Peter,

> This effectively pushes EVERYTHING down the tunnel (DNS, DHCP,

This is my goal, I want everything over that wireless link to/from m0n0 to be completely encrypted, I don't want to see DNS traffic passing through wirelessly. In fact, wouldn't any VPN solution want this to happen? People could sniff all your DNS traffic and then gain insight as to where you are going, which would seem to partially defeat the idea of a VPN. How do IPSec and PPTP do it?

This brings up another question. Since I don't have another physical laptop/wifi station at the moment, I have tested by putting another wifi interface in my Thinkpad. Now when I sniff my channel from that second interface *I do* see some cleartext traffic going by. Now I imagine this is not being picked up from the air, but from the local machine, depending on how the stack or routes are configured? Not a valid test I know, but any input on this would be nice. (I saw this when testing PPTP from Linux as well.)

> specify the redirect-gateway + local push option which is correct for the
> situation where clients are on the same network as the server.

I have this working according to the openvpn client messages in Windows XP, but I get an error for the redirect-gateway + local push option using the openvpn client on Linux (FC3). [will paste] I will add a section to the doc as to how to configure the client in Linux. Also will try to segment it better to show a local VPN configuration vs a remote VPN configuration.

> OpenVPN now has an official port number assigned by IANA (1194).

Will the GUI screen mention to add firewall rules or offer to add them automatically when you turn it on?

> You might want to try the local wireless network scenario using TAP

I will check this out. I did see that you suggest this in your documentation, which I based a lot of what I did off of. TUN seemed to work more cleanly, and I was also big on setting the configuration to something that can be supported by the most clients, since I plan on having Windows, Mac, and Linux clients using OpenVPN when it's all done.

> Also I recommend TinyCA (http://tinyca.sm-zone.net/) for managing

Will there be any GUI tools added to the m0n0 OpenVPN screens to generate all the certs?

Thanks for the good work on this, I look forward to the coming updates.

http://seigal.com/docs/m0n0-openvpn.html

Louis

Peter Curran wrote:
> Louis
>
> Good document!
>
> Couple of pointers for you.....
>
> You said that your config was for clients on a wireless network on OPT1. It
> looks like a good setup for that purpose. One thing to note is that you
> specify the redirect-gateway + local push option which is correct for the
> situation where clients are on the same network as the server.
>
> This effectively pushes EVERYTHING down the tunnel (DNS, DHCP, everything..).
> The only thing left going across the real network path is packets to/from
> OVPN.
>
> If you are in a road-warrior scenario with remote users on completely separate
> (not physically connected) networks then this will likely cause many
> problems. I suggest that you just do redirect-gateway only. This then
> creates a default route via the tunnel, but traffic to the network local to
> the client (typically for DNS) does not use the tunnel.
>
> When the next version of the code is out (still testing but I hope tomorrow)
> then there is a port change. OpenVPN now has an official port number
> assigned by IANA (1194).
>
> You might want to try the local wireless network scenario using TAP tunnels as
> well - this actually performs better for me and allows me to use bridging to
> the LAN interface.
>
> Also I recommend TinyCA (http://tinyca.sm-zone.net/) for managing certs etc.
> - it provides a fairly smooth GUI environment and is not too difficult to
> use.
>
> Regards
>
> Peter
>
>>http://seigal.com/docs/m0n0-openvpn.html
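The two routing modes Peter describes, side by side as OpenVPN server configuration. This is an added example written for this thread, not Louis's m0n0wall config or anything from Peter's document; the tunnel subnet, certificate file names and DNS address are constructed placeholders.

```conf
# ---- Scenario A: clients on the same subnet as the server (wireless OPT1) ----
# "local" tells the client the server is directly reachable on its connected
# subnet, so the client does not add a host route to the server via its old
# default gateway. The default route then points into the tunnel and every
# other packet, DNS included, is encrypted across the wireless link.
dev tun
proto udp
port 1194                          # IANA-assigned OpenVPN port named in the thread
ca ca.crt                          # placeholder paths: CA, server cert, key, DH params
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0      # constructed tunnel subnet
push "redirect-gateway local"
# Pushed DNS is applied by the Windows TAP adapter; Linux/Mac clients need an
# up script to apply it. Address is a constructed placeholder.
push "dhcp-option DNS 10.8.0.1"

# ---- Scenario B: road-warrior clients on unrelated remote networks ----
# Same server block as above, but without "local": the client first adds a
# /32 route to the server's public address via its existing gateway, then
# swaps in the tunnel as default route. The client's own connected subnet
# stays reachable through its more specific route, which is why local DNS
# keeps working in Peter's description.
push "redirect-gateway"
```

Pushing `redirect-gateway local` to a client that is not on the server's subnet removes the /32 host route to the server, so the client's packets to the server itself would be sent into the tunnel and the connection stalls. That is the failure mode behind Peter's "many problems" remark, and the reason the two scenarios should be kept as separate server profiles rather than one shared push line.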