
Regards, David
--
- hello... how are you today?
- *cough* fine *sniffle* *wheeze*
- thank god we're communicating over a septic medium ;)
-- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15