Wireless Masochism

Andrew McNabb amcnabb at mcnabbs.org
Tue Jul 5 14:23:36 MDT 2005


For the sake of clear communication, I'd like to point out that whenever
someone mentions OpenVPN, I assume they're talking about tun (IP) rather
than tap (ethernet), unless they specifically say otherwise.  This is a
good assumption, since IP over VPN is much more efficient and much more
common than ethernet over VPN.


On Tue, Jul 05, 2005 at 02:04:27PM -0600, Hans Fugal wrote:
> > You don't want to use DHCP over a VPN.  
> 
> Sometimes you do.

Please give me an example or two.


> > The VPN software does everything you would want DHCP to do.  
> 
> You mean like dynamic DNS? If a VPN is duplicating all the behavior of a
> DHCP server we have a serious violation of the "don't reinvent the
> wheel" syndrome. 

I'm sorry.  I don't quite understand what you said here.  I don't see
the connection between dynamic DNS and DHCP.


> I think OpenVPN goes too far in DHCP-server emulation, but I admit
> it's a hard line to draw.

OpenVPN does not emulate DHCP in any way.  It gives you a dynamic IP
address, but that has nothing to do with DHCP.  The purpose of DHCP is
to automatically discover network configuration over ethernet.  DHCP is
by no means a generalized means of configuring networks, and it is
poorly adapted to OpenVPN (for example, due to problems with Windows,
each OpenVPN node needs a space of four IP addresses).  With an OpenVPN
connection, the peers know enough about each other that a
start-from-scratch protocol like DHCP is inefficient.

> It is very nice that you don't have to set up a DHCP server to do the
> basics (give me an IP address, set up routes and nameservers).
> Unfortunately a side effect of this is that anytime someone asks about
> using a DHCP server in an OpenVPN setup, people just blast them with
> "why are you doing that, moron?" And, if you do buy into it, you end
> up administering both a DHCP server and OpenVPN, and we all know that
> repeating yourself is to be avoided wherever possible.
> 
> I've done it, and it's useful. Unless you're as crazy as me, though, you
> probably won't feel the need. :-) But it works great (over tap, of
> course, although it should work over tun if you hack up some sort of
> DHCP relay thingie).

There are two types of network designs here, and maybe the main problem
here is confusion between the two of them.  Tun is the "standard" way of
doing things.  All it's doing is IP over VPN.  Tap, on the other hand,
is Ethernet over VPN.  It is much less efficient, and you should avoid
it unless you have a good reason (gaming is the main one).

With tap, you're doing ethernet, so DHCP makes lots of sense.  However,
in the standard OpenVPN method, tun, DHCP makes very little sense.


-- 
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868
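As an added example (not part of this thread or of OpenVPN's own documentation), two minimal server configurations make the tun/tap distinction above concrete: a tun server, where OpenVPN itself hands out addresses and pushes the routes and nameserver a DHCP server would otherwise supply (the "four addresses per node" comes from the default net30 topology, which reserves a /30 per client for older Windows TAP drivers), and a tap server bridged onto the LAN, where addressing is left to the LAN's existing DHCP server. Certificate file names, the 10.8.0.0/24 and 192.168.1.0/24 ranges, the DNS address and the bridge name br0 are constructed placeholders; the two configurations are alternatives, not meant to run side by side on one port.

```conf
# --- tun server: IP over VPN; OpenVPN assigns addresses itself ---
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Pool 10.8.0.0/24. With the default "topology net30" every client gets
# a /30 (four addresses) to accommodate older Windows TAP drivers;
# "topology subnet" gives each client a single address instead.
topology subnet
server 10.8.0.0 255.255.255.0
# What a DHCP server would normally provide is pushed directly,
# because the peers already know enough about each other:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
persist-key
persist-tun

# --- tap server: Ethernet over VPN; bridged, DHCP comes from the LAN ---
dev tap0
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Assumption: tap0 has been enslaved to bridge br0 together with the
# physical LAN interface before OpenVPN starts. No "server" directive:
# a client's DHCP broadcasts cross the bridge and the LAN's existing
# DHCP server answers them. The parameterless form of server-bridge
# tells clients to obtain their address via DHCP on the tap adapter.
server-bridge
keepalive 10 120
persist-key
persist-tun
```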