Subject: Re: tap(4) + bridge(4) + OpenVPN advice sought
To: None <tech-net@netbsd.org>
From: Tom Ivar Helbekkmo <tih@eunetnorge.no>
List: tech-net
Date: 07/11/2005 17:09:23
Sean Davis <dive-nb@endersgame.net> writes:
> I've got a server hosted in the datacenter at which I work, and I would like
> to bridge it (over an encrypted vpn, of course), into my home LAN. At the
> moment, my main thought is to use OpenVPN, bridge(4) and tap(4), but I've
> never done this before, so I'm looking for suggestions. The server at home
> that will be running the home side of the bridge is running NetBSD 3.99.7,
> and the server at work is running Debian 3.1.
I like to use an OpenVPN tunnel for this sort of thing, using proxy
arp to place the remote system on the local network. Here's what I
do (my home net is 193.71.27.0/27, the OpenVPN server is at .5, and
the client is given .9):
On my home network, I run an OpenVPN with this configuration (well, a
more complicated one, actually, but this is the basic stuff you need):
daemon
dev tun
proto udp
local 193.71.27.5
ifconfig 172.27.101.1 193.71.27.9
up /usr/local/etc/openvpn.up
The script "openvpn.up" sets up the proxy arp for the client:
#!/bin/sh
case $6 in
init)
/usr/sbin/arp -s 193.71.27.9 00:a0:c9:b6:e1:9d pub
;;
esac
exit 0
The MAC level address shown is the one actually on the host system.
On the client, the configuration looks like this:
daemon
dev tun
proto udp
remote 193.71.27.5
ifconfig 193.71.27.9 172.27.101.1
up /usr/pkg/etc/openvpn.up
...and openvpn.up sets up the network route for the client -- a host
route for the OpenVPN gateway through the real, local, gateway, and a
network route for the rest of my home network through the tunnel:
#!/bin/sh
case $6 in
init)
/sbin/route add 193.71.27.5/32 193.71.2.1
/sbin/route add 193.71.27.0/27 172.27.101.1
;;
esac
exit 0
Works for me. :-)
-tih
--
Don't ascribe to stupidity what can be adequately explained by ignorance.