On Thu, 8 Sep 2005, Mathias Sundman wrote:

> On Thu, 8 Sep 2005, James Yonan wrote:
>
> > But the discussion continued, and more recently we hit upon the idea to
> > use a proxy-ARP mechanism to allow the TAP-Win32 driver to support
> > tun-mode subnets:
> >
> > http://openvpn.net/archive/openvpn-devel/2005-06/msg00017.html
> >
> > The result, which I've just completed, is a patch to 2.0 which
> > supports a new "topology" directive in "dev tun" mode.
>
> Cool! I was just thinking about this feature a day ago because I had a
> customer ask me about how to use OpenVPN to tunnel a public IP address
> over a network using private IP addresses. This feature fits this need
> perfectly as using /30 subnets wastes public IP addresses and --dev tap
> wastes bandwidth with broadcasts and packet overhead.
>
> A couple of questions:
>
> What happens with IP broadcasts with this topology? Are they dropped or
> forwarded to all clients?

This is still a dev tun, routing-based topology, so it works just as it does now -- broadcasts would be dropped.

> Does this solve the "security issue" with --dev tap that the IP address
> wasn't checked if it really belonged to the correct client or not (without
> using iptables or such to do this check outside of OpenVPN)? I mean does
> this new topology pass the same checks as normal --dev tun mode?

Yes, it does -- or rather I might say that the issue never existed in dev tun mode anyway, and the subnet topology doesn't change this.

> I assume the normal ways of assigning static IP addresses can still be
> used; ccd files, client-connect scripts and ipp files, right?

Yes, exactly.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users