Hi, me again with an OT kind of topic.
I have been pretty happy with the way the VPS at Vultr and the BGP announcement have been doing; it has not missed a beat since it was fixed. Again, thanks to everyone who helped.
Now I need a push in the right direction for OpenVPN.
Went on the OpenVPN forum, asked a noob question, got shamed in a post by a prick, waited for someone else to try to help me. Now I am asking the ham community for help.
I have seen many tutorials/videos/explanations and how-tos for OpenVPN. Most are tutorials where you start a script, enter some magic numbers, it starts installing package after package and it starts working. Youhou! NOT!
That ain't the kind of stuff I am looking for. If I want to support the server and be able to debug it in case it fails, I need to know where and how all this works.
Let me tell you my goal. I will have multiple sites that will connect to the VPN server. On those sites, multiple machines will need a 44net address. Some will have fixed addresses, but I also want to have some assigned by DHCP.
Now I could also have some simple clients that will connect, and those will have DHCP addresses.
How do I manage that in OpenVPN? Is DHCP vs. fixed addressing managed by the OpenVPN config?
Or do I need to have a local DHCP server at the site (the router that will connect as the client)?
Will I have to do some bridging between my sites (client-to-client communication)?
And finally, is there a really good how-to somewhere that is not 300 pages long, as hard to read as the U.N.'s whole bylaws and treaties, and that a layman can understand? Hopefully one that is not a recipe that says: add some pixie dust here, open Notepad 3 times while typing "I will not read my sister's diary in front of the whole class" (copyright The Simpsons) 200 times, without saving the file between each opening and closing, and hope that it will do the job.
From a guy pretty tired of searching for the answer to life.
Yeah, I know it's 42.
Pierre VE2PF
On 1/12/20 8:06 am, pete M via 44Net wrote:
> Went on the OpenVPN forum, asked a noob question, got shamed in a post by a prick, waited for someone else to try to help me. Now I am asking the ham community for help.
Yeah, Life is like a bed of roses: full of pricks. Maybe they misunderstood what you were after, maybe they were in too much of a hurry (a common problem these days).
I'm no guru, but know enough to be dangerous. Maybe amongst the brains trust on this list, we can figure something out.
> Let me tell you my goal. I will have multiple sites that will connect to the VPN server. On those sites, multiple machines will need a 44net address. Some will have fixed addresses, but I also want to have some assigned by DHCP.
> Now I could also have some simple clients that will connect, and those will have DHCP addresses.
> How do I manage that in OpenVPN? Is DHCP vs. fixed addressing managed by the OpenVPN config?
> Or do I need to have a local DHCP server at the site (the router that will connect as the client)?
It largely depends on how you set it up. OpenVPN has two modes:
- Layer 2 bridging mode
- Layer 3 tunnelled mode
In L3 mode, you're forwarding IP datagrams in a point-to-point link. There is an option there (client-to-client) that enables one VPN client to send traffic to another via the central "hub".
OpenVPN assigns the IP addresses for all clients. You can configure IP addresses per-client using a file in a "client configuration directory" (ccd). When you create a certificate for an OpenVPN client, you assign it a unique "canonical name" (CN): when OpenVPN is configured with a CCD, it looks for the file ${CCD}/${CN}, and in that file, you can push commands to the client such as "ifconfig" and "iroute" / "iroute-ipv6". The former allows you to set the client's IP addresses, and "iroute" defines what routes that client exposes to the server.
e.g:
    root@gw:~# cat /etc/openvpn/ccd/aclientname
    ifconfig 10.20.30.2 255.255.255.255
    ifconfig-ipv6 fd00:1122:3344:5566::1000/128
    iroute 44.12.34.0/24
    iroute-ipv6 2001:db8:1122:3344::/64
Note, if you say 'iroute' or 'iroute-ipv6' here, you should also add those same networks with 'route' and 'route-ipv6' in your main OpenVPN config file to expose those to the host:
    route 44.12.34.0/24
    route-ipv6 2001:db8:1122:3344::/64
Then, there's L2 mode. Here, you forward whole Ethernet frames. Again, if you want VPN clients to "see" each other, client-to-client is your friend. OpenVPN in this case looks like an Ethernet switch, and doesn't care whether the L3 protocol is IP, NetBEUI, IPX/SPX, BACnet/Ethernet, etc. There is an option there for OpenVPN to assign addresses, but honestly, I do this:
    # Configure server mode for ethernet bridging
    # using a DHCP-proxy, where clients talk
    # to the OpenVPN server-side DHCP server
    # to receive their IP address allocation
    # and DNS server addresses. You must first use
    # your OS's bridging capability to bridge the TAP
    # interface with the ethernet NIC interface.
    # Note: this mode only works on clients (such as
    # Windows), where the client-side TAP adapter is
    # bound to a DHCP client.
    server-bridge
Note the lack of any addressing: this just makes it a dumb switch. You then either bridge this with one of your gateway's physical ports (which I have done), or you can configure your own DHCP server to listen on this port and assign addresses accordingly. If you need your VPN clients to use a specific MAC address, look for the link-layer address option (lladdr).
A caveat with this mode: some clients do not support it (notably OpenVPN on Android, unless they've changed that with Android 4.2 or later).
Regards,
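
An added example, not part of the message above or of OpenVPN itself: a small Python audit of the pairing that reply describes, where every `iroute` / `iroute-ipv6` in a ccd file should be covered by a `route` / `route-ipv6` in the main config. It accepts both the slash form shown in the message and the network-plus-netmask form, and goes one step further by flagging two clients that claim overlapping networks; the `siteb` and `sitec` files and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs modelled on the snippets in the message above.
SERVER_CONF = """\
client-config-dir /etc/openvpn/ccd
route 44.12.34.0/24
route-ipv6 2001:db8:1122:3344::/64
"""
CCD_FILES = {  # ccd file name -> contents; siteb and sitec are made up
    "aclientname": "iroute 44.12.34.0/24\niroute-ipv6 2001:db8:1122:3344::/64\n",
    "siteb": "iroute 44.12.35.0 255.255.255.0\n",
    "sitec": "iroute 44.12.34.128/25\n",
}

def parse_nets(text, directive):
    """Networks named by `directive` / `directive-ipv6` lines in a config text."""
    nets = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()  # drop trailing comments
        if len(words) < 2 or words[0] not in (directive, directive + "-ipv6"):
            continue
        spec = words[1]
        if words[0] == directive and "/" not in spec:
            # "network netmask" form; a missing netmask means a single host
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            spec = f"{spec}/{mask}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def audit(server_conf, ccd_files):
    """Return (kind, client, detail) findings for the iroute/route pairing."""
    routes = parse_nets(server_conf, "route")
    claimed, findings = [], []
    for client in sorted(ccd_files):
        for net in parse_nets(ccd_files[client], "iroute"):
            # An iroute with no covering route never reaches the host's table.
            if not any(net.version == r.version and net.subnet_of(r) for r in routes):
                findings.append(("no-route", client, str(net)))
            # Two clients claiming the same address space deserves a second look.
            for other_net, other in claimed:
                if (other != client and net.version == other_net.version
                        and net.overlaps(other_net)):
                    findings.append(("overlap", client, f"{net} vs {other}:{other_net}"))
            claimed.append((net, client))
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_CONF, CCD_FILES):
        print(*finding)
```

To run it against a real server, read the main config and each file in the ccd directory into the same two structures.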
Hello Pierre,
OpenVPN is a bit of a beast in regards to configuration options. Like you said, it has a bunch of knobs to tune and that can get overwhelming. While OpenVPN is here to stay, there's a newer addition to the VPN protocol family called WireGuard which recently made its way into the Linux kernel. WireGuard aims to be simple and cryptographically sound without worrying about extra features like OpenVPN does - and therefore is quite easy to configure.
There's a simple demo on their website that should get you started: https://www.wireguard.com/quickstart/
Feel free to reach out off list too if you need any specific pointers, I'd be happy to help.
Cheers,
Nate Sales KJ7DMC