
August 14, 2006

OpenVPN 2.0 HOWTO - Mode and Network Planning (Translation)

Original: http://openvpn.net/howto.html
My translation skills are limited; please point out anything that is wrong.

Determining whether to use a routed or bridged VPN

See the FAQ for an overview of Routing vs. Ethernet Bridging. See also the OpenVPN Ethernet Bridging page for more notes and details on bridging.

Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself is concerned) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.

I would recommend using routing unless you need a specific feature which requires bridging, such as:

• the VPN needs to be able to handle non-IP protocols such as IPX,
• you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
• you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.

--------------------------------------------------------------------------------

Numbering private subnets
Setting up a VPN often entails linking together private subnets from different locations.

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (codified in RFC 1918):

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

While addresses from these netblocks should normally be used in VPN configurations, it's important to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are:

• conflicts from different sites on the VPN using the same LAN subnet numbering, or
• remote access connections from sites which are using private subnets which conflict with your VPN subnets.

For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN.

As another example, suppose you want to link together multiple sites by VPN, but each site is using 192.168.0.0/24 as its LAN subnet. This won't work without adding a complicating layer of NAT translation, because the VPN won't know how to route packets between multiple sites if those sites don't use a subnet which uniquely identifies them.

The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24).

And to avoid cross-site IP numbering conflicts, always use unique numbering for your LAN subnets.

Determining whether the VPN should use routed mode or bridged mode

The FAQ gives an overview of routed mode and bridged mode. The Ethernet Bridging page has more information on OpenVPN's Ethernet bridging mode.

Overall, routed mode is the better choice for most users: it is easier to set up and more efficient (as far as OpenVPN's own configuration is concerned), and routed mode offers stronger path control tailored to each user's situation.

I generally recommend routed mode, unless you are in one of the following special cases, where you may need bridged mode, such as:
• the VPN needs to be used on non-IP networks, such as IPX networks,
• the applications you run over the VPN depend on network broadcasts (such as network games), or
• you want to browse shared files over the VPN without relying on a Samba or WINS server.

Planning private subnet ranges

Setting up a VPN often links together private subnets from different locations.

The Internet Assigned Numbers Authority (IANA) has reserved the following three ranges for private subnets (RFC 1918):
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

These reserved ranges are normally used in VPN configurations, and choosing the IP range carefully is important because it reduces the chance of IP conflicts in different situations. The following conflicts can occur and should be avoided as far as possible:
• different ends of the VPN using the same subnet range, or
• the private range used by a remote-access connection conflicting with the VPN's subnet range.

For example, suppose your internal private network uses the most popular range, 192.168.0.0/24. Now you are in an internet cafe and want to connect to your internal network through the VPN, but their wireless LAN uses the same range as your internal network. You will run into a routing conflict, because your machine cannot tell whether 192.168.0.1 refers to the wireless gateway's address or to the address at the VPN end.

Another example: you want to connect several networks through the VPN, but each of them uses 192.168.0.0/24 as its LAN range. Doing address translation with NAT, this does not work, because the VPN has no idea how many networks are involved if the networks are not uniquely identified.

The best solution is to avoid private network addresses such as 10.0.0.0/24 or 192.168.0.0/24 as far as possible. Instead, use ranges that wireless cafes, airports and hotels rarely use. The best choice is a range in the middle of 10.0.0.0/8 (for example 10.66.77.0/24).

To avoid cross-site IP conflicts, you will usually need to give each of your LANs its own unique range.
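The subnet-conflict rules above (both in the original and in the translation) can be checked mechanically before a VPN is rolled out. The following Python script is an added example, not part of the HOWTO or of OpenVPN; it takes a proposed plan of site LAN subnets plus the tunnel subnet and reports any range that is not RFC 1918, any pair of sites whose ranges overlap, and any site that uses one of the two "popular" defaults the HOWTO warns about. The site names and the 10.66.7x.0/24 sample ranges are constructed for the demo.

```python
import ipaddress
from itertools import combinations

# Ranges the HOWTO calls "popular" LAN defaults: a cafe, airport or hotel
# network is likely to use them, so a site LAN on one of these risks a
# routing conflict for a roaming client.
POPULAR_LAN_SUBNETS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]

# The three RFC 1918 private blocks listed in the HOWTO.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_vpn_plan(plan):
    """Return a list of problems with a proposed VPN addressing plan.

    `plan` maps a label (site name, or 'vpn' for the tunnel subnet) to a
    CIDR string.  Host bits must be zero (ip_network is strict), so a typo
    such as 10.66.77.1/24 raises ValueError instead of passing silently.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name}: {net} is not an RFC 1918 private range")
        for popular in POPULAR_LAN_SUBNETS:
            if net.overlaps(popular):
                problems.append(f"{name}: {net} overlaps popular default "
                                f"{popular}; roaming clients may conflict")
    # Every pair of ranges in the plan must be disjoint, or the VPN cannot
    # tell which site a destination address belongs to.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) and {b} ({nb}) overlap; "
                            f"the VPN cannot route between them")
    return problems


if __name__ == "__main__":
    # Constructed sample: two sites on the same popular default range.
    bad_plan = {"hq": "192.168.0.0/24", "branch": "192.168.0.0/24",
                "vpn": "10.66.79.0/24"}
    for line in check_vpn_plan(bad_plan):
        print(line)
```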

Posted by frank on August 14, 2006 2:54 PM

All articles on this site are published under the Creative Commons license. Copyright notice: they may be freely reposted, but when reposting you must indicate the article's original source and author information with a hyperlink, together with the "Creative Commons" notice above.


Very well written article, thanks!

I have reposted it on my blog.

Posted by 狂躁的野火 on August 14, 2006 10:02 PM
