Re: openvpn question

2013-10-24 Thread Zenaan Harkness
On 10/25/13, Gregory Nowak wrote: > This is an update to the thread originally started at: > > > To recap briefly though, I ended up using NAT to route a public > address from my /29 subnet on my VPS to a private IP address > assigned to

Re: openvpn question

2013-10-24 Thread Gregory Nowak
Hi all. This is an update to the thread originally started at: I won't give a summary here, the above URL can give the full story. To recap briefly though, I ended up using NAT to route a public address from my /29 subnet on my VPS to a

Re: openvpn question

2013-08-25 Thread Gregory Nowak
Ok. In case others besides Zenaan are interested, here is what I did to get openvpn going, and to allow my laptop to get a public IP address through openvpn from the /29 block of public addresses allocated to me from my VPS provider. This setup works for my needs, your mileage may vary as they say.

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Sat, Aug 24, 2013 at 12:57:18PM +1000, Zenaan Harkness wrote: > Yes please! BUT: probably sanitize (obfuscate) your public, and > isp-provided, ip addresses, if there is any likelihood of the > existence of your particular VPN being of interest to an adversary. Of course. I'll probably do that

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Sat, Aug 24, 2013 at 12:48:26PM +1000, Zenaan Harkness wrote: > Bob, your link http://shorewall.net/ProxyARP.htm is > great! Easy to read. Yes, I meant to mention that. It does a good job of providing a general explanation of proxy ARP indeed. Greg -- web site: http://www.gregn..net gpg pub

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Sat, Aug 24, 2013 at 12:44:28PM +1000, Zenaan Harkness wrote: > Whether or not using proxy arp, I recommend using tap device. I > believe there is a little more overhead with tun (higher in the > stack), _especially_ given you want to forward everything, ie DNAT and > SNAT. tun buys nothing but

Re: openvpn question

2013-08-23 Thread Zenaan Harkness
On 8/24/13, Gregory Nowak wrote: > As I already said, everything is working. The problem is solved. If > there is interest, I can paste the openvpn configs from server/client, > and the interfaces file with relevant iptables rules from the server > to show how I'm doing what I'm doing. Thanks agai

Re: openvpn question

2013-08-23 Thread Zenaan Harkness
On 8/24/13, Zenaan Harkness wrote: > On 8/24/13, Bob Proulx wrote: >> Right. Which does not have anything to do with the way proxy arp is >> set up. >> >>> I thought this over again with my brain fresher in the afternoon than >>> it was last night, and you are right, it would work in this situat

Re: openvpn question

2013-08-23 Thread Zenaan Harkness
On 8/24/13, Bob Proulx wrote: > Gregory Nowak wrote: >> Bob Proulx wrote: >> > The device will still have an ethernet address whether you assigned >> > one to it or not. It is not necessary for you to assign one since one >> > has already been assigned by default. (From the vendor. Or in the >>

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Fri, Aug 23, 2013 at 04:54:46PM -0600, Bob Proulx wrote: > Uhm... Yes. > > > # ifconfig tun0 > > tun0 Link encap:UNSPEC HWaddr > > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 > > Silly bear! That is the tun device. Never tunnel the tun device. > > > The above is from the VPS, with

Re: openvpn question

2013-08-23 Thread Bob Proulx
Gregory Nowak wrote: > Bob Proulx wrote: > > The device will still have an ethernet address whether you assigned > > one to it or not. It is not necessary for you to assign one since one > > has already been assigned by default. (From the vendor. Or in the > > case of virtual hardware from the s

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Fri, Aug 23, 2013 at 11:16:12AM -0600, Bob Proulx wrote: > The device will still have an ethernet address whether you assigned > one to it or not. It is not necessary for you to assign one since one > has already been assigned by default. (From the vendor. Or in the > case of virtual hardware

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Fri, Aug 23, 2013 at 12:36:58PM +, Bonno Bloksma wrote: > I have been following this and I think it is getting clear what you are doing > but I have lost what the problem is we are trying to resolve. > > If I understand it right your setup is something like: > > VPS has network 1.2.3.0/24

Re: openvpn question

2013-08-23 Thread Bob Proulx
Gregory Nowak wrote: > In addition to this, I have iptables rules using the nat table, > which take traffic which has the laptop's public address as > destination, and do DNAT on it, changing the destination address to > be the laptop's private address. I also have a rule doing the > reverse. This

