Mathias Sundman <mathias@xxxxxxxxxx> said:

> On Fri, 7 May 2004, James Yonan wrote:
>
> > Mathias Sundman <mathias@xxxxxxxxxx> said:
> >
> > > On Thu, 6 May 2004, James Yonan wrote:
> > >
> > > > * Source addresses on VPN packets coming from a
> > > >   particular client must be associated with that
> > > >   client in the OpenVPN internal routing table.
> > >
> > > How are protocols other than IP handled? Do they pass or are they dropped?
> > > Perhaps that should be an option?
> >
> > This code is only active when you are running in IPv4 routing mode (i.e.
> > --mode server --dev tun). When you are running --mode server --dev tap,
> > OpenVPN internally bridges between the server's tap interface and the tap
> > interfaces of all clients, and this source address check will not occur
> > because OpenVPN's internal routing table consists of MAC addresses rather than
> > IPv4 addresses. And as a bridge, OpenVPN will be scanning packets to "learn"
> > which MAC addresses are associated with which client.
>
> hmm, then my problem remains, as I'm using tap devices and bridging. Do
> you think you will add IPv4 source address checking to the bridging code
> in the future, or do you think this problem should be addressed in some
> other way when using bridging?

Probably not. I think it would add too much complexity to have to deal with a
merged MAC address and IP address routing table.

> 2 other ways I can think of are:
>
> 1) Run a separate openvpn daemon for each group of users that should have
>    the same ruleset and let them come out on different tap devices and
>    apply the ruleset based on tap device instead of IP address.

This would work.

> 2) If it is possible to specify a different tap device for each client in
>    the openvpn server config, then the same as in 1) could be achieved
>    with only one daemon. Is this possible today?

No, the current --mode server code handles the case of many UDP clients to a
single tun/tap interface only.

If you want a one-to-one relationship between clients and tun/tap interfaces,
that's basically the OpenVPN 1.x model (which will still be fully supported in
2.0).

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
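The distinction James draws above (a per-client IPv4 source-address check in routed --dev tun mode, a MAC-learning bridge with no such check in --dev tap mode) is the whole reason Mathias's IP-based rulesets cannot be enforced by OpenVPN itself when bridging. The following is an added example, not code from this thread or from the OpenVPN project: a toy Python model of both forwarding modes, replaying the same spoofed-source packet through each. The client names, addresses, MACs and the shape of the per-client address table are all constructed for illustration; how OpenVPN actually populates its internal routing table is outside the model and assumed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class IPPacket:
    """An IPv4 packet as seen in --dev tun mode (constructed sample type)."""
    client: str   # VPN session that delivered the packet
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class EthFrame:
    """An Ethernet frame as seen in --dev tap mode (constructed sample type).
    The inner IP source is carried only as opaque payload metadata here."""
    client: str
    src_mac: str
    dst_mac: str
    inner_src_ip: str


class TunServer:
    """Routed mode. The per-client table of IPv4 addresses/subnets stands in
    for OpenVPN's internal routing table; how it gets populated (address
    assignment, pushed routes) is outside this toy and assumed."""

    def __init__(self) -> None:
        self.client_nets: dict[str, list[IPv4Network]] = {}

    def bind(self, client: str, *nets: str) -> None:
        self.client_nets[client] = [ip_network(n) for n in nets]

    def accept(self, pkt: IPPacket) -> bool:
        # Drop unless the source IP belongs to the client that delivered it.
        src = ip_address(pkt.src_ip)
        return any(src in net for net in self.client_nets.get(pkt.client, []))


class TapBridge:
    """Bridged mode. Behaves like a learning switch: it records which client
    each source MAC arrived from and forwards the frame; it never parses the
    IP header, so the tun-mode source-IP check cannot fire here."""

    def __init__(self) -> None:
        self.mac_table: dict[str, str] = {}

    def accept(self, frame: EthFrame) -> bool:
        self.mac_table[frame.src_mac] = frame.client   # "learn" MAC -> client
        return True                                     # IP layer not inspected


def run_demo() -> dict[str, dict[str, object]]:
    """Replay the same spoofing attempt through both modes (constructed data)."""
    tun = TunServer()
    tun.bind("alice", "10.8.0.6/32")
    tun.bind("bob", "10.8.0.10/32", "192.168.50.0/24")   # bob also fronts a LAN

    tun_results = {
        "alice_own_ip": tun.accept(IPPacket("alice", "10.8.0.6", "10.8.0.1")),
        "alice_as_bob": tun.accept(IPPacket("alice", "10.8.0.10", "10.8.0.1")),
        "bob_lan_host": tun.accept(IPPacket("bob", "192.168.50.7", "10.8.0.1")),
        "unknown_client": tun.accept(IPPacket("mallory", "10.8.0.6", "10.8.0.1")),
    }

    tap = TapBridge()
    bcast = "ff:ff:ff:ff:ff:ff"
    tap_results = {
        "alice_own_ip": tap.accept(EthFrame("alice", "02:00:00:00:00:01", bcast, "10.8.0.6")),
        "alice_as_bob": tap.accept(EthFrame("alice", "02:00:00:00:00:01", bcast, "10.8.0.10")),
        "learned_owner": tap.mac_table.get("02:00:00:00:00:01"),
    }
    return {"tun": tun_results, "tap": tap_results}


if __name__ == "__main__":
    for mode, results in run_demo().items():
        print(mode, results)
```

In the tun model a packet carrying another client's address is rejected before it reaches the server's tun interface, so firewall rules keyed on client IP are trustworthy. In the tap model the same frame is forwarded and the bridge only learns which session the MAC came from, which is why the thread's remaining option is to key rules on the tap device a daemon (or client group) arrives on rather than on the IP address inside the frame.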