OpenVPN - Static IP addresses
-
It should go without mentioning since I'm concerned about DHCP, but just to be clear, this is a tap/bridging config. I NEED broadcasts to pass over the vpn.
-
You might be able to just add a block for udp/67-68 on the OpenVPN interface firewall rules on each end to block DHCP from going over the tunnel.
Bridging for site-to-site is rather ugly though, and usually avoidable.
-
If I do that… will it block the initial DHCP request that the far side router will send? I had thought about blocking those ports altogether, but wanted to make sure that initial request wasn't blocked.
Thanks for the reply.
-
If you block both udp 67 and 68 it will catch any DHCP. Even though it's broadcast it's still sent from/to those ports.
-
Right, so when the client side router attempts to get an IP address from my DHCP server when it first connects, it will get blocked. Which is why I was hoping for a static.
Can this be achieved in the client config?
-
Well if each router has DHCP setup on its own LAN, it will get DHCP from its own LAN.
There isn't anything to setup on the "client" in OpenVPN to control this.
You can set OpenVPN to supply a subset of DHCP addresses on its own (see the notes in the GUI with the tap fix patch applied) with server-bridge but if you have two separate networks each with DHCP you just want to block DHCP on the VPN and let the LAN interfaces handle it, just make sure each of you is using unique pools inside the same subnet.
-
The thing that had me worried about that scenario was the slight chance one of us picks up a DHCP lease from the other. It's not so much the pool that I'm worried about. That's easy enough to configure. What I was worried about is the other one picking up gateway information from the DHCP. That's the troublesome part. Then our internet is actually routed through the other person's router and sent back out through the VPN. Gaming, streaming video, watching YouTube… we'd run into a big bottleneck.
What if I forget about an incoming rule and set up a rule that blocks outgoing DHCP? We do this on both ends and no DHCP junk goes over the VPN.
Source would be LAN Subnet.
Destination would be OpenVPN Tap Subnet.
Ports would be 67/68.
Would it work best to set this rule on the LAN interface or the OpenVPN interface?
This sound better?
-
No, source * dst *, UDP 67 to 68. Don't bother putting a source or destination. Block it on the OpenVPN interface, not on LAN.
-
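Added illustration, not part of any post in this thread: the tunnel-side block from the reply above written as pf rules (pfSense renders its GUI rules into pf). The interface name is an assumption; pfSense exposes OpenVPN server/client instances as ovpnsN/ovpncN.

```pf
# Added example (not from the thread): block DHCP on the OpenVPN interface only.
# Interface name is assumed; substitute your own ovpnsN / ovpncN instance.
vpn_if = "ovpns1"

# Match on the DHCP ports alone, with no source or destination address.
# A DISCOVER/REQUEST is sent from 0.0.0.0 to 255.255.255.255 (dst port 67),
# the OFFER/ACK comes back to dst port 68, and lease renewals are unicast,
# so any address-based match would miss at least one of these.
# "quick" stops rule evaluation here, so a later pass rule cannot let it through.
# Without "in"/"out" the rule applies in both directions on the interface.
block quick on $vpn_if proto udp from any to any port { 67 68 }

# Everything else, including the bridged broadcasts the poster needs, still passes.
pass on $vpn_if all
```

To confirm nothing leaks, watch the tunnel interface on each end while a LAN client renews its lease: `tcpdump -ni ovpns1 'udp and (port 67 or port 68)'` should stay silent.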
Why are you going with bridged vs. routed?
-
One word. Broadcasts.
-
Yes, I get that, you want broadcasts to traverse the VPN, but what's your end game? What are you trying to set up that you think won't (or doesn't) work with a routed solution?