Re: openvpn question

2013-10-24 Thread Zenaan Harkness
On 10/25/13, Gregory Nowak wrote: > This is an update to the thread originally started at: > > > To recap briefly though, I ended up using NAT to route a public > address from my /29 subnet on my VPS to a private IP address > assigned to

Re: openvpn question

2013-10-24 Thread Gregory Nowak
Hi all. This is an update to the thread originally started at: I won't give a summary here, the above URL can give the full story. To recap briefly though, I ended up using NAT to route a public address from my /29 subnet on my VPS to a

Re: openvpn question

2013-08-25 Thread Gregory Nowak
Ok. In case others besides Zenaan are interested, here is what I did to get openvpn going, and to allow my laptop to get a public IP address through openvpn from the /29 block of public addresses allocated to me from my VPS provider. This setup works for my needs, your mileage may vary as they say.

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Sat, Aug 24, 2013 at 12:57:18PM +1000, Zenaan Harkness wrote: > Yes please! BUT: probably sanitize (obfuscate) your public, and > isp-provided, ip addresses, if there is any likelihood of the > existence of your particular VPN being of interest to an adversary. Of course. I'll probably do that

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Sat, Aug 24, 2013 at 12:48:26PM +1000, Zenaan Harkness wrote: > Bob, your link http://shorewall.net/ProxyARP.htm is > great! Easy to read. Yes, I meant to mention that. It does a good job of providing a general explanation of proxy ARP indeed. Greg -- web site: http://www.gregn..net gpg pub

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Sat, Aug 24, 2013 at 12:44:28PM +1000, Zenaan Harkness wrote: > Whether or not using proxy arp, I recommend using tap device. I > believe there is a little more overhead with tun (higher in the > stack), _especially_ given you want to forward everything, ie DNAT and > SNAT. tun buys nothing but

Re: openvpn question

2013-08-23 Thread Zenaan Harkness
On 8/24/13, Gregory Nowak wrote: > As I already said, everything is working. The problem is solved. If > there is interest, I can paste the openvpn configs from server/client, > and the interfaces file with relevant iptables rules from the server > to show how I'm doing what I'm doing. Thanks agai

Re: openvpn question

2013-08-23 Thread Zenaan Harkness
On 8/24/13, Zenaan Harkness wrote: > On 8/24/13, Bob Proulx wrote: >> Right. Which does not have anything to do with the way proxy arp is >> set up. >> >>> I thought this over again with my brain fresher in the afternoon than >>> it was last night, and you are right, it would work in this situat

Re: openvpn question

2013-08-23 Thread Zenaan Harkness
On 8/24/13, Bob Proulx wrote: > Gregory Nowak wrote: >> Bob Proulx wrote: >> > The device will still have an ethernet address whether you assigned >> > one to it or not. It is not necessary for you to assign one since one >> > has already been assigned by default. (From the vendor. Or in the >>

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Fri, Aug 23, 2013 at 04:54:46PM -0600, Bob Proulx wrote: > Uhm... Yes. > > > # ifconfig tun0 > > tun0 Link encap:UNSPEC HWaddr > > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 > > Silly bear! That is the tun device. Never tunnel the tun device. > > > The above is from the VPS, with

Re: openvpn question

2013-08-23 Thread Bob Proulx
Gregory Nowak wrote: > Bob Proulx wrote: > > The device will still have an ethernet address whether you assigned > > one to it or not. It is not necessary for you to assign one since one > > has already been assigned by default. (From the vendor. Or in the > > case of virtual hardware from the s

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Fri, Aug 23, 2013 at 11:16:12AM -0600, Bob Proulx wrote: > The device will still have an ethernet address whether you assigned > one to it or not. It is not necessary for you to assign one since one > has already been assigned by default. (From the vendor. Or in the > case of virtual hardware

Re: openvpn question

2013-08-23 Thread Gregory Nowak
On Fri, Aug 23, 2013 at 12:36:58PM +, Bonno Bloksma wrote: > I have been following this and I think it is getting clear what you are doing > but I have lost what the problem is we are trying to resolve. > > If I understand it right your setup is something like: > > VPS has network 1.2.3.0/24

Re: openvpn question

2013-08-23 Thread Bob Proulx
Gregory Nowak wrote: > In addition to this, I have iptables rules using the nat table, > which take traffic which has the laptop's public address as > destination, and do DNAT on it, changing the destination address to > be the laptop's private address. I also have a rule doing the > reverse. This

