On 1/12/20 8:06 am, pete M via 44Net wrote:
Went on the OpenVPN forum, asked a noob question, got shamed in a post by a prick, waited for someone else to try to help me. Now I am asking the ham community for help.
Yeah, life is like a bed of roses: full of pricks. Maybe they misunderstood what you were after, maybe they were in too much of a hurry (a common problem these days).
I'm no guru, but know enough to be dangerous. Maybe amongst the brains trust on this list, we can figure something out.
Let me tell you my goal. I will have multiple sites that will connect to the VPN server. On those sites, multiple machines will need a 44net address. Some will have fixed addresses, but I want to also have some assigned by DHCP.
Now I could also have some simple clients that will connect, and those will have DHCP addresses.
How do I manage that in OpenVPN? Is the DHCP vs. fixed address managed by the OpenVPN config?
Or do I need to have a local DHCP server at the site (the router that will connect as the client)?
It largely depends on how you set it up. OpenVPN has two modes:
- Layer 2 bridging mode
- Layer 3 tunnelled mode
In L3 mode, you're forwarding IP datagrams in a point-to-point link. There is an option there (client-to-client) that enables one VPN client to send traffic to another via the central "hub".
OpenVPN assigns the IP addresses for all clients. You can configure IP addresses per-client using a file in a "client configuration directory" (ccd). When you create a certificate for an OpenVPN client, you assign it a unique "canonical name" (CN): when OpenVPN is configured with a CCD, it looks for the file ${CCD}/${CN}, and in that file, you can push commands to the client such as "ifconfig" and "iroute" / "iroute-ipv6". The former allows you to set the client's IP addresses, and "iroute" defines what routes that client exposes to the server.
e.g.:

root@gw:~# cat /etc/openvpn/ccd/aclientname
# per-client address directives in a ccd file are the "-push" forms;
# plain "ifconfig" is rejected in this context
ifconfig-push 10.20.30.2 255.255.255.255
ifconfig-ipv6-push fd00:1122:3344:5566::1000/128
# IPv4 iroute takes "network netmask"; IPv6 takes prefix/length
iroute 44.12.34.0 255.255.255.0
iroute-ipv6 2001:db8:1122:3344::/64
Note, if you say 'iroute' or 'iroute-ipv6' here, you should also add those same networks with 'route' and 'route-ipv6' in your main OpenVPN config file to expose those to the host:
# IPv4 route takes "network netmask" (same form as the iroute above)
route 44.12.34.0 255.255.255.0
route-ipv6 2001:db8:1122:3344::/64
Then, there's L2 mode. Here, you forward whole Ethernet frames. Again, if you want VPN clients to "see" each other, client-to-client is your friend. OpenVPN in this case looks like an Ethernet switch, and doesn't care whether the L3 protocol is IP, NetBEUI, IPX/SPX, BACnet/Ethernet, etc. There is an option there for OpenVPN to assign addresses, but honestly, I do this:
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
server-bridge
Note the lack of any addressing; this just makes it a dumb switch. You then either bridge this with one of your gateway's physical ports (which I have done), or you can configure your own DHCP server to listen on this port and assign addresses accordingly. If you need your VPN clients to use a specific MAC address, look for the link-layer address option (lladdr).
A caveat with this mode: some clients do not support it (notably OpenVPN on Android, unless they've changed that with Android 4.2 or later).
Regards,
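The per-client ccd scheme described in the reply above has one easy-to-miss failure mode: an iroute in a ccd file tells OpenVPN which client owns a prefix, but unless the server config also carries a matching route / route-ipv6 line the kernel never sends that prefix into the tun interface in the first place. The script below is an added example, not code from the original post or from the OpenVPN project. It writes a ccd file for a site gateway with the directive names OpenVPN actually accepts there (ifconfig-push, ifconfig-ipv6-push, iroute, iroute-ipv6) and then checks a server config for the route lines every iroute requires. The paths, the CNs (aclientname, site2) and the tunnel addresses are hypothetical; the 44.12.34.0/24 and 2001:db8:1122:3344::/64 prefixes follow the thread's own example, and the demo server.conf is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project).
# Generates a per-client ccd file for a 44net site gateway and checks that
# every iroute / iroute-ipv6 in the ccd directory has the matching
# route / route-ipv6 line in the server config. All paths, CNs and
# addresses below are hypothetical.

# write_ccd DIR CN TUN_IP TUN_MASK TUN_IP6/BITS NET4 MASK4 NET6/BITS
# In a ccd file the address directives are ifconfig-push and
# ifconfig-ipv6-push (plain ifconfig is not accepted there). Under
# "topology subnet" TUN_MASK is the tunnel subnet's netmask. IPv4 iroute
# takes "network netmask"; iroute-ipv6 takes prefix/length.
write_ccd() {
    dir=$1; cn=$2; tun_ip=$3; tun_mask=$4; tun_ip6=$5; net4=$6; mask4=$7; net6=$8
    mkdir -p "$dir"
    {
        echo "# generated for client CN=$cn"
        echo "ifconfig-push $tun_ip $tun_mask"
        echo "ifconfig-ipv6-push $tun_ip6"
        echo "iroute $net4 $mask4"
        echo "iroute-ipv6 $net6"
    } > "$dir/$cn"
}

# routes_needed DIR: print, one per line, the route / route-ipv6 lines the
# server config must carry for the iroutes found in DIR. An iroute with no
# netmask means a single host, which OpenVPN treats as 255.255.255.255.
routes_needed() {
    cat "$1"/* 2>/dev/null | awk '
        $1 == "iroute"      { m = ($3 == "") ? "255.255.255.255" : $3
                              print "route " $2 " " m }
        $1 == "iroute-ipv6" { print "route-ipv6 " $2 }' | sort -u
}

# normalize CONF: drop "#" and leading ";" comments and collapse whitespace
# so that config lines can be compared exactly.
normalize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*;.*//' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1"
}

# check_routes CONF DIR: return 0 when CONF carries every route line that
# the ccd files in DIR require; otherwise list the missing lines on stderr
# and return 1. The here-document keeps the loop in the current shell so
# the "missing" flag survives it.
check_routes() {
    conf=$1; dir=$2; missing=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        normalize "$conf" | grep -Fxq -- "$line" \
            || { echo "missing in $conf: $line" >&2; missing=1; }
    done <<EOF
$(routes_needed "$dir")
EOF
    return $missing
}

# demo: a throwaway server config (constructed) that covers the first site
# gateway but not the second, so the check is expected to fail.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/server.conf" <<EOF
dev tun
topology subnet
server 10.20.30.0 255.255.255.0
server-ipv6 fd00:1122:3344:5566::/64
client-config-dir $tmp/ccd
client-to-client
# prefixes routed behind the site gateways
route 44.12.34.0 255.255.255.0
route-ipv6 2001:db8:1122:3344::/64
EOF
    write_ccd "$tmp/ccd" aclientname 10.20.30.2 255.255.255.0 \
        fd00:1122:3344:5566::1000/64 44.12.34.0 255.255.255.0 2001:db8:1122:3344::/64
    write_ccd "$tmp/ccd" site2 10.20.30.3 255.255.255.0 \
        fd00:1122:3344:5566::1001/64 44.12.35.0 255.255.255.0 2001:db8:1122:3345::/64
    if check_routes "$tmp/server.conf" "$tmp/ccd"; then
        echo "server.conf covers every ccd iroute"
    else
        echo "server.conf is missing route lines for at least one client (listed above)"
    fi
    rm -rf "$tmp"
}

demo
```

Run it against a real deployment by pointing check_routes at /etc/openvpn/server.conf and the directory named in its client-config-dir line; a non-zero exit with "missing in ..." lines is the case where a client's iroute is silently useless because the server's kernel has no route for that prefix. The check compares normalized lines exactly, so a route written with a different netmask than the iroute is reported as missing, which is the right answer: the two must describe the same prefix.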