Transparent firewall thru OpenVPN site-to-site?



  • I have the site-to-site OpenVPN connection working but I also want to make the remote site use the same IP addresses as the main site as if they are on the same network. Is this possible?

    Couldn't find any info on this topic.



  • Hi
    I don't think it's possible, since it has to go through tunnel routing, and a bridge is the config you desire. I don't see what you benefit from such a config.
    On the contrary, you can gain lots of trouble, in my opinion, with such a config, like broadcast storms; in case one site is infected with such a broadcast worm, both sites could be infected very rapidly.
    Hope this answers your question
    Regards



  • The benefit would be to have computers on both sides use one subnet and appear as one network. I can then configure devices on the remote site with that subnet and eventually move the devices from the main site over to the remote site.



  • @francescos:

    The benefit would be to have computers on both sides use one subnet and appear as one network. I can then configure devices on the remote site with that subnet and eventually move the devices from the main site over to the remote site.

    Hi,

    Still not convinced ;), yet I didn't understand

    move the devices from the main site over to the remote site



  • You can use "tap" mode on your OpenVPN. That will make a bridge. IMHO, there is not that much benefit to a bridge:
    a) Users can browse for network resources as if they were on the LAN (they don't have to already know the names of servers…); and
    b) As you say, you can set up a whole system at the main site, including static IP, and test it, then send it to the remote site without having to change anything. (But these days most things use DHCP, so they will happily be handed a suitable IP address anyway when connected at another site.)
    Disadvantage: broadcast traffic across the OpenVPN.
    I find that most users end up using a couple of servers/printers/... across the OpenVPN and the names of those resources are soon well known to them. They map drives, have desktop shortcuts, whatever. They don't actually need (a) - browsing of network resources.
    I have always used "tun" (tunnel) mode, for what it's worth.



  • I tried switching to tap but get this error:

    openvpn[5474]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
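The warning above is what you get when a tun-style config is switched to "tap" but the `ifconfig` line still names a peer address as its second argument: in tap mode OpenVPN expects an address plus a netmask, because the tap interface sits on a broadcast segment rather than a point-to-point link. The following is an added example config, not taken from the thread or from any OpenVPN documentation, showing a static-key site-to-site link in tap mode with both ends in one block (in practice they are two separate files). The 192.168.1.0/24 subnet, the .201/.202 addresses, the hostname vpn.main.example.com and the key path are all assumed for illustration.

```conf
# Added example (not from the thread): static-key site-to-site OpenVPN in tap
# (bridged) mode. Subnet, addresses, hostname and key path are assumptions.

# --- main site, e.g. /etc/openvpn/site-a.conf (waits for the remote site) ---
dev tap0
proto udp
port 1194
secret /etc/openvpn/static.key
# In tap mode the second --ifconfig argument is a NETMASK, not a peer address.
# A peer address here is exactly what triggers the warning in the thread.
ifconfig 192.168.1.201 255.255.255.0
keepalive 10 60
persist-key
persist-tun
# Host-side bridging (attach tap0 to the LAN bridge) is done by an up script,
# see the note below; the script path is an assumption.
script-security 2
up /etc/openvpn/bridge-up.sh

# --- remote site, e.g. /etc/openvpn/site-b.conf (connects to the main site) ---
dev tap0
proto udp
remote vpn.main.example.com 1194
secret /etc/openvpn/static.key
ifconfig 192.168.1.202 255.255.255.0
keepalive 10 60
persist-key
persist-tun
script-security 2
up /etc/openvpn/bridge-up.sh
```

With the netmask in place the warning goes away, but `ifconfig` alone only configures the tap interface; to make the two sites one Ethernet segment, each host still has to add tap0 to the bridge that also holds its LAN NIC (on Linux, `ip link set dev tap0 master br0`, or `brctl addif br0 tap0` on older systems), which is what the assumed `bridge-up.sh` would do. Once bridged, every ARP request, DHCP offer and NetBIOS/mDNS broadcast from either LAN crosses the tunnel, so the broadcast-storm and worm-propagation concern raised earlier in the thread applies: treat the tunnel as an untrusted internal segment and watch its traffic volume the same way you would a physical trunk.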