
OpenVPN: site to site bridging problem and mtu question

Status
Not open for further replies.

jpadie

Technical User
Nov 24, 2003
10,094
FR
Hi there

I'm new to the arcana of network bridging etc. I've tried to get things working for a month or so and I'm now resorting to asking for your time and advice. I'm stumped...

I'm using an OpenVPN implementation. My server implementation works well: it is set up on a Linux DSL router as a bridged configuration. I am able to connect just fine from a number of different clients (individual computers).

For ease of reference, the home network is set to use the 10.8.0/24 IP range.

What I am now trying to do is to extend the configuration to a site-to-site implementation. I have a flat at a different location from my home and a number of machines behind the NAT router in that flat. The router is the same model as the one at home, so I have similarly installed OpenVPN on it.

The VPN comes up just fine and from the router I can ping resources inside the home network. The problem is that I cannot ping the resources inside the VPN from any client that is connected to the router.

The router hands out IP addresses in the 10.9.0/24 range.

Somehow I need to tell the router to take traffic for the 10.8.0/24 subnet and route it through the VPN, and this is where I am falling down. I have tried using the web interface to set a static route for 10.8.0/24 traffic to the tap interface (which is configured to 10.8.0.124, guaranteed non-duplicated) but still no traffic goes through.

Am I on the right track? Does anyone have any advice for how I might complete the task at hand? I think I could avoid the issue by bridging at both ends and assigning 10.8.0/24 addresses to the client end too, but I'd rather leave the client side as a routing solution and the server as bridged. Does this make sense?

A second question, if I may: in some cases I find that over working VPN connections using OpenVPN, I am unable to complete a Windows offline files synchronisation. I think it is a fragmentation issue. Is this likely? MTU is set to 1500; is it advisable to drop this to a particular level for OpenVPN connections?

many thanks
Justin
 
Judging from the response ;-) I guess either this can't be done or no one is experienced with OpenVPN.

For those reading this thread in the future, I have opted for a bridged solution at both sides. This has the unfortunate ramification that there are two DHCP servers on the LAN, but it seems that clients pick up an address from their 'local' DHCP server more often than not (thus meaning that the gateway is also kept local).

I have not yet resolved the MTU/fragmentation issues. This seems more resolvable if I switch to UDP ports rather than the TCP variants that I currently use. The reason for the original choice is that TCP ports are easier to telnet into in order to test that the server is listening properly.
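The two posts above touch three separate pitfalls: a routed client behind a bridged server, TCP as the tunnel transport, and an untuned MTU. The following lint script is an added example, not jpadie's configuration or anything from the OpenVPN project; it parses a server/client config pair and reports those pitfalls. The sample configs are constructed to match the thread's addressing (10.8.0/24 at home, 10.9.0/24 in the flat), the hostname `home.example.invalid` is a placeholder, and the finding codes are this example's own names. The "fixed" pair reflects what the thread settled on: tap at both ends over UDP with an explicit `mssfix`.

```python
"""Lint an OpenVPN server/client config pair for the site-to-site pitfalls
raised in this thread. Example code, not jpadie's configuration."""

# Constructed sample configs: a bridged (tap) server in front of the
# 10.8.0.0/24 home LAN, and a routed (tun) client on the flat's router,
# whose LAN is 10.9.0.0/24. home.example.invalid is a placeholder.
SERVER_CFG = """
port 1194
proto tcp-server
dev tap0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.200 10.8.0.250
keepalive 10 120
"""

CLIENT_CFG = """
client
proto tcp-client
dev tun
remote home.example.invalid 1194
route 10.8.0.0 255.255.255.0
"""

# The shape the thread settled on: bridged (tap) at both ends over UDP,
# with an explicit MSS clamp so inner TCP sessions do not depend on PMTUD.
FIXED_SERVER_CFG = """
port 1194
proto udp
dev tap0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.200 10.8.0.250
mssfix 1400
keepalive 10 120
"""

FIXED_CLIENT_CFG = """
client
proto udp
dev tap0
remote home.example.invalid 1194
mssfix 1400
"""


def parse_openvpn_config(text):
    """Return (directive, args) pairs; lines starting with '#' or ';' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def directive(entries, name):
    """Every argument list given for one directive."""
    return [args for d, args in entries if d == name]


def dev_type(entries):
    """'tap' or 'tun' from dev-type / dev; both ends of a link must agree."""
    for args in directive(entries, "dev-type"):
        return args[0]
    for args in directive(entries, "dev"):
        return "tap" if args[0].startswith("tap") else "tun"
    return None


def uses_tcp(entries):
    return any(args and args[0].startswith("tcp") for args in directive(entries, "proto"))


def has_route_for(entries, network, mask):
    """True if a route or iroute line names the given network (iroute's mask is optional)."""
    for name in ("route", "iroute"):
        for args in directive(entries, name):
            if args[:1] == [network] and args[1:2] in ([], [mask]):
                return True
    return False


def check_site_to_site(server_cfg, client_cfg, client_lan, client_mask):
    """Return finding codes (this example's own names) for the thread's pitfalls."""
    s = parse_openvpn_config(server_cfg)
    c = parse_openvpn_config(client_cfg)
    findings = []
    # tun on one end and tap on the other never forms a working link.
    if dev_type(s) != dev_type(c):
        findings.append("dev-mismatch")
    # TCP transport stacks retransmissions on retransmissions; stalls are
    # easier to chase down over UDP, as the poster above also found.
    if uses_tcp(s) or uses_tcp(c):
        findings.append("tcp-transport")
    # No explicit MTU/MSS setting: inner TCP sessions then rely on path MTU
    # discovery, which fails silently when ICMP is filtered somewhere.
    for label, cfg in (("server", s), ("client", c)):
        if not any(directive(cfg, k) for k in ("mssfix", "fragment", "tun-mtu")):
            findings.append("no-mtu-tuning:" + label)
    # A routed client LAN stays unreachable from home hosts until the server
    # side learns a route back to it (route/iroute) or the client NATs it.
    if dev_type(c) == "tun" and not has_route_for(s, client_lan, client_mask):
        findings.append("no-return-route")
    return findings


if __name__ == "__main__":
    print(check_site_to_site(SERVER_CFG, CLIENT_CFG, "10.9.0.0", "255.255.255.0"))
    print(check_site_to_site(FIXED_SERVER_CFG, FIXED_CLIENT_CFG, "10.9.0.0", "255.255.255.0"))
```

The `no-return-route` finding is the part the original question never reaches: a static route on the flat's router only sends packets one way, and the home LAN has no idea that 10.9.0/24 lives behind the tunnel, so replies never come back. Bridging both ends, as the thread eventually did, sidesteps that because there is then only one layer-2 segment.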
 
Hi there,

I am trying to perform a similar task to you, i.e. setting up a site to site VPN so that I can merge two remote networks that are on the same subnet (192.168.4.0).

I currently have a server/client setup and the bridging on the server side works perfectly well. However, I want to be able to access the network attached to the client side from the server side.

How did you go about bridging at both sides?

Cheers,

David
 
The nice thing about bridging is that the resources of each site are available to the other without having to do anything around routing etc.

Can you ping the remote client's resources by IP address? If so then it's just a name resolution issue: if both sites get their IP addresses from the same DHCP server then all should work out of the box. If you have two DHCP servers or are using static addresses then you need to make sure that there is a common DNS server (unless you are using all mDNS) to tell resources where to find each other. Ditto WINS. Alternatively you can use a hosts file.

If you can't (ping client resources) then something is wrong with the bridge setup or, more likely, there is a firewall in the way.
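The reply above is a two-step decision tree: ping by address first, and only if that works look at name resolution. The script below is an added example (not from anyone in the thread) that automates exactly that split so the right layer gets the attention. It assumes a Linux box with iputils `ping` (its `-W` takes seconds); the probe functions are injectable so the classification can be exercised without a network, and the result codes are this example's own.

```python
"""Tell a bridge/firewall fault apart from a name-resolution fault the way
the reply above suggests: ping by IP first, then resolve the name.
Example code, not from the thread; assumes Linux iputils ping."""
import socket
import subprocess


def ping_once(ip, timeout_s=2):
    """True if one ICMP echo to ip is answered (iputils ping, -W in seconds)."""
    try:
        done = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), ip],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s + 3,
        )
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def resolve_name(name):
    """IPv4 address the local resolver (DNS, hosts file, mDNS ...) gives, or None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def diagnose(name, expected_ip, ping=ping_once, resolver=resolve_name):
    """Classify why a remote host on the bridged LAN is unreachable.

    Returns one of (codes are this example's own):
      'bridge-or-firewall' - not even the IP answers: look at the bridge
                             or a firewall, not at DNS/WINS/hosts
      'name-resolution'    - the IP answers but the name does not resolve
      'wrong-address'      - the name resolves to a different address,
                             e.g. a stale lease from the other DHCP server
      'ok'                 - both layers work
    """
    if not ping(expected_ip):
        return "bridge-or-firewall"
    got = resolver(name)
    if got is None:
        return "name-resolution"
    if got != expected_ip:
        return "wrong-address"
    return "ok"


if __name__ == "__main__":
    import sys
    # usage: python diagnose.py <hostname> <expected-ip>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

The `wrong-address` case is worth having when two DHCP servers share one bridged LAN, as in jpadie's setup: a name can resolve to the address one server handed out while the host currently holds a lease from the other, and that looks like a dead host until the record is compared with the address that actually answers.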
 
Hi, just ran across this article. JPadie, you mentioned that you got this to work as a fully bridged site2site vpn; I am interested in setting up such a configuration, but keep running into snags and don't have the time to trace every possible hangup (firewall, ISP, vpn, config, etc.). Can you post your openvpn config files (or a sanitized version of), a description of your client/server setup (with interfaces, addresses, and a rough diagram of how everything is physically connected)?
I currently have two offices linked with a basic routed OpenVPN config, but only the two VPN boxes are talking to each other. It's a small setup, so bridging should scale to it just fine and would help with the non-routable protocols. That's my motivation for bridging: to make the connection as transparent as possible.
Thanks in advance!
 