RE: openvpn question

2013-08-23 Thread Bonno Bloksma
Hi Gregory, > Gregory Nowak wrote: >>> The public address assigned to the laptop would actually be >>> configured on the VPS, >> >> Hmm... No. Sorry. Doesn't make sense. The public address assigned >> to the laptop would probably be yet another private address behind a >> NAT somewhere. >

Re: openvpn question

2013-08-22 Thread Gregory Nowak
On Thu, Aug 22, 2013 at 04:16:13PM -0600, Bob Proulx wrote: > Gregory Nowak wrote: > > The public address assigned to the laptop would actually be > > configured on the VPS, > > Hmm... No. Sorry. Doesn't make sense. The public address assigned > to the laptop would probably be yet another priva

Re: openvpn question

2013-08-22 Thread Bob Proulx
Gregory Nowak wrote: > Yes. So from all this, what I said still stands. The laptop would get > a private address from the VPN. Yes. > The public address assigned to the laptop would actually be > configured on the VPS, Hmm... No. Sorry. Doesn't make sense. The public address assigned to the l

Re: openvpn question

2013-08-19 Thread Gregory Nowak
On Mon, Aug 19, 2013 at 06:27:58PM +1000, Zenaan Harkness wrote: > Read again this part of the OpenVPN man page which you pasted: > "the proper usage of --ifconfig is to use two private > IP addresses which are not a member of any existing > subnet which is in use" > > Notice "two private IP addr

Re: openvpn question

2013-08-19 Thread Zenaan Harkness
On 8/19/13, Gregory Nowak wrote: > On Mon, Aug 19, 2013 at 01:07:06PM +1000, Zenaan Harkness wrote: > I wrote: >> > actually want is to give one ip address out of that /29 to the >> > laptop. The laptop is an endpoint in itself. It doesn't have any other >> >> You need to question yourself, imagin

Re: openvpn question

2013-08-18 Thread Gregory Nowak
On Mon, Aug 19, 2013 at 01:07:06PM +1000, Zenaan Harkness wrote: I wrote: > > actually want is to give one ip address out of that /29 to the > > laptop. The laptop is an endpoint in itself. It doesn't have any other > > You need to question yourself, imagine an isolated network of three computers:

Re: openvpn question

2013-08-18 Thread Zenaan Harkness
On 8/19/13, Gregory Nowak wrote: > On Mon, Aug 19, 2013 at 10:26:14AM +1000, Zenaan Harkness wrote: >> The key I think is the word "routable" which you use. > > Yes, exactly. > >> After a successful VPN setup, your VPS becomes analogous to your home >> internet modem router - the router has a publ

Re: openvpn question

2013-08-18 Thread Gregory Nowak
On Mon, Aug 19, 2013 at 10:26:14AM +1000, Zenaan Harkness wrote: > The key I think is the word "routable" which you use. Yes, exactly. > > After a successful VPN setup, your VPS becomes analogous to your home > internet modem router - the router has a public address dedicated to > _all_ of your

Re: openvpn question

2013-08-18 Thread Zenaan Harkness
Sometimes it is easy to be unintentionally ambiguous. I shall clarify a couple things below... On 8/19/13, Zenaan Harkness wrote: > On 8/19/13, Gregory Nowak wrote: >> On Sun, Aug 18, 2013 at 04:29:16PM -0600, Bob Proulx wrote: >>> Your vpn will be connected to the public address. It will estab

Re: openvpn question

2013-08-18 Thread Zenaan Harkness
On 8/19/13, Gregory Nowak wrote: > On Sun, Aug 18, 2013 at 04:29:16PM -0600, Bob Proulx wrote: >> Your vpn will be connected to the public address. It will establish a >> private address for the encrypted traffic. > > Yes, except that it's a public address I'm actually after. More below. > > I wr

Re: openvpn question

2013-08-18 Thread Gregory Nowak
On Sun, Aug 18, 2013 at 04:29:16PM -0600, Bob Proulx wrote: > Your vpn will be connected to the public address. It will establish a > private address for the encrypted traffic. Yes, except that it's a public address I'm actually after. More below. I wrote: > > I want to have the ability to conne

Re: openvpn question

2013-08-18 Thread Bob Proulx
Gregory Nowak wrote: > Since attempting to establish an ipsec connection is one of the two > things so far that crashes my VPS (earlier thread on this > list), Ouch! > I've been looking at other alternatives for possible > workarounds. Let me back up, and describe what I want to do. > I have a pu