From: Davide B. <da...@gm...> - 2009-10-31 21:01:24
On Saturday 31 October 2009, William McMahon wrote:
> The overall goal of this project is to create a LAN environment for PC
> gaming - I know, childish; but we all enjoy our down time. Through reading
> the how-tos I've deduced that I need to create a bridged VPN (to allow
> broadcasts). I hope to use the server as a client as well; so here is my
> topology... more or less.

Ok, if you need to broadcast to the VPN then you need bridging (but first
make extra sure that you *really* need to broadcast, and that there is no
way around it). Then, carefully consider the impact of the VPN on the
network traffic. Bridged VPNs need more bandwidth, and if you have more
than a few nodes in the VPN, each producing a lot of traffic (as is likely
for a gaming network), then you might have problems.

> Server behind a router under the subnet 192.168.1.0/24. Server is equipped
> with one network interface card that receives an IP of 192.168.1.108. When
> I bridge this interface with the TAP adapter the bridge receives an
> interface with 192.168.1.114.
>
> I've decided that the VPN will operate under the subnet 10.0.8.0/24. My
> understanding is that the following configuration command:
>
>   server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
>
> will allocate 10.8.0.4 to the server's tap adapter and reserve the pool
> 10.8.0.50-10.8.0.100 to the connecting clients.

No, it won't allocate any address to the server's tap adapter. To do that,
you need to add an explicit ifconfig statement to the server config, for
example

  ifconfig 10.0.8.4 255.255.255.0

Of course, that address must not be part of the pool of addresses you push
to clients, but it seems you've got it right since the pool starts from .50,
so no problems.

Now that I finally understand what you want to do, you don't even need a
bridge on the server.
Your confusion probably comes from the fact that most bridge-mode tutorials
are focused on the classical "give access to the LAN" scenario, which
usually requires the setup I mentioned at the end of my last email. In your
case, you will just create an independent (virtual) Ethernet network; each
node will have a tap interface that will be part of that network. No actual
bridging with physical interfaces should be needed.

> Now I am assuming that most of my clients are also behind their local subnet
> 192.168.1.0/24 or 192.168.0.0/24 (since those are the most commonly used
> home LANs). When the client connects to the VPN using OpenVPN I am
> assuming their TAP adapter is receiving a 10.8.0.0/24 address within the
> range .50-.100 and through trials I have verified this assumption (one of
> the remote clients received an IP of 10.8.0.50).

Correct. I suggest you use an even more esoteric IP range, like
10.219.175.0/24 or similar, to further minimize the chances of collisions
with local client networks.

> My hope then is if the server were to host a LAN game all clients connected
> to the VPN would be able to connect. Similarly if a client were to host a
> LAN game all clients connected to the VPN plus the server would be able to
> connect. My question is then: is this possible?

Yes it is.

> Am I going about this in the right way?

Not really, in that you don't need a bridge interface on the server.
You need something like this:

  local 192.168.1.108
  port 1194
  proto udp
  dev tap
  mode server
  tls-server
  ifconfig 10.219.175.1 255.255.255.0
  ifconfig-pool 10.219.175.2 10.219.175.254 255.255.255.0
  client-to-client    # to allow clients to see each other
  # plus the rest of the config here

The above assumes you use my suggested IP range (you can use another one of
course), and that clients will connect using UDP to 192.168.1.108:1194
(you'll need a way to send the client traffic there of course, so clients
most likely will connect to some a.b.c.d:1194 public IP, and the router will
do a DNAT to the 192.168.1.108 address; it seems that you're already able to
do that).

> If this is possible, would the server need to be running its gaming server
> on its 192.168.1.0/24 IP? or on its 10.8.0.0/24 IP? Will both destinations
> be reachable by the clients?

The server will run its gaming service on the VPN address, i.e. 10.219.175.1.
That is all the gaming clients need to know.

> If both destinations are reachable then wouldn't this create IP conflicts if
> say one of my clients had 192.168.1.114 as the IP assigned to their Ethernet
> interface? Or should I just give up and move on with my life :P

The clients need not even know that the server has a 192.168.something
interface. They only need the router's external IP address so they can
start the VPN, and when the VPN is up the gaming application only needs to
know the 10.219. address of the server, where the gaming server is running.

A suggestion for the future: always start by explaining what your goal is
and what you're trying to do as fully as possible. This makes life easier
for people who want to help you because they have clear information
(instead of having to guess), and it also speeds up things a lot; had you
included the above explanation in your very first email, the whole process
would have been much quicker, and you'd have got a useful answer immediately.

Hope that helps.

-- 
D.
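The reply above spells out three invariants for a tap-mode OpenVPN server that runs its own virtual Ethernet segment: the server's tap interface needs an explicit `ifconfig` address (a bare `server-bridge` line does not give it one), that address must lie outside the `ifconfig-pool` range handed to clients, and the VPN subnet should not overlap the subnets the clients' home LANs are likely to use. The following Python checker, added here as an illustration and not part of the original thread, parses a server config in the flat `directive args...` form used in the reply and reports violations of those invariants. The sample config embedded in it is the one suggested in the reply; the list of "common home LAN" subnets is an assumption of this example and should be extended to match the networks your own clients sit on.

```python
"""Sanity-check a tap-mode OpenVPN server config (added example, not from the thread)."""

import ipaddress

# Subnets consumer routers commonly hand out by default. This list is an
# assumption of the example; extend it with whatever your clients actually use.
COMMON_HOME_LANS = [
    ipaddress.ip_network(n)
    for n in ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
              "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24")
]

# Constructed sample: the tap-mode server config suggested in the reply above.
SERVER_CONF = """\
local 192.168.1.108
port 1194
proto udp
dev tap
mode server
tls-server
ifconfig 10.219.175.1 255.255.255.0
ifconfig-pool 10.219.175.2 10.219.175.254 255.255.255.0
client-to-client   # to allow clients to see each other
"""


def parse_openvpn(text):
    """Map each directive to its argument list (last occurrence wins).

    Handles the flat `keyword args...` lines used here; it does not parse
    inline <ca>...</ca> style blocks, which this check does not need.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            directive, *args = line.split()
            cfg[directive] = args
    return cfg


def check_tap_server(text, home_lans=COMMON_HOME_LANS):
    """Return a list of problems found; an empty list means the config is sane."""
    cfg = parse_openvpn(text)
    problems = []

    if not cfg.get("dev", [""])[0].startswith("tap"):
        problems.append("dev must be tap (layer 2) for broadcasts to cross the VPN")

    if "server-bridge" in cfg:
        problems.append("server-bridge is unnecessary without a physical bridge; "
                        "use ifconfig + ifconfig-pool instead")

    # The server's own tap address comes only from an explicit ifconfig line.
    if len(cfg.get("ifconfig", [])) != 2:
        problems.append("server tap has no address: add 'ifconfig <ip> <netmask>'")
        return problems  # nothing below can be checked without it
    server_if = ipaddress.ip_interface("{}/{}".format(*cfg["ifconfig"]))
    vpn_net = server_if.network

    pool = cfg.get("ifconfig-pool", [])
    if len(pool) < 2:
        problems.append("no ifconfig-pool: clients will not be assigned an address")
    else:
        start, end = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
        if start not in vpn_net or end not in vpn_net:
            problems.append("ifconfig-pool range lies outside the server subnet %s" % vpn_net)
        if start <= server_if.ip <= end:
            problems.append("server address %s lies inside the client pool" % server_if.ip)
        if len(pool) > 2:
            pool_prefix = ipaddress.ip_network("%s/%s" % (pool[0], pool[2]), strict=False).prefixlen
            if pool_prefix != vpn_net.prefixlen:
                problems.append("ifconfig-pool netmask differs from the ifconfig netmask")

    # A VPN subnet that overlaps a client's home LAN breaks routing for that client.
    for lan in home_lans:
        if vpn_net.overlaps(lan):
            problems.append("VPN subnet %s overlaps common home LAN %s; "
                            "pick a more obscure range" % (vpn_net, lan))

    if "client-to-client" not in cfg:
        problems.append("without client-to-client, clients reach the server but not each other")
    return problems


if __name__ == "__main__":
    for line in check_tap_server(SERVER_CONF) or ["OK: no problems found"]:
        print(line)
```

Run it against your own server config by passing the file contents to `check_tap_server`; the home-LAN overlap check is the one most worth keeping current, since a client sitting on the same subnet as the VPN will fail silently rather than with a useful error.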