echo: rberrypi
to: CHRIS GREEN
from: JOE
date: 2020-12-28 11:07:00
subject: Re: Simplest 3G/4G connec

On Sun, 27 Dec 2020 21:34:33 +0000
Chris Green  wrote:

> Joe  wrote:
> > On Sun, 27 Dec 2020 20:28:52 +0000
> > Chris Green  wrote:
> >
> > > Tauno Voipio  wrote:
> >
> > > >
> > > > You have also a need to provide routing from the internal
> > > > network to the OpenVPN daemon for the subnet (or host) to
> > > > tunnel via the VPN.
> > > Ay?  I'm not at all sure what you mean by this.
> > >
> >
> > I think what he means is that using a VPN from a single computer
> > doesn't need any routing changes, but if you want one computer to
> > handle VPN for other local computers, and the VPN machine is not the
> > network's default gateway, then you need to tell the other computers
> > that the VPN computer is the gateway to the distant network. The
> > simplest way is with a DHCP configuration. I recall using a Win2000
> > workstation as a VPN server for a remote office and needing to do
> > this.
> Hmm!!  I don't see how that makes sense.  'Using VPN from a single
> computer' when the 'single computer' is on a LAN - but then it all
> goes to pot doesn't it?  Either the computer is on one's LAN or it's
> in a VPN with the remote but it can't really do both can it?
>
Yes, it can. A VPN client behaves as a computer with two (or more)
network interfaces. A single workstation client will by default route
its outgoing packets to its VPN client software for transmission down
the tunnel (obviously except the VPN protocol packets themselves,
which are routed as normal through the computer's hardware network
interface), but the hardware interface can still accept packets from
other local computers, and may be configured to also route some or all
of them into the VPN. It's also obvious why the network address for the
local LAN and the remote network must be different: having the same network
address on two interfaces of the same computer never works well.

Three VPN scenarios:

1) Default gateway router is a VPN client to a remote network. All
outgoing packets (except the VPN protocol itself) go through the VPN.
All computers using the router automatically use the VPN with no change
in routing necessary.

2) Single workstation is the VPN client. All its packets route through
the VPN. No routing change required. All other computers in the local
LAN unaffected.

3) Computer within the LAN (i.e. not the default gateway) is the VPN
client to the remote network. Other local computers which wish to use
the VPN must treat the VPN client as the gateway to the remote
network(s), so a routing change in the client is required, as well as
enabling IP forwarding in the VPN computer and possibly adjusting its
firewall.

The first and last are 'site-to-site' VPNs, handling multiple clients.
Best done by scenario 1), but can be done by 3) if the gateway cannot
be a client of the VPN type required. Most modern routers can be client
or server to some VPN types e.g. IPSec and PPTP, but not usually
OpenVPN.

Note that many types of VPN (e.g. IPSec and PPTP) can only support one
tunnel between a given pair of IP addresses. OpenVPN can use any port,
so multiple tunnels are allowed, but IPSec and PPTP both use a TCP
control channel and another IP protocol which does not have the concept
of ports. So two or more workstations within the same (NATed) LAN must
use site-to-site to reach the same remote network if using one of these
VPN types.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
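Scenario 3 above, worked through as an added example (not code from this thread): a Python script that encodes the route to the remote network as a DHCP classless-static-route option (RFC 3442, option 121) so the other LAN computers learn the VPN computer as their gateway to it, emits the matching ISC dhcpd option lines, lists the forwarding and firewall changes for the VPN computer itself, and flags the overlapping-address problem mentioned above. The LAN 192.168.1.0/24, VPN host 192.168.1.50, remote network 10.8.0.0/24 and interface name tun0 are constructed sample values.

```python
import ipaddress

def rfc3442_routes(routes):
    """Encode (destination, router) pairs as DHCP option 121 (RFC 3442):
    prefix length, only ceil(prefix/8) destination octets, 4-byte router."""
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(via).packed
    return bytes(out)

def dhcpd_option_lines(routes):
    """ISC dhcpd: declare the option, then give its value as decimal octets."""
    octets = ", ".join(str(b) for b in rfc3442_routes(routes))
    return [
        "option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;",
        f"option rfc3442-classless-static-routes {octets};",
    ]

def check_scenario3(lan, vpn_host, remote_nets):
    """Problems that break scenario 3: VPN host off the LAN, or a remote
    network that overlaps the local one (same address on two interfaces)."""
    lan_net = ipaddress.IPv4Network(lan)
    host = ipaddress.IPv4Address(vpn_host)
    problems = []
    if host not in lan_net:
        problems.append(f"{host} is not on LAN {lan_net}")
    for r in remote_nets:
        rn = ipaddress.IPv4Network(r)
        if rn.overlaps(lan_net):
            problems.append(f"remote {rn} overlaps LAN {lan_net}")
    return problems

def vpn_host_commands(lan, tun_if="tun0"):
    """Forwarding plus minimal iptables FORWARD rules on the VPN computer
    (Linux, run as root); tun_if is an assumed interface name."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -A FORWARD -s {lan} -o {tun_if} -j ACCEPT",
        f"iptables -A FORWARD -d {lan} -i {tun_if} -m conntrack"
        " --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]

if __name__ == "__main__":  # constructed sample addresses
    print("\n".join(dhcpd_option_lines([("10.8.0.0/24", "192.168.1.50")])))
    print(check_scenario3("192.168.1.0/24", "192.168.1.50", ["10.8.0.0/24"]))
    print("\n".join(vpn_host_commands("192.168.1.0/24")))
```

The second iptables rule only lets replies back in; a LAN host that should also be reachable from the remote side needs a separate explicit rule.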

SOURCE: echomail via QWK@docsplace.org
