OpenVPN 2 Cookbook

Proxy-arp

In this recipe, we will use the proxy-arp feature of the Linux kernel to make the VPN clients appear as part of the server-side LAN. This eliminates the need to use bridging, which is desirable in most cases.

Getting ready

We use the following network layout:

(Figure: network layout diagram for this recipe)

This recipe uses the PKI files created in the first recipe of this chapter. For this recipe, the server computer ran CentOS 5 Linux and OpenVPN 2.1.1; the client ran Windows XP SP3 and OpenVPN 2.1.1. For the server, keep the configuration file basic-udp-server.conf from the recipe Server-side routing at hand. For the Windows client, keep the configuration file basic-udp-client.ovpn from the recipe Using an ifconfig-pool block at hand.

How to do it...

  1. Create the server config file by adding the following lines to the basic-udp-server.conf file:
    script-security 2
    client-connect /etc/openvpn/cookbook/proxyarp-connect.sh
    client-disconnect /etc/openvpn/cookbook/proxyarp-disconnect.sh
    

    Save it as example2-10-server.conf.

  2. Create the proxyarp-connect.sh script:
    #!/bin/bash
    # Publish a proxy-ARP entry on eth0 for the address OpenVPN assigned
    # to the connecting client; $ifconfig_pool_remote_ip is exported by OpenVPN.
    /sbin/arp -i eth0 -Ds "$ifconfig_pool_remote_ip" eth0 pub

    And the proxyarp-disconnect.sh script:

    #!/bin/bash
    # Remove the published entry again when the client disconnects.
    /sbin/arp -i eth0 -d "$ifconfig_pool_remote_ip"

  3. Make sure that both scripts are executable:
    [root@server]# cd /etc/openvpn/cookbook
    [root@server]# chmod 755 proxyarp-connect.sh
    [root@server]# chmod 755 proxyarp-disconnect.sh
    
  4. Start the server:
    [root@server]# openvpn --config example2-10-server.conf
    
  5. Then, start the Windows client using the OpenVPN GUI:
    (Figure: the OpenVPN GUI on the Windows client)
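The two hook scripts above pass a value taken from the OpenVPN environment straight to a command that runs as root, so it is worth validating it first. The following script is an added example written for this page; it is not from the OpenVPN 2 Cookbook. It combines both hooks in one file, validates the pool address before it reaches /sbin/arp, restricts it to the LAN range, and includes a check of the arp table so an administrator can confirm the published entry exists. Assumptions: the server-side LAN is 10.198.1.0/24 on eth0 (the recipe shows eth0 and the address 10.198.1.130; the /24 is assumed), the ARP_BIN variable may be set to "sudo /sbin/arp" when the server runs as user nobody (the sudo setup itself is assumed), and SAMPLE_ARP_TABLE is constructed output in the format of arp -n for offline testing. OpenVPN exports script_type, which is what lets one file serve both client-connect and client-disconnect.

```shell
#!/bin/bash
# Added example, not the book's code: hardened proxy-ARP hook for OpenVPN.
# Assumed settings (override via the environment): LAN interface eth0,
# LAN range 10.198.1.0/24, and ARP_BIN="sudo /sbin/arp" if OpenVPN drops
# privileges to user nobody.
LAN_IF="${LAN_IF:-eth0}"
LAN_PREFIX="${LAN_PREFIX:-10.198.1.}"
ARP_BIN="${ARP_BIN:-/sbin/arp}"

# Accept only a plain dotted-quad IPv4 address; anything else is rejected
# so that an unexpected environment value never becomes an arp argument.
is_ipv4() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Only addresses borrowed from the server-side LAN may be published.
in_lan_range() {
    case "$1" in
        "$LAN_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the exact arp command for "add" or "del"; print nothing and fail
# when the address does not validate.
proxyarp_cmd() {
    action="$1"; ip="$2"
    is_ipv4 "$ip" && in_lan_range "$ip" || return 1
    case "$action" in
        add) printf '%s -i %s -Ds %s %s pub\n' "$ARP_BIN" "$LAN_IF" "$ip" "$LAN_IF" ;;
        del) printf '%s -i %s -d %s\n' "$ARP_BIN" "$LAN_IF" "$ip" ;;
        *) return 1 ;;
    esac
}

# Report whether `arp -n` output (passed as text) holds a published entry
# (P flag) for the address; lets an admin verify the connect hook took effect.
proxyarp_published() {
    ip="$1"; table="$2"
    printf '%s\n' "$table" | awk -v ip="$ip" \
        '$1 == ip && $(NF-1) ~ /P/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of `arp -n` output mirroring the recipe's entry.
SAMPLE_ARP_TABLE='Address                  HWtype  HWaddress           Flags Mask            Iface
10.198.1.1               ether   00:11:22:33:44:55   C                     eth0
10.198.1.130             *       *                   MP                    eth0'

# Hook entry point: OpenVPN sets script_type to client-connect or
# client-disconnect, and ifconfig_pool_remote_ip to the client's address.
proxyarp_main() {
    case "${script_type:-}" in
        client-connect)    cmd=$(proxyarp_cmd add "${ifconfig_pool_remote_ip:-}") ;;
        client-disconnect) cmd=$(proxyarp_cmd del "${ifconfig_pool_remote_ip:-}") ;;
        *) return 1 ;;
    esac
    if [ -z "$cmd" ]; then
        echo "proxyarp: refusing invalid address '${ifconfig_pool_remote_ip:-}'" >&2
        return 1
    fi
    $cmd    # unquoted on purpose: runs the validated, space-separated argv
}

# Only act when invoked by OpenVPN as a hook; sourcing the file does nothing.
if [ -n "${script_type:-}" ]; then
    proxyarp_main
fi
```

Install one copy as /etc/openvpn/cookbook/proxyarp-connect.sh and point both client-connect and client-disconnect at it (or symlink the second name to the first); a rejected address makes the hook exit non-zero, which causes OpenVPN to refuse the client connection rather than publish a bad entry.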

After the client has successfully connected, the 'arp' table on the OpenVPN server will have a new entry:

10.198.1.130 * * MP eth0

From a machine on the server-side LAN, we can now ping the VPN client:

[siteBclient]C:> ping 10.198.1.130

Note that no special routing is required on Site B's LAN. The VPN client truly appears as being on the LAN itself.

How it works...

proxy-arp is a feature supported by most UNIX and Linux kernels. It is used most often for connecting dial-in clients to a LAN, and nowadays also by ADSL and cable Internet providers. When the OpenVPN client connects, an IP address is borrowed from Site B's LAN range and assigned to the OpenVPN client. At the same time, a special ARP entry is made on the OpenVPN server to tell the rest of the network that the OpenVPN server acts as a proxy for IP 10.198.1.130. This means that when another machine on Site B's LAN asks where to find the host with IP 10.198.1.130, the OpenVPN server will respond with its own MAC address.

There's more...

User 'nobody'

Note that in this example we did not use:

user nobody
group nobody

as it would have prevented the proxyarp-* scripts from working. Root privileges are required to execute the /sbin/arp command, hence it is not possible to switch to user nobody after the OpenVPN server has started. Alternatively, one can configure sudo access to the /sbin/arp command to circumvent this.

TAP-style networks

proxy-arp can also be used in a TAP-style network. In combination with an external DHCP server, this gives almost the same functionality as an Ethernet bridging solution without the drawbacks of Ethernet bridging itself.

Broadcast traffic might not always work

Sending broadcast traffic over a network where proxy-arp is used is tricky. For most purposes (for example, Windows Network Neighborhood browsing), proxy-arp will work. For some applications that require all clients to be members of a full broadcast domain, using proxy-arp might not suffice. In that case, Ethernet bridging is a better solution.

See also

  • Chapter 3's recipe, Checking broadcast and non-IP traffic