Configuring a tunnel

Xi0N
OpenVpn Newbie
Posts: 7
Joined: Sat Jul 30, 2011 12:47 am

Configuring a tunnel

Post by Xi0N » Sat Jul 30, 2011 12:55 am

Hi!!!
I have been trying to configure a VPN tunnel for the last days....

Here is the setup I have:

Remote network (Where the vpn server is):
Main subnet: 192.168.1.x, the DNS is @ 192.168.1.3, the gateway @ 192.168.1.155
VPN Subnet: 10.8.0.x


Local network (my home, from where I want to connect)
Main subnet: 192.168.1.x, the DNS is @ 192.168.1.1, the gateway @ 192.168.1.1



Here is the thing: I have chosen tunneling over bridging because it seems easier to set up, and I successfully made it work... now the problem:

If on the server side, I have this in my config file:

Code:

push "dhcp-option DNS 192.168.1.3"
push "dhcp-option WINS 192.168.1.3"
push "redirect-gateway def1"

I successfully browse the internet using the tunnel (whatismyip reports I have the IP of my company, so, it's ok)
BUT, I cannot access the machines on the local network of my job (192.168.1.x)


However, if I do this:

Code:

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.3"
push "dhcp-option WINS 192.168.1.3"
push "redirect-gateway def1"

I see the machines on the remote network!.... but I cannot access the internet via the remote VPN.......
I wish I could have both things........ is it possible?

I followed the instructions on this page to set the server up: https://wiki.archlinux.org/index.php/OpenVPN
Configuring iptables to forward the traffic...

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

, as the wiki I referenced before points out....

So... any idea? Or is what I am asking for impossible? :)

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Configuring a tunnel

Post by Bebop » Sat Jul 30, 2011 1:56 am

Xi0N wrote: Remote network (Where the vpn server is):
Main subnet: 192.168.1.x, the DNS is @ 192.168.1.3, the gateway @ 192.168.1.155
VPN Subnet: 10.8.0.x
Local network (my home, from where I want to connect)
Main subnet: 192.168.1.x, the DNS is @ 192.168.1.1, the gateway @ 192.168.1.1

I would suggest a starting point as being to change your home subnet to something other than 192.168.1.x, so there is no potential for conflict with work.
The cure for boredom is curiosity

Xi0N
OpenVpn Newbie
Posts: 7
Joined: Sat Jul 30, 2011 12:47 am

Re: Configuring a tunnel

Post by Xi0N » Sat Jul 30, 2011 7:36 am

Ok, after I do so,... what do you suggest?
Is what I'm trying viable via tunneling?

Thanks for your help :)

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Configuring a tunnel

Post by Mimiko » Sat Jul 30, 2011 8:13 am

Hello.

I think you are not using tunneling mode - there is no such thing in OpenVPN. You use the routing method instead of the bridging method.

Yes, you have a LAN address conflict. After the change use:

Code:

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.3"
push "dhcp-option WINS 192.168.1.3"
push "redirect-gateway def1"

to redirect all traffic through the tunnel to the server.

Xi0N
OpenVpn Newbie
Posts: 7
Joined: Sat Jul 30, 2011 12:47 am

Re: Configuring a tunnel

Post by Xi0N » Sat Jul 30, 2011 8:59 am

So, the problem is just conflict between my local and my remote network?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Configuring a tunnel

Post by Mimiko » Sat Jul 30, 2011 9:10 am

Of course - this is the problem.

For example, you want to access a computer with IP 192.168.1.13. There are two computers with this IP, on the server's side and on your LAN. Your computer does not know which of those two computers you want to access.

If the computers' IPs on your LAN and the remote LAN do not interfere (there are no two computers with the same IP), you can do per-IP routing. But this is a lot to do and you will have problems in the future.

Another way to solve this problem is to use IPv6, because the LANs' masks are very unlikely to be identical, and IPs for computers are based on MAC addresses, which are somehow unique. But IPv6 is very complex to understand for now.
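
The conflict discussed above can be checked before connecting. The following is an added example, not part of the original thread or of OpenVPN itself: it parses the push lines quoted in the thread, expands redirect-gateway def1 into its two /1 routes, and models the client's route choice with a simplified longest-prefix match. The function names and the 192.168.2.0/24 home subnet are assumptions, and a real OS breaks equal-prefix ties by metric rather than reporting "ambiguous".

```python
import ipaddress
import re

# Constructed input: the four push lines from the thread's server config.
SERVER_PUSH = '''
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.3"
push "dhcp-option WINS 192.168.1.3"
push "redirect-gateway def1"
'''

def pushed_routes(config_text):
    """Networks the client sends into the tunnel (dotted-quad routes only)."""
    routes = []
    for m in re.finditer(r'^\s*push\s+"\s*(\S[^"]*)"', config_text, re.M):
        words = m.group(1).split()
        if words[0] == "route" and len(words) >= 2:
            # OpenVPN treats a route without a netmask as a host route.
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{words[1]}/{mask}", strict=False))
        elif words[0] == "redirect-gateway" and "def1" in words[1:]:
            # def1 covers the default route with two /1 routes.
            routes += [ipaddress.ip_network("0.0.0.0/1"),
                       ipaddress.ip_network("128.0.0.0/1")]
    return routes

def lan_conflicts(config_text, client_lan):
    """Pushed routes (other than the def1 halves) that overlap the client's LAN."""
    lan = ipaddress.ip_network(client_lan)
    return [r for r in pushed_routes(config_text)
            if r.prefixlen > 1 and r.overlaps(lan)]

def next_hop(dest, config_text, client_lan):
    """Simplified longest-prefix match: 'lan', 'tunnel', 'ambiguous' or 'default'."""
    addr = ipaddress.ip_address(dest)
    table = [(ipaddress.ip_network(client_lan), "lan")]
    table += [(r, "tunnel") for r in pushed_routes(config_text)]
    hits = [(net.prefixlen, via) for net, via in table if addr in net]
    if not hits:
        return "default"
    best = max(plen for plen, _ in hits)
    vias = {via for plen, via in hits if plen == best}
    return "ambiguous" if len(vias) > 1 else vias.pop()

if __name__ == "__main__":
    for lan in ("192.168.1.0/24", "192.168.2.0/24"):  # second value is constructed
        print(lan, lan_conflicts(SERVER_PUSH, lan),
              next_hop("192.168.1.13", SERVER_PUSH, lan))
```

With only the redirect-gateway line pushed, the same model sends 192.168.1.13 to the local LAN, because the connected /24 is more specific than either /1 route.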

Xi0N
OpenVpn Newbie
Posts: 7
Joined: Sat Jul 30, 2011 12:47 am

Re: Configuring a tunnel

Post by Xi0N » Sat Jul 30, 2011 9:28 am

Ok, I will make the changes on my subnet in some time and see if it works.....
I assume tunneling is ok for what I want to do...

Thanks!!!!

Xi0N
OpenVpn Newbie
Posts: 7
Joined: Sat Jul 30, 2011 12:47 am

Re: Configuring a tunnel

Post by Xi0N » Sun Jul 31, 2011 9:44 pm

This works like a charm!!! I also changed from tcp to udp..... seems really faster now....

A couple of things:

One: I am unable to resolve any name of the remote network.... why?
Two: If I connect to a network where I cannot manage the subnet and change it to other than 192.168.1.x (like I did @ my home to make all work) I suppose that I have nothing to do, and I will have conflicts and will not be able to bypass them, no? Another solution I figured is to change the subnet of my company to another different than 192.168.1.x... but that will be a painful and dangerous procedure that I cannot do in a day.....

Thanks for your help, people: You have been really useful, let's see if I can resolve the names in the remote network and I'm done!!!

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Configuring a tunnel

Post by Mimiko » Mon Aug 01, 2011 6:06 am

I'm glad it helped.

One: Are you sure that 192.168.1.3 is a real WINS server? If from the client you cannot resolve computer names from the server's LAN - it's a WINS problem. Although you can build a bridging VPN, which will be as if both LANs are the same physical LAN, and computer name resolving is done traditionally via broadcasting. But bridging will increase network traffic through the tunnel.

Two: Yes, if you add a second client with its LAN pool of 192.168.1.0, it will interfere. To be safe, you have to change the server's and client's LAN pools to something that is not a common IP pool. Or, you can make a bridging VPN, where all LANs have to be in the same IP pool, like 192.168.1.0, but you will have to be sure that no computers from different parties of the VPN have conflicting IPs.

Xi0N
OpenVpn Newbie
Posts: 7
Joined: Sat Jul 30, 2011 12:47 am

Re: Configuring a tunnel

Post by Xi0N » Mon Aug 01, 2011 7:24 pm

Well, I have more than one WINS server... can I push as many WINS servers as I want? One line per server?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Configuring a tunnel

Post by Mimiko » Mon Aug 01, 2011 7:41 pm

Yes, you can push as many WINS servers as you want, within a reasonable number. Also, from some computer on the client's LAN, ping 192.168.1.3 to see that the computer is accessible and use Microsoft's utility nblookup to see that WINS responds.

Xi0N
OpenVpn Newbie
Posts: 7
Joined: Sat Jul 30, 2011 12:47 am

Re: Configuring a tunnel

Post by Xi0N » Mon Aug 01, 2011 8:01 pm

Nope, no luck... anyway... I will consult the forum of the distro I use because I remember having trouble resolving machine names before.....
Thanks!!!!!
