Re: [Openvpn-users] OpenVPN 2.0-test27 released


  • Subject: Re: [Openvpn-users] OpenVPN 2.0-test27 released
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Fri, 7 May 2004 19:25:53 +0200 (CEST)

On Fri, 7 May 2004, James Yonan wrote:

> Mathias Sundman <mathias@xxxxxxxxxx> said:
>
> > On Thu, 6 May 2004, James Yonan wrote:
> >
> > > * Source addresses on VPN packets coming from a
> > >   particular client must be associated with that
> > >   client in the OpenVPN internal routing table.
> >
> > How are protocols other than IP handled? Do they pass or are they dropped?
> > Perhaps that should be an option?
>
> This code is only active when you are running in IPv4 routing mode (i.e.
> --mode server --dev tun).    When you are running --mode server --dev tap,
> OpenVPN internally bridges between the server's tap interface and the tap
> interfaces of all clients, and this source address check will not occur
> because OpenVPN's internal routing table consists of MAC addresses rather than
> IPv4 addresses.  And as a bridge, OpenVPN will be scanning packets to "learn"
> which MAC addresses are associated with which client.

hmm, then my problem remains, as I'm using tap devices and bridging. Do
you think you will add IPv4 source address checking to the bridging code
in the future, or do you think this problem should be addressed in some
other way when using bridging?

Two other ways I can think of are:

1) Run a separate openvpn daemon for each group of users that should have
   the same ruleset and let them come out on different tap devices and
   apply the ruleset based on tap device instead of IP address.

2) If it is possible to specify a different tap device for each client in
   the openvpn server config, then the same as in 1) could be achieved
   with only one daemon. Is this possible today?

/Mathias

-- 
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
NILINGS AB                        X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28          / \   NO Word docs in e-mail

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
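The behaviour James describes in the quoted reply, as an added illustrative model that is not OpenVPN's own code: a tun-mode routing table that binds each client's assigned IPv4 address to that client and drops packets whose source address is bound to someone else, beside a tap-mode learning bridge that records source MACs per client and never consults the IPv4 header, so a forged source address passes. It also models Mathias's option 1, a ruleset keyed on the ingress tap device rather than on the source IP. The client names, addresses, MAC addresses and tap device names are constructed for the example.

```python
# Added illustration for this thread, NOT OpenVPN code: a toy model of the two
# server modes discussed, showing why the per-client IPv4 source check only
# exists in tun mode and how a ruleset keyed on the ingress device sidesteps
# the gap in tap/bridged mode.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """A packet as seen by the server; 'client' is the tunnel it arrived on."""
    client: str
    src_mac: str
    src_ip: str


class TunRouter:
    """--mode server --dev tun (model): the internal routing table maps each
    client's assigned IPv4 address to that client. A packet whose source IP is
    not bound to the tunnel it arrived on is dropped."""

    def __init__(self, assigned):  # {client_name: assigned_virtual_ip}
        self.ip_to_client = {ip: name for name, ip in assigned.items()}

    def accept(self, frame):
        return self.ip_to_client.get(frame.src_ip) == frame.client


class TapBridge:
    """--mode server --dev tap (model): a learning bridge. It records which
    client each source MAC was seen from and never looks at IPv4 headers."""

    def __init__(self):
        self.mac_to_client = {}

    def accept(self, frame):
        self.mac_to_client[frame.src_mac] = frame.client  # learn the "port"
        return True  # no IPv4 source address check in this mode


def rule_by_ingress_device(frame, client_to_dev, dev_rules):
    """Option 1 from the message (model): one daemon and tap device per group,
    with the ruleset keyed on the device the packet arrived on, so a spoofed
    source IP cannot move a packet under another group's rules."""
    dev = client_to_dev[frame.client]
    return dev_rules[dev]


def demo():
    # Constructed sample data: two clients; 'bob' forges 'alice's address.
    assigned = {"alice": "10.8.0.6", "bob": "10.8.0.10"}
    honest = Frame("bob", "00:ff:00:00:00:0b", "10.8.0.10")
    spoofed = Frame("bob", "00:ff:00:00:00:0b", "10.8.0.6")

    tun = TunRouter(assigned)
    tap = TapBridge()

    # Hypothetical per-group devices and rules for option 1.
    client_to_dev = {"alice": "tap0", "bob": "tap1"}
    dev_rules = {"tap0": "ACCEPT", "tap1": "DROP"}

    return {
        "tun_honest": tun.accept(honest),        # True
        "tun_spoofed": tun.accept(spoofed),      # False: dropped by source check
        "tap_honest": tap.accept(honest),        # True
        "tap_spoofed": tap.accept(spoofed),      # True: bridge forwards it anyway
        "ingress_rule_for_spoofed": rule_by_ingress_device(
            spoofed, client_to_dev, dev_rules),  # "DROP": keyed on tap1, not the IP
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is the one behind the question in the message: in bridged tap mode nothing ties a client's frames to an IPv4 address, so any ruleset written in terms of client IP addresses can be defeated by a client that sends with another client's address, whereas a ruleset written in terms of the ingress device is bound to the tunnel the frame actually came from.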

