Solved

OpenVPN concept problem

Posted on 2006-07-11
Last Modified: 2010-04-20
I need some help in some concepts about VPN:

I have two LANs in different cities and I need one computer to access the other one's services (an accounting software in this case). I'll call them LAN-HOME (the "server" LAN) and LAN-REMOTE (the "client" LAN).

Inside "LAN-HOME" there's a computer named GATEWAY which is a Linux machine providing proxy, email, firewall, etc. There's also a machine called TARGET which has the accounting software we need to allow other users to use.

Inside "LAN-REMOTE" there's also a computer named GATEWAY, also a Linux machine providing proxy, firewall, etc. And there's a PC called GUEST which needs to access a shared folder in TARGET in "LAN-HOME".

We installed OpenVPN (2.0.7, the last one I think) in GATEWAY in LAN-HOME. We designated it as a server and started the service after creating two users according to the manual in openvpn.net. We copied the ca.crt, client1.crt, client1.csr and client1.key files into GUEST and also installed OpenVPN there (for Windows, as GUEST is XP SP2).

We used TUN (modprobe tun) in GATEWAY in LAN-HOME. This is a Mandrake 9.1 machine with firewall disabled (just for testing). Actually it shows a lot of stuff and it seems to connect (at least both client and server show a lot of stuff and finally say: Initialization Sequence Completed). We use the 192.168.2.0 network in LAN-HOME and 192.168.10.0 in LAN-REMOTE. We used 10.8.0.0 for the tunnel (as it said in the manual in openvpn.net). We can ping the other side of the tunnel (10.8.0.1).

My funny question is: now what? AFAIK, now we have a tunnel from GUEST to GATEWAY in LAN-HOME. Now, how do we "enable" GUEST to access the internal network in LAN-HOME in order to reach TARGET? I read later that this is achieved through bridging. Is this true? If so, then what is tunneling for? As I remember, bridging requires a big bandwidth because it sends all traffic from each side to the other one and, although it seems a good choice, I've read that it requires a kernel compile and lots of things I don't handle very well (some bridge-utils thing, etc). And again, what can I use the tunnel I have now for?

Or, should the VPN server be in TARGET and should I forward traffic from port 1197 in GATEWAY in LAN-HOME to TARGET? Wouldn't this be a problem after the firewall rewrites packets?

I read also that a TUN adapter is for tunneling (routing) and TAP for bridging. Is this true?

Thanks a lot. As you can see it's more of a concept problem.

0
Question by:mrxcol
4 Comments
 
LVL 24

Accepted Solution

by:slyong (earned 50 total points)
ID: 17087656
Hi,

It is hard to troubleshoot VPN problems over EE like this, but since it is more of a concept problem, I believe by explaining a bit more in detail you should be able to get it right.

> Now, how do we "enable" GUEST to access the internal network in LAN-HOME in order to reach TARGET?
You can do it two ways, bridging or routing. Now your GATEWAY is like a router (but secured with VPN). In order for GUEST to reach your TARGET, GATEWAY has to do one of two things: route the traffic from GUEST's subnet (now 10.8.0.0) to TARGET's subnet (192.168.2.0). Routing is lighter on the bandwidth but you cannot use things like Windows machine names (not without WINS). Another way is that you do bridging, which joins the two subnets (10.8.0.0 and 192.168.2.0) together.

> I read also that a TUN adapter is for tunneling (routing) and TAP for bridging. is this true ?
TUN and TAP are similar, just that TUN works like a point-to-point interface (like a modem line) and TAP works like an Ethernet interface (ref: http://openvpn.net/papers/BLUG-talk/8.html). The statement you made is not really correct; if you think about it, you can use Ethernet for routing too.

0
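The routed option slyong describes, as an added example that is not from this thread: the OpenVPN 2.x server-side lines and the forwarding rules GATEWAY needs so GUEST's 10.8.0.x tunnel address can reach TARGET on 192.168.2.0/24. The interface names tun0 and eth0 are assumptions, and DRY_RUN=1 only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: routed (TUN) OpenVPN on GATEWAY in
# LAN-HOME, so GUEST's tunnel address (10.8.0.0/24) can reach TARGET in
# 192.168.2.0/24. Interface names (tun0, eth0) are assumptions.

LAN_HOME_NET=192.168.2.0
LAN_HOME_MASK=255.255.255.0
TUN_NET=10.8.0.0
TUN_MASK=255.255.255.0
LAN_IF=eth0        # assumption: GATEWAY's interface on LAN-HOME
TUN_IF=tun0        # assumption: the OpenVPN tunnel interface

# OpenVPN 2.x server.conf lines for routed mode. "server" hands out the
# 10.8.0.0/24 tunnel addresses; push "route" makes each client (GUEST) send
# LAN-HOME traffic into the tunnel instead of to its own default gateway.
routed_server_config() {
    cat <<EOF
dev tun
server $TUN_NET $TUN_MASK
push "route $LAN_HOME_NET $LAN_HOME_MASK"
EOF
}

# Execute a command, or just print it when DRY_RUN=1 so the rules can be
# reviewed before they are applied as root on GATEWAY.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# GATEWAY must forward between tun0 and the LAN; otherwise the tunnel comes
# up and 10.8.0.1 answers pings, but packets for TARGET are dropped there.
gateway_forwarding_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Only the tunnel subnet may enter LAN-HOME, and only toward that LAN.
    run iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" \
        -s "$TUN_NET/24" -d "$LAN_HOME_NET/24" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Needed only if TARGET has no route back to 10.8.0.0/24 via GATEWAY
    # (e.g. GATEWAY is not TARGET's default gateway).
    run iptables -t nat -A POSTROUTING -s "$TUN_NET/24" -o "$LAN_IF" -j MASQUERADE
}
```

Bridging (dev tap plus bridge-utils) avoids the route and the MASQUERADE line at the cost of carrying LAN-HOME broadcast traffic over the tunnel, which is the bandwidth trade-off the question raises.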
 
LVL 1

Author Comment

by:mrxcol
ID: 17090315
I think I got the concept. But one question comes to my mind:

When we make a VNC connection (like RealVNC), what is created? Something like a tunnel? As I read, a tunnel is like creating a /dev/longcable to /dev/longcable in the other machine and routing traffic through it so any specially designed application can utilize this tunnel. If I'm not wrong, this is what VNC does.

But I wonder, isn't this the same as starting a service in the target computer (listening on port xxx) and having the other computer connect to it?

In other words:

- Having a computer connect to another one directly (TCP or UDP connection).
- Creating a VNC connection from one computer to another.
- Creating a VPN (tunnel mode) from one computer to another.

Are these the same thing? (just that VPN may compress and cypher the data)

Thanks for your help.
0
 
LVL 24

Expert Comment

by:slyong
ID: 17093747
Hi mrxcol,

Hmm.. your concept is right in a way. Having computers connecting to one another over the internet is all the same. However VPN has encryption which ensures that the data transmitted in between is safe.

VNC is a bit different to VPN because VNC is an application to remotely display and transmit the mouse and keyboard information to the remote machine to control it. I am sure you already know the difference, but just taking VNC as an example.

Another thing is that if you are on bridging in VPN, you actually appear as if you are on the local network. There is no routing, so you can connect to any computer on LAN-HOME like what you do with the computers on the local network (like browse for machines, mount drives on XP, etc).
0
 
LVL 1

Author Comment

by:mrxcol
ID: 17095337
Thanks a lot. Now I'll try to find a way to have this VPN bridge.
0
