Hi Dave,

On 08/04/2014 02:49 PM, davidg12...@fast-email.com wrote:

>>>     Internet
>>>         |
>>>         |
>>>         |   ext: A.B.C.D
>>>     Router/Firewall + OpenVPN Server
>>>         |   tun: 10.99.99.1
>>>         |   int: 10.0.0.1
>>>         |
>>>         |
>>>         |   ext: X.Y.Z.W
>>>     Router/Firewall + OpenVPN Client
>>>         |   tun: 10.99.99.2
>>>         |   int: 192.168.0.1
>>>         |   int: 10.10.10.1
>>>         |
>>>         |--------------------------
>>>         |                         |
>>>     MyDesktop                  OtherPCs
>>>      192.168.0.2                (192.168.0.3+/24)
>>>      10.10.10.2

> ...

>> I assume you have added this line to your OpenVPN client config, right?
>>
>>       route 8.8.8.8 255.255.255.255
>
> Hm.  That one's confusing.  Well, ALL of this which-goes-where is to me.
>
> IIUC -- and maybe I don't -- that route would cause a route to be created on 
> the Client OS that would send ALL traffic from the Client, not just from 
> MyDesktop's 10.10.10.2 source address.  No?
>
> Would that route need to be set ON the client's OpenVPN config?  Or as an 
> iroute in the Server's ccd/client config?

If I understand you right, you are trying to ping
google-public-dns-a.google.com (8.8.8.8) using the router with external 
IP A.B.C.D, right?

Could it be that you are thinking the router looks for the _source_ IP 
address rather than for the _destination_ in the routing table?

So, how does it work in your example?

(1)  "MyDesktop" looks into its own routing table first to see where
      (which interface and gw) to send the Ethernet[*] frame to.
      Probably that's the default route (gw: 192.168.0.1)

(2)  The router X.Y.Z.W receives that IP packet (with source
      IP 10.10.10.2 and destination IP 8.8.8.8).

(3a) The router is configured to forward that message, as 8.8.8.8 is
      none of its own IP addresses.
      It looks into the routing table and sends the packet further to
      the next hop of the route that matches 8.8.8.8.
      If there is no other route than "default" (0.0.0.0/0) it sends it
      to "the internet" using source IP X.Y.Z.W and destination
      IP 8.8.8.8.
      Using 10.10.10.2 as the source address on the "internet" link would
      technically work, but your ISP would drop/reject that packet,
      because RFC1918 addresses cannot work on the internet.
      Thus, your router does source NAT/MASQ in order to create
      a routable packet.

(3b) If the router X.Y.Z.W has a route that matches 8.8.8.8 and has
      the OpenVPN server as the next hop (i.e. 10.99.99.1), it would send
      the packet (probably w/o doing SNAT/MASQ) over the VPN to the
      router A.B.C.D.

(4)  The router A.B.C.D would - based on its routing table - send
      the packet to the internet link.

      Whether that packet can reach Google would depend on the SNAT/MASQ
      setting of router A.B.C.D.
      For instance, if that router applies NAT only to packets with a
      source address of the local LAN segment you would need to change
      it. On Linux that can be done using iptables.

[*]  Ethernet is just an example.

HTH,
Mathias.
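The steps (1) to (4) above can be played through in a small simulation. The following is an added example, not code from Mathias's mail or from OpenVPN: it models each router as a routing table that is consulted on the destination address only, plus a list of source networks that get SNAT/MASQ'd when a packet leaves via the WAN link. The public addresses are constructed placeholders (198.51.100.2 stands in for X.Y.Z.W, 203.0.113.1 for A.B.C.D, both from the documentation ranges), and the "ISP drops RFC1918 source" rule is the simulation's stand-in for the ISP's filtering, not real kernel behaviour. The three scenario functions correspond to (3a) default route only, (3b) with a host route over the tun and NAT on A.B.C.D restricted to its own LAN, and (3b)/(4) after the NAT rule on A.B.C.D has been widened to cover the VPN client's networks.

```python
"""Simulate destination-based routing and SNAT for the topology in the thread."""
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a private (RFC1918) address; an ISP will not forward these."""
    return any(ipaddress.ip_address(addr) in n for n in RFC1918)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix this route matches
    dev: str                       # outgoing interface: "wan", "tun0" or "lan"
    via: str = ""                  # next hop; empty for directly connected / default-on-wan


@dataclass
class Router:
    name: str
    wan_ip: str          # constructed placeholder public address
    routes: list
    nat_sources: list    # source networks that get SNAT/MASQ'd when leaving via "wan"


def lookup(routes, dst):
    """Longest-prefix match on the DESTINATION address; the source is never consulted."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(router, src, dst, log):
    """One router's decision: ('internet', src as seen by ISP), ('dropped', why) or ('tun0', next hop)."""
    r = lookup(router.routes, dst)
    if r is None:
        log.append(f"{router.name}: no route to {dst}")
        return ("dropped", "no route")
    log.append(f"{router.name}: {dst} matches {r.prefix} -> dev {r.dev} via {r.via or '-'}")
    if r.dev == "wan":
        if any(ipaddress.ip_address(src) in n for n in router.nat_sources):
            log.append(f"{router.name}: SNAT {src} -> {router.wan_ip}")
            src = router.wan_ip
        if is_rfc1918(src):
            log.append(f"ISP: drops packet with RFC1918 source {src}")
            return ("dropped", f"rfc1918 source {src}")
        return ("internet", src)
    return (r.dev, r.via)


def trace(routers, src, dst):
    """Follow a packet from MyDesktop's router through the VPN; returns (outcome, hop log)."""
    log = []
    current = routers["client"]
    while True:
        outcome = forward(current, src, dst, log)
        if outcome[0] != "tun0":
            return outcome, log
        current = routers["server"]  # tun next hop 10.99.99.1 is the OpenVPN server


# Client router X.Y.Z.W: LANs 192.168.0.0/24 and 10.10.10.0/24, tun 10.99.99.0/24, default via WAN.
CLIENT_DEFAULT_ONLY = [
    Route(net("0.0.0.0/0"), "wan"),
    Route(net("192.168.0.0/24"), "lan"),
    Route(net("10.10.10.0/24"), "lan"),
    Route(net("10.99.99.0/24"), "tun0"),
]
# Same, plus the host route that "route 8.8.8.8 255.255.255.255" in the client config produces.
CLIENT_WITH_VPN_ROUTE = CLIENT_DEFAULT_ONLY + [Route(net("8.8.8.8/32"), "tun0", via="10.99.99.1")]
SERVER_ROUTES = [
    Route(net("0.0.0.0/0"), "wan"),
    Route(net("10.0.0.0/24"), "lan"),
    Route(net("10.99.99.0/24"), "tun0"),
]


def build(client_routes, server_nat_sources):
    return {
        "client": Router("X.Y.Z.W", "198.51.100.2", client_routes,
                         [net("192.168.0.0/24"), net("10.10.10.0/24")]),
        "server": Router("A.B.C.D", "203.0.113.1", SERVER_ROUTES, server_nat_sources),
    }


def scenario_3a():
    """No VPN route: X.Y.Z.W masquerades and sends the packet out its own WAN."""
    return trace(build(CLIENT_DEFAULT_ONLY, [net("10.0.0.0/24")]), "10.10.10.2", "8.8.8.8")


def scenario_3b_lan_only_nat():
    """VPN route present, but A.B.C.D only NATs its own LAN: the ISP sees 10.10.10.2 and drops it."""
    return trace(build(CLIENT_WITH_VPN_ROUTE, [net("10.0.0.0/24")]), "10.10.10.2", "8.8.8.8")


def scenario_3b_fixed_nat():
    """A.B.C.D's NAT rule widened to the client's network: packet leaves as 203.0.113.1."""
    return trace(build(CLIENT_WITH_VPN_ROUTE, [net("10.0.0.0/24"), net("10.10.10.0/24")]),
                 "10.10.10.2", "8.8.8.8")


if __name__ == "__main__":
    for fn in (scenario_3a, scenario_3b_lan_only_nat, scenario_3b_fixed_nat):
        outcome, log = fn()
        print(fn.__name__, "->", outcome)
        for line in log:
            print("   ", line)
```

Running it prints the hop log for each scenario; the second one ends with the ISP dropping the packet because A.B.C.D forwarded it unchanged, which is exactly the step (4) condition that an iptables SNAT/MASQUERADE rule on A.B.C.D matching the VPN client's source networks would fix.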


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users