openvpn routing 192.168.1.9 to 192.168.1.0

[jej94105]

Here's the scenario - environment is all windows machines, a mix of xp and win7 remote clients with the openvpn server in the office running server 2008. I need to enable road toads to connect to our internal office (and their desktop machines inside our office lan) via RDP. To my knowledge there is no need for broadcasts so based on what I've read routing is the best option. The complication is the internal lan is 192.168.1.0 and many of the road toads connect remotely from Starbucks where the local lan is also 192.168.1.0. Most howtos I've read suggest changing our office lan to another private ip range but that is not an option for me.

The scenario looks like this:

RoadToad@Starbucks(192.168.1.100)->internet->officedslmodem(74.22.xxx.xx)->linksysrouter(192.168.1.1)

Question - can this be accomplished via OpenVPN and dev tun?

As a trial, I successfully set up a dev tap openvpn sever in the same environment and roadtoads could rdp fine - however, once connected they could not browse the internet or use im - it appeared as if ALL client traffic was going through the tap interface which is not what I hope would happen - I was hoping the internet traffic (basically anything other than the rdp stuff) would travel through the nic and not the tap interface. I tried the dev tap first because I'm not a super stud when it comes to routing (I guess this is obvious by now).

Any help will be greatly appreciated. If the bridge can be made to work (i.e. allowing im and browser sessions on the remote client while connected via rdp to internal machines) I am fine with that as well. The config files are standard using examples on the lan. Nothing special, since it's dev tap no push routes. Windows firewall off on the server.


Thanks in advance to any who will help an overworked DBA (yep, I'm a DBA doing networking) out!

[ecrist]

1) Change your office LAN. The norm is to use 10.0/16 as the address space, or some subnet thereof.

2) Use bridging. Nothing fancy to setup on your client side, but some minor 'extras' on the server side. Everyone can see everyone else if you add the 'client-to-client' option on the server config. Don't try to redirect the gateway, not needed here. If you have people connecting via satellite internet, they will have problems. FYI.

[jej94105]

Thank you for the response sir!

Unfortunately, as I stated in the last sentence of the first paragraph, changing the office lan is not an option. I do know enough to realize this would simplify things considerably and I also appreciate you emphasizing this fact but suggesting it, but it truly is not an option for me.

I'm going to remove the redirect I have in the server config and see if that helps.

Again, thank you for taking the time to respond, I appreciate it.

[Douglas]

Thank you for the response sir!

Unfortunately, as I stated in the last sentence of the first paragraph, changing the office lan is not an option. I do know enough to realize this would simplify things considerably and I also appreciate you emphasizing this fact but suggesting it, but it truly is not an option for me.

I'm going to remove the redirect I have in the server config and see if that helps.

Again, thank you for taking the time to respond, I appreciate it.

Did that fix it?