Mathias,

That's a good point -- right now the server doesn't do any source address checking on client -> server packets. And I agree with you that the source address should be checked.

I think the way to do this is that a source address will only be accepted from a particular client if OpenVPN's internal routing table has an association between that address and the client, either through the client's server-assigned ifconfig address or --iroute routes on the server.

James

Mathias Sundman <mathias@xxxxxxxxxx> said:

> I'm currently using OpenVPN 1.6 to connect several windows users to a local network using linux and bridging on the server.
>
> With this I can have different iptables rules for every user as they come in on a different tap device.
>
> Now I'm thinking of switching to 2.0, and push an individual config file to each user, to be able to do ip filtering with iptables based on the source IP address.
>
> What I wonder now is, is there anything in openvpn that prevents a user from changing his openvpn config to use a fixed (--ifconfig xxx) IP address instead of pulling the config from the server?
>
> Or what if the user changes his IP address on the tap device to a static IP address, that normally belongs to a user with access to more resources to the local network?
>
> Will OpenVPN drop packets from this user then, if they do not contain the source IP address that was pushed to the user?
>
> If not, how should I address this problem?
>
> /Mathias

--
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
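A sketch of the check described in the reply above, added here as an illustration and not taken from OpenVPN's source: a packet is forwarded only if its source address falls inside a prefix associated with the sending client. The struct, function names, client ids and addresses are all hypothetical, and the packet is assumed to be a raw IPv4 packet as seen on a routed (tun) setup.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical routing-table entry: a prefix associated with one client.
 * A server-assigned ifconfig address is a /32; an --iroute is a subnet. */
struct route_entry { uint32_t network, netmask; int client_id; };

/* Constructed sample table; all addresses are made up for this example. */
static const struct route_entry routes[] = {
    { IP4(10, 8, 0, 6),    IP4(255, 255, 255, 255), 1 }, /* client 1 ifconfig */
    { IP4(10, 8, 0, 10),   IP4(255, 255, 255, 255), 2 }, /* client 2 ifconfig */
    { IP4(192, 168, 4, 0), IP4(255, 255, 255, 0),   2 }, /* client 2 iroute   */
};

/* 1 if src falls inside a prefix associated with client_id, else 0. */
int src_allowed(int client_id, uint32_t src)
{
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++)
        if (routes[i].client_id == client_id &&
            (src & routes[i].netmask) == routes[i].network)
            return 1;
    return 0;
}

/* Check a raw IPv4 packet received from client_id; 1 = forward, 0 = drop.
 * Truncated or non-IPv4 packets are dropped rather than guessed at. */
int accept_packet(int client_id, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    uint32_t src = IP4(pkt[12], pkt[13], pkt[14], pkt[15]); /* source address field */
    return src_allowed(client_id, src);
}

int main(void)
{
    /* Constructed 20-byte header whose source is 10.8.0.10 (client 2's address). */
    uint8_t pkt[20] = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0, 10, 8, 0, 10, 10, 8, 0, 1 };
    printf("sent by client 2: %s\n", accept_packet(2, pkt, sizeof pkt) ? "forward" : "drop");
    printf("sent by client 1: %s\n", accept_packet(1, pkt, sizeof pkt) ? "forward" : "drop");
    return 0;
}
```

The same packet is forwarded when it arrives from client 2 and dropped when it arrives from client 1, which is the case raised in the question: a client setting a static address that belongs to another user.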