OpenVPN with TUN interface

Discussion in 'Tomato Firmware' started by PBandJ, Feb 5, 2012.

  1. PBandJ

    PBandJ Networkin' Nut Member

    I'd like to setup a VPN between my place (server) and my brother's (client). It'll be a first for me. Did the mandatory reading bits, still missing a vital piece of the puzzle.
    The thing is, since we're both using the 192.168.1.0/24 address space and both LANs have DHCP setups, setting up OpenVPN with a bridging interface seems a bit out of the question (mostly because of the DHCP thing).

    So we need to setup it up using a TUN interface. The thing that still confuses me is: must we switch one site to some other DHCP address space, say 192.168.2.0/24, or does OpenVPN also NAT?

    I started the WINS server on the RT-N16 (also the OpenVPN server) and set it to be the master browser. So I thought with all the NAT-ing going on, accessing machines by name from the OpenVPN client side should still work.

    Would appreciate your suggestions.
     
  2. kthaddock

    kthaddock Network Guru Member

  3. PBandJ

    PBandJ Networkin' Nut Member

    Nice article. I've already set it up in a similar way. The only differences are I'm using UDP not TCP and also have tls-auth enabled. These changes allow me to stealth the OpenVPN port.
    For more details: http://openvpn.net/index.php/open-source/documentation/howto.html#security

    It didn't answer my question, though. I'm waiting for my brother to return from work so we can try it out.
    Maybe I'll just need to push the WINS server to the client? More about it here:
    http://openvpn.net/index.php/open-source/documentation/howto.html#dhcp
     
  4. PBandJ

    PBandJ Networkin' Nut Member

    Just to clarify what puzzles me: The server-side .ovpn file generated contains this directive:
    Code:
    push "route 192.168.1.0 255.255.255.0"
    Now, if my brother's LAN is 192.168.1.0/24 then how does the OpenVPN client add this route, unless it's NAT-ing?
    See here (http://openvpn.net/howto.html#scope), under Including multiple machines on the client side when using a routed VPN (dev tun): Every subnet which is joined to the VPN via routing must be unique.
     
  5. kthaddock

    kthaddock Network Guru Member

    This should be different:
    push "dhcp-option DNS 192.168.2.1" one with ..2.1 and one 2.2
     
  6. PBandJ

    PBandJ Networkin' Nut Member

    Sorry, I should've posted the entire server-side configuration:
    Code:
    # Automatically generated configuration
    daemon
    server 10.8.0.0 255.255.255.0
    proto udp
    port 1194
    dev tun21
    cipher AES-256-CBC
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "route 192.168.1.0 255.255.255.0"
    push "dhcp-option DNS 192.168.1.1"
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status 
     
  7. kthaddock

    kthaddock Network Guru Member

    Server 192.168.2.1
    Client 192.168.2.2
    Subnet 255.255.255.0
     
  8. PBandJ

    PBandJ Networkin' Nut Member

    I'm not sure I understand what you're suggesting. The OpenVPN server, my new Asus RT-N16, has the IP address 192.168.1.1, has DHCP enabled and assigns addresses in the 192.168.1.0/24 subnet. There are a few machines here that *should* be accessible from the OpenVPN client side (PC, NAS).
    The Client PC's IP address is also dynamically allocated and in the 192.168.1.0/24 subnet range. That's the default on my brother's router (TP-Link 1043ND, if I'm not mistaken).

    If it's unclear, I'm using the CIDR notation, which is, in this case, the same as 255.255.255.0:
    http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
     
  9. kthaddock

    kthaddock Network Guru Member

    You don't need to worry about DHCP when you use TUN-UDP; it's a P-P network.
    Connect with the IP number to your NAS etc.
    - TAP device is a virtual ethernet adapter
    - TUN device is a virtual point-to-point IP link.
     
  10. PBandJ

    PBandJ Networkin' Nut Member

    OK, thanks.
     
  11. kthaddock

    kthaddock Network Guru Member

  12. PBandJ

    PBandJ Networkin' Nut Member

    If things get ugly and I decide to try a TAP interface, this will come in handy.
    Thank you!
     
  13. PBandJ

    PBandJ Networkin' Nut Member

  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    In case there's still confusion, I'll more directly answer your question: yes, each LAN should operate on a separate/distinct subnet (e.g., 192.168.0.0/24 and 192.168.1.0/24) when operating in TUN mode (which I recommend strongly over TAP unless you absolutely need TAP).
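    As an added example (not code from the thread or from the Tomato project), a small Python check that applies the rule above to a server config modelled on the one posted earlier: it pulls out every subnet OpenVPN will route (the tunnel pool from `server` and every pushed `route`) and flags any that overlap the client's own LAN. The client LAN values are assumptions chosen to show both the conflicting and the renumbered case.

```python
import ipaddress
import re

# Constructed sample config mirroring the server-side .ovpn posted above
# (not a live file); only the directives relevant to routing are kept.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
"""


def parse_routed_subnets(conf):
    """Return every subnet OpenVPN will route for this server: the tunnel
    address pool from 'server' plus each pushed 'route' directive."""
    nets = []
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r'server\s+(\S+)\s+(\S+)', line)
        if m:
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            continue
        m = re.match(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return nets


def conflicts(conf, client_lan):
    """List routed subnets that overlap the client's own LAN (assumed value).
    In TUN mode every subnet joined via routing must be unique, so any hit
    means the pushed route would collide with the client's local network."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [str(n) for n in parse_routed_subnets(conf) if n.overlaps(lan)]


if __name__ == "__main__":
    # Both ends on 192.168.1.0/24: the pushed route collides with the client LAN.
    print(conflicts(SERVER_CONF, "192.168.1.0/24"))
    # Client side renumbered to 192.168.2.0/24: nothing overlaps.
    print(conflicts(SERVER_CONF, "192.168.2.0/24"))
```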
     
  15. kthaddock

    kthaddock Network Guru Member

    Okay.
    Any tips to get network computers to show up in Network Places when using TUN-UDP/TCP?
     
  16. PBandJ

    PBandJ Networkin' Nut Member

    First: Can you ping across the TUN interface to a remote machine? Can you access computers directly using their UNC paths, like \\192.168.1.1\share-name?
    If so, you've "only" got a NetBIOS problem. It doesn't matter if you use TUN over UDP or TCP.
    It is, probably, related to the master browser election conflict.
    To see what's going on, use the nbtstat command to query the PCs on both sides of the TUN and check their name tables.
    To learn more about NetBIOS: http://en.wikipedia.org/wiki/NetBIOS#NetBIOS_name_vs_host_name
    More about nbtstat: http://technet.microsoft.com/en-us/library/cc940106.aspx. There's also a nice troubleshooting flowchart here: http://technet.microsoft.com/en-us/library/cc940110.aspx

    Good luck!
     