Re: [Openvpn-users] Peer to peer operation?


  • Subject: Re: [Openvpn-users] Peer to peer operation?
  • From: Cyber Dog <cyberdog3k@xxxxxxxxx>
  • Date: Wed, 19 Oct 2005 12:11:18 -0400

Hi James,
  First, thanks for your reply.  I don't think I was cc'd on John's
response, but he addressed a major concern I have as well:

"If I remember correctly, ipsec also works with one ipsec0 device for all
connections. In that perspective it should also be possible for the tun
device used by OpenVPN
I don't want to be rude or so, but the "every OpenVPN tunnel has his own tun
device and port number", as it was in pre 2.0 time, was a major drawback, and
showstopper for a lot of people. And most people don't want to go back that
way. The setup I use gave me a lot of iptables firewall headache in 1.5-1.6
time...."

First, to clear up a point: in the more recent Linux kernels (2.6 at
least), there is no longer _any_ interface associated with IPSec (no
ipsec0).  The fact is, I too find the IPSec p2p implementation much
more convenient.  With a single racoon config file for example, one
can define as many peers as desired (not peers of a single connection,
but with multiple connections).  And at the same time, there is no
restriction regarding port numbers/number of interfaces/etc, all peers
operate on the single designated port.  I think it's rather wasteful
of system resources to be running multiple program instances on
different port numbers and interfaces just to have more than one peer
(if I'm reading this all right).

I'm not trying to be overly critical; in fact, I'm finding openvpn to
be an excellent pptp replacement for my use.  I just think from what
I'm hearing it's much more suited to access vpn than site-to-site vpn,
and it might be an issue that should be addressed in future feature
releases.