From: Ralph <ra...@de...> - 2004-05-25 17:35:30
On Tuesday 25 May 2004 11:38, martin wrote:
> hi,
>
> i have setup a openvpn-tunnel between two LANs. it all works pretty fine.
> but i'm wondering if there is a possibility (or a special trick) to include
> a tunnel from one LAN to the external ip-address of the other vpn-gateway. i
> would like to secure the mail-traffic, because this gateway is also the
> mail-server (yeah, i know, it's not recommended). anyway, i worked with
> freeswan before where you are able to build such tunnels between a LAN and
> an external interface (and even between two external interfaces). it seems
> to me that openvpn can't do this by design. is it possible at all?

did I get you right? this is your setup:

lan 1 -- openvpn-server1 -- INTERNET -- openvpn server2 / mailserver -- lan 2

and you want to access the mailserver on the openvpn server 2 from lan 1 over its public ip?

then you must only add the correct route entries on your openvpn-server1 (and maybe firewall forward rules). The trick is to use "source-based" routing, because you cannot simply add a normal static route on your openvpn server1 over the tunnel interface to the public ip of the server2. This would end with a broken setup for your whole openvpn connection and communication with the server2, because then you couldn't send the encrypted data (or any other data) over the internet to this public ip address of the server2, because you routed this traffic over the tunnel interface :)

For a simple source-based routing solution, here is a short howto :)

I don't know your public or private ip networks, so I use these; you can change them for your needs:

lan1 = 10.0.0.0/24
public ip openvpn server2 = 1.2.3.4
tunnel interface = tun0

you need the following steps to configure the source-based routing:

1) install the "iproute2" package for your distribution.

2) edit "/etc/iproute2/rt_table" and add the following line to the end:

200 lan2mailserver

3) type in the following commands:

# ip rule add from 10.0.0.0/24 lookup lan2mailserver
# ip route add 1.2.3.4 via tun0 table lan2mailserver
# ip route flush cache

4) try if it works... a traceroute from the lan1 to the public ip of the mailserver/openvpn server2 should do the trick. if not, see if you have the needed iptables forward rules. Also look on the openvpn server2 whether there is a firewall rule or something like that which could block the traffic.

It's hard to find good documentation for "iproute2", but it is definitely better than "ifconfig/route/arp" together, and it can coexist with the old tools very well. even mixing routes with the classical "route" and "ip route" is no problem.

A bit of documentation is at: http://snafu.freedom.org/linux2.2/iproute-notes.html

>
> tia
>
> martin

-- 
Ralph
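As an added example (not part of Ralph's post), a small POSIX sh helper that renders the same three iproute2 steps from variables and refuses the one misconfiguration the post warns about: a source range that also covers the WAN address OpenVPN itself sends from, which would push the encrypted UDP into tun0 and break the tunnel. It assumes the table list lives in /etc/iproute2/rt_tables (the file name on current systems), uses `dev tun0` in place of `via tun0` because `via` expects a next-hop address and tun0 is a point-to-point device, and takes a constructed WAN address 203.0.113.10 as its default.

```shell
#!/bin/sh
# Added example, not from the post: render the source-based routing steps
# and refuse the one misconfiguration that would break the tunnel itself.
# Assumed: rt_tables path, "dev" instead of "via" for the p2p tun device.
set -eu

LAN1_NET="${LAN1_NET:-10.0.0.0/24}"              # post's lan1
PEER_IP="${PEER_IP:-1.2.3.4}"                    # post's openvpn server2
TUN_DEV="${TUN_DEV:-tun0}"
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-lan2mailserver}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"  # assumed file name

# Dotted quad -> integer, so prefix math works in plain sh.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed when IP lies inside the CIDR range NET.
in_net() { # in_net IP NET
  bits="${2#*/}"
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# The rule keys on *source* address only. If the range also covers the WAN
# address OpenVPN sends from, its UDP is pushed into tun0 and never arrives.
check_sources() { # check_sources WAN_IP
  if in_net "$1" "$LAN1_NET"; then
    echo "refusing: WAN address $1 lies inside $LAN1_NET" >&2
    return 1
  fi
  if in_net "$PEER_IP" "$LAN1_NET"; then
    echo "refusing: peer $PEER_IP lies inside $LAN1_NET" >&2
    return 1
  fi
}

# Print the commands rather than run them; review, then pipe to sh as root.
render_commands() {
  printf '%s\n' \
    "grep -q '^$TABLE_ID $TABLE_NAME\$' $RT_TABLES || echo '$TABLE_ID $TABLE_NAME' >> $RT_TABLES" \
    "ip rule add from $LAN1_NET lookup $TABLE_NAME" \
    "ip route add $PEER_IP dev $TUN_DEV table $TABLE_NAME" \
    "ip route flush cache"
}
check_sources "${WAN_IP:-203.0.113.10}" && render_commands   # constructed WAN address
```

After applying, `ip route get 1.2.3.4 from 10.0.0.5 iif eth0` (assumed LAN interface) should show tun0, while a plain `ip route get 1.2.3.4` from the server itself must still show the WAN device.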