Chris

> Is it possible to get this to work with PPTP, or do I have to use IPSEC or
> OpenVPN?

Broadcasts (and multicasts) do not work over IPsec. They probably don't work over PPTP either.

It is possible to do what you want over OpenVPN - you need to create a virtual layer-2 network using TAP style tunnels. There is some documentation for this on the OpenVPN site. There is not currently any documentation for m0n0 that covers this particular aspect - to be honest you are only the second person to ask for bridged networks over OpenVPN on this list, so it has had something of a low priority.

This will work in the current 1.2b3 beta release, BUT ---- I am in the process of completely rewriting the internals of m0n0/OpenVPN, and you may want to wait until this is done (RSN). Please watch the list for the availability of the next test release of code that should support your desired functionality in what will (hopefully) be the final mechanism.

> I’ve tinkered with OpenVPN, but haven’t been able to set it up due
> to the current lack of documentation (that I was able to find) for setting
> it up with m0n0wall. I’ve checked the OpenVPN site and unable to translate
> what I’ve found there into correct m0n0wall settings. If OpenVPN is the
> way I have to go, is there some sort of guide I can use to get it working
> with m0n0wall?
>

In brief (for 1.2b3), what you need to do is set up the m0n0 as an OpenVPN server using a TAP style tunnel. Assign a block of IP addresses (eg 10.1.0.0/24) and define the max number of clients (the default should be fine). Create Server cert and key files, CA cert file and DH parameters file (an explanation of how to do this is on ). Select a suitable crypto (the default Blowfish is fine if you have no hardware accelerator). Select the 'redirect gateway', 'ping 30 secs' and 'ping-reset 60 secs' push options and enable 'client-to-client' routing.

Assuming incoming VPN traffic is on the WAN interface, add a filter rule to permit incoming UDP packets to port 5000 from outside.

On your XP machines, download the current release of OpenVPN from the OpenVPN site and install. Create a client cert and key file, provide the ca cert file and place in the appropriate directory on Windows. Create a config file like this:

    port 5000
    dev tap
    remote [m0n0_IP_or_name]
    tls-client
    ca [name of ca cert file]
    cert [name of client cert file]
    key [name of key file]
    pull
    verb 4

This will link all the clients together into a single virtual ethernet - they can happily chatter to each other. If you need to make the LAN interface on the m0n0 part of this network it is possible, using bridging, but I suggest waiting for the next release of the code as the current version doesn't really work well.

Let me know how you get on.

Peter
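
A pre-flight check for the client config file described in the message above, as an added example that is not part of the original message or of m0n0wall: it parses an OpenVPN client config and reports directives that are missing, that differ from the TAP / port 5000 setup, or that still hold a bracketed placeholder. The function names and the sample host and file names (vpn.example.org, ca.crt, client1.crt, client1.key) are constructed for illustration.

```python
import shlex

EXPECTED = {"dev": "tap", "port": "5000"}   # fixed values from the message
FLAGS = ("tls-client", "pull")              # directives that take no argument
VALUED = ("remote", "ca", "cert", "key")    # site-specific values

def parse_openvpn_config(text):
    """Map each directive to its argument string; '#' and ';' start comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0]] = " ".join(parts[1:])
    return directives

def check_client_config(text):
    """Return a list of problems; an empty list means the config is consistent."""
    cfg = parse_openvpn_config(text)
    problems = [f"missing directive: {d}"
                for d in (*EXPECTED, *FLAGS, *VALUED) if d not in cfg]
    for name, want in EXPECTED.items():
        if name in cfg and cfg[name] != want:
            problems.append(f"{name}: expected {want}, found {cfg[name] or 'nothing'}")
    for name in VALUED:
        value = cfg.get(name)
        if value is None:
            continue
        if not value:
            problems.append(f"{name}: no value given")
        elif value.startswith("[") and value.endswith("]"):
            problems.append(f"{name}: placeholder {value} not filled in")
    return problems

# Constructed sample: the message's template with made-up names filled in.
FILLED = """\
port 5000
dev tap
remote vpn.example.org
tls-client
ca ca.crt
cert client1.crt
key client1.key
pull
verb 4
"""

if __name__ == "__main__":
    for problem in check_client_config(FILLED.replace("dev tap", "dev tun")):
        print(problem)
```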