RE: openvpn question

2013-08-23 Thread Bonno Bloksma
Hi Gregory, > Gregory Nowak wrote: >>> The public address assigned to the laptop would actually be >>> configured on the VPS, >> >> Hmm... No. Sorry. Doesn't make sense. The public address assigned >> to the laptop would probably be yet another private address behind a >> NAT somewhere. >

Re: openvpn question

2013-08-22 Thread Gregory Nowak
On Thu, Aug 22, 2013 at 04:16:13PM -0600, Bob Proulx wrote: > Gregory Nowak wrote: > > The public address assigned to the laptop would actually be > > configured on the VPS, > > Hmm... No. Sorry. Doesn't make sense. The public address assigned > to the laptop would probably be yet another priva

Re: openvpn question

2013-08-22 Thread Bob Proulx
Gregory Nowak wrote: > Yes. So from all this, what I said still stands. The laptop would get > a private address from the VPN. Yes. > The public address assigned to the laptop would actually be > configured on the VPS, Hmm... No. Sorry. Doesn't make sense. The public address assigned to the l

Re: openvpn question

2013-08-19 Thread Gregory Nowak
On Mon, Aug 19, 2013 at 06:27:58PM +1000, Zenaan Harkness wrote: > Read again this part of the OpenVPN man page which you pasted: > "the proper usage of --ifconfig is to use two private > IP addresses which are not a member of any existing > subnet which is in use" > > Notice "two private IP addr

Re: openvpn question

2013-08-19 Thread Zenaan Harkness
On 8/19/13, Gregory Nowak wrote: > On Mon, Aug 19, 2013 at 01:07:06PM +1000, Zenaan Harkness wrote: > I wrote: >> > actually want is to give one ip address out of that /29 to the >> > laptop. The laptop is an endpoint in itself. It doesn't have any other >> >> You need to question yourself, imagin

Re: openvpn question

2013-08-18 Thread Gregory Nowak
On Mon, Aug 19, 2013 at 01:07:06PM +1000, Zenaan Harkness wrote: I wrote: > > actually want is to give one ip address out of that /29 to the > > laptop. The laptop is an endpoint in itself. It doesn't have any other > > You need to question yourself, imagine an isolated network of three computers:

Re: openvpn question

2013-08-18 Thread Zenaan Harkness
On 8/19/13, Gregory Nowak wrote: > On Mon, Aug 19, 2013 at 10:26:14AM +1000, Zenaan Harkness wrote: >> The key I think is the word "routable" which you use. > > Yes, exactly. > >> After a successful VPN setup, your VPS becomes analogous to your home >> internet modem router - the router has a publ

Re: openvpn question

2013-08-18 Thread Gregory Nowak
On Mon, Aug 19, 2013 at 10:26:14AM +1000, Zenaan Harkness wrote: > The key I think is the word "routable" which you use. Yes, exactly. > > After a successful VPN setup, your VPS becomes analogous to your home > internet modem router - the router has a public address dedicated to > _all_ of your

Re: openvpn question

2013-08-18 Thread Zenaan Harkness
Sometimes it is easy to be unintentionally ambiguous. I shall clarify a couple things below... On 8/19/13, Zenaan Harkness wrote: > On 8/19/13, Gregory Nowak wrote: >> On Sun, Aug 18, 2013 at 04:29:16PM -0600, Bob Proulx wrote: >>> Your vpn will be connected to the public address. It will estab

Re: openvpn question

2013-08-18 Thread Zenaan Harkness
On 8/19/13, Gregory Nowak wrote: > On Sun, Aug 18, 2013 at 04:29:16PM -0600, Bob Proulx wrote: >> Your vpn will be connected to the public address. It will establish a >> private address for the encrypted traffic. > > Yes, except that it's a public address I'm actually after. More below. > > I wr

Re: openvpn question

2013-08-18 Thread Gregory Nowak
On Sun, Aug 18, 2013 at 04:29:16PM -0600, Bob Proulx wrote: > Your vpn will be connected to the public address. It will establish a > private address for the encrypted traffic. Yes, except that it's a public address I'm actually after. More below. I wrote: > > I want to have the ability to conne

Re: openvpn question

2013-08-18 Thread Bob Proulx
Gregory Nowak wrote: > Since attempting to establish an ipsec connection is one of the two > things so far that crashes my VPS (earlier thread on this > list), Ouch! > I've been looking at other alternatives for possible > workarounds. Let me back up, and describe what I want to do. > I have a pu

openvpn question

2013-08-18 Thread Gregory Nowak
Hi all. Since attempting to establish an ipsec connection is one of the two things so far that crashes my VPS (earlier thread on this list), I've been looking at other alternatives for possible workarounds. Let me back up, and describe what I want to do. I have a publicly routable /29 subnet with