iso/osi layer model violation

debian GNU/Linux, and open source in general, earn my living on a daily basis. the most bizarre combinations of tools with just minimum network hardware have saved my bottom many times. on the list of most appreciated software, besides obvious parts like the kernel with its networking code, openssh, apache, php and so on, i have to put: openvpn.

1.5 years ago i’ve successfully deployed a vpn based on openvpn between the swedish hq and the polish branch. later on the same solution was deployed to connect the london, ny, paris and frankfurt based branches, and it was working like a charm. just to give you a brief overview: on both linux boxes where you set up the vpn, openvpn creates a virtual interface tunX. you use tunX just like an ordinary physical interface – you assign it an ip address and route traffic thru it.

but 3 days ago i was forced to make not-so-usual use of openvpn. there was a need to extend an ethernet network segment from gothenburg and make it available in gdansk. openvpn was the answer. it turned out it’s capable not only of ip level tunneling. it can also bridge network segments on layer2. within 30 minutes i’ve got linux boxes running at both places with configuration taken from http://openvpn.net/bridge.html and … i was really amazed when a computer in gda indeed got an ip address assigned by the gbg dhcp server and was able to send/receive all the arp requests and other broadcast traffic. it just worked – ethernet over ip tunnel – practical violation of iso/osi ;-].

i’m involved in interconnecting two networks of my former and current employer. it’s quite a challenging exercise, but suddenly all sorts of previous net-experience happen to be priceless. we’ve got multilevel nats, overlapping address spaces, proxies of all kinds..

discussing proxies – apache turned out very useful. not everyone knows that it can be not only an http server but a proxy as well. simple example taken from an apache2 config file:



# [...all the usual suspects...]
ProxyPass /something/ http://whatever.internal.int/something/
ProxyPassReverse /something/ http://whatever.internal.int/something/

what does it do? anyone accessing whatever.bulba.com/something/ will actually send requests to and get responses from some whatever.internal.int internal web server. thanks to the ProxyPassReverse directive all hostnames in headers [like absolute addresses in Location response] will be rewritten from whatever.internal.int to whatever.bulba.com. it’s also a nice way to introduce https encryption or more detailed access control [htpasswd] and logging.
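
An added example, not part of the original post: the same ProxyPass pair inside a virtual host that also does the https, htpasswd and logging mentioned above. The certificate paths, htpasswd path, realm name and log file names are placeholders assumed for illustration.

```apache
# added example, not from the original post.
# assumed placeholders: certificate paths, htpasswd path, realm name, log names.
# modules needed: proxy, proxy_http, ssl, auth_basic, authn_file
<VirtualHost *:443>
    ServerName whatever.bulba.com

    # terminate https here; the hop to the internal server stays plain http
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/whatever.bulba.com.pem
    SSLCertificateKeyFile /etc/ssl/private/whatever.bulba.com.key

    # reverse proxy only: never let this vhost act as an open forward proxy
    ProxyRequests Off

    ProxyPass        /something/ http://whatever.internal.int/something/
    ProxyPassReverse /something/ http://whatever.internal.int/something/

    # access control is checked on the public path before anything is proxied
    <Location "/something/">
        AuthType Basic
        AuthName "internal something"
        AuthUserFile /etc/apache2/htpasswd.something
        Require valid-user
    </Location>

    # "combined" (as defined in debian's apache2.conf) logs the
    # authenticated user (%u) next to each proxied request
    CustomLog ${APACHE_LOG_DIR}/something-proxy.access.log combined
    ErrorLog  ${APACHE_LOG_DIR}/something-proxy.error.log
</VirtualHost>
```

Basic auth sends the password with every request, so the ProxyPass lines should live only in the https virtual host; a port 80 virtual host for the same name should do nothing but redirect to https.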

and besides all of those networking excitements i’m still sick, looking forward to recovering completely. and no – sitting for 13h at work does not help. at all. those of my mates who say that i tend to waste most of my life might be right :/
