On 1/12/20 8:06 am, pete M via 44Net wrote:
> Went on the openvpn forum, asked a noob question, got
> shamed in a post by a prick, waited for someone else to try to help me. Now I am asking the
> ham community for help.
Yeah, life is like a bed of roses: full of pricks. Maybe they
misunderstood what you were after, maybe they were in too much of a
hurry (a common problem these days).
I'm no guru, but know enough to be dangerous. Maybe amongst the brains
trust on this list, we can figure something out.
> Let me tell you my goal. I will have multiple sites
> that will connect to the VPN server. On those sites multiple machines will need a 44net
> address. Some will have fixed addresses, but I want to also have some assigned by DHCP.
> Now I could also have some simple clients that will connect, and those will have DHCP
> addresses.
> How do I manage that in OpenVPN? Is the DHCP vs fixed address managed by the OpenVPN
> config?
> Or do I need to have a local DHCP server at the site (the router that will connect as
> the client)?
It largely depends on how you set it up. OpenVPN has two modes:
- Layer 2 bridging mode
- Layer 3 tunnelled mode
In L3 mode, you're forwarding IP datagrams in a point-to-point link.
There is an option there (client-to-client) that enables one VPN client
to send traffic to another via the central "hub".
OpenVPN assigns the IP addresses for all clients. You can configure IP
addresses per-client using a file in a "client configuration directory"
(ccd). When you create a certificate for an OpenVPN client, you assign
it a unique "canonical name" (CN): when OpenVPN is configured with a
CCD, it looks for the file ${CCD}/${CN}, and in that file, you can push
commands to the client such as "ifconfig" and "iroute" /
"iroute-ipv6".
The former allows you to set the client's IP addresses, and "iroute"
defines what routes that client exposes to the server.
e.g.:
root@gw:~# cat /etc/openvpn/ccd/aclientname
# In a CCD file the per-client address directives are the "-push" forms;
# the second argument is the netmask under "topology subnet" (or the peer
# address under the default net30 topology).
ifconfig-push 10.20.30.2 255.255.255.255
ifconfig-ipv6-push fd00:1122:3344:5566::1000/128
# Networks behind this client; IPv4 iroute takes "network netmask".
iroute 44.12.34.0 255.255.255.0
iroute-ipv6 2001:db8:1122:3344::/64
Note, if you say 'iroute' or 'iroute-ipv6' here, you should also add
those same networks with 'route' and 'route-ipv6' in your main OpenVPN
config file to expose those to the host:
route 44.12.34.0 255.255.255.0
route-ipv6 2001:db8:1122:3344::/64
Then, there's L2 mode. Here, you forward whole Ethernet frames. Again,
if you want VPN clients to "see" each other, client-to-client is your
friend. OpenVPN in this case looks like an Ethernet switch, and doesn't
care whether the L3 protocol is IP, NetBEUI, IPX/SPX, BACnet/Ethernet,
etc. There is an option there for OpenVPN to assign addresses, but
honestly, I do this:
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
server-bridge
Note the lack of any addressing; this just makes it a dumb switch. You
then either bridge this with one of your gateway's physical ports
(which I have done), or you can configure your own DHCP server to listen
on this port and assign addresses accordingly. If you need your VPN
clients to use a specific MAC address, look for the link-layer address
option (lladdr).
A caveat with this mode: some clients do not support it (notably OpenVPN
on Android, unless they've changed that with Android 4.2 or later).
Regards,
--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
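The L3/CCD setup described in the reply above, as an added example that is not part of the original post: a constructed server config and CCD directory (file names, addresses and the `siteb` client are made up for illustration), plus a check that every `iroute`/`iroute-ipv6` in a CCD file has the matching `route`/`route-ipv6` in the server config, which the reply says must be present for the server to expose that network.

```shell
#!/bin/sh
# Added example, not code from the 44Net post. Builds a constructed OpenVPN
# server config + CCD directory and checks CCD iroutes against server routes.
set -eu

make_sample() {  # $1 = work dir; writes the constructed sample files
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<'EOF'
dev tun
topology subnet
server 10.20.30.0 255.255.255.0
server-ipv6 fd00:1122:3344:5566::/64
client-config-dir /etc/openvpn/ccd
client-to-client
route 44.12.34.0 255.255.255.0
route-ipv6 2001:db8:1122:3344::/64
EOF
    # CCD file name == certificate CN; fixed address + site network
    cat > "$1/ccd/aclientname" <<'EOF'
ifconfig-push 10.20.30.2 255.255.255.0
ifconfig-ipv6-push fd00:1122:3344:5566::1000/64
iroute 44.12.34.0 255.255.255.0
iroute-ipv6 2001:db8:1122:3344::/64
EOF
    # Hypothetical second site whose iroute was never added to server.conf
    cat > "$1/ccd/siteb" <<'EOF'
ifconfig-push 10.20.30.3 255.255.255.0
iroute 44.12.35.0 255.255.255.0
EOF
}

# Print "CN keyword args" for each CCD iroute/iroute-ipv6 that has no
# exactly matching route/route-ipv6 line in the server config.
missing_routes() {  # $1 = server.conf, $2 = ccd dir
    for f in "$2"/*; do
        cn=$(basename "$f")
        grep -E '^iroute(-ipv6)? ' "$f" | while read -r kw args; do
            case $kw in
                iroute)      rkw=route ;;
                iroute-ipv6) rkw=route-ipv6 ;;
                *)           continue ;;
            esac
            grep -qxF "$rkw $args" "$1" || echo "$cn $kw $args"
        done
    done
}

work=$(mktemp -d)
make_sample "$work"
missing_routes "$work/server.conf" "$work/ccd"   # reports siteb's iroute
rm -rf "$work"
```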