[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: topology does work on mac osx with a manual work arround (wasRe: [Openvpn-users] topology subnet 2.1beta7 mac osx - ifconfig: ioctl (SIOCAIFADDR): Destination address required

  • Subject: Re: topology does work on mac osx with a manual work arround (wasRe: [Openvpn-users] topology subnet 2.1beta7 mac osx - ifconfig: ioctl (SIOCAIFADDR): Destination address required
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Fri, 2 Dec 2005 12:59:30 +0100 (CET)
On Thu, 1 Dec 2005, Jon Bendtsen wrote:

However, if i ping a unused IP address i get this:
tcpdump: 16:00:39.564517 IP 192.168.123.34 > 192.168.123.36: icmp 92: redirect 192.168.123.39 to host 192.168.123.39
PING 192.168.123.39 (192.168.123.39): 56 data bytes
92 bytes from 192.168.123.34: Redirect Host(New addr: 192.168.123.39)

I couldn´t stop thinking about this... I must admit I lack some knowledge about tun interface, but I'll make an attempt here to try descibe what I think is happening. Please correct my faults and fill in the gaps.

When you, the OpenVPN client sends a ping to an unused IP in the subnet assigned to your tun interface, this will, according to your route, be sent out on your tun interface.

This will be recieved by the OpenVPN server which sees a ping packet with a dest IP that is unknown for OpenVPN. So what happends then? It´s no ethernet interface so we can´t broadcast any arp request. So, as I see it we can do 3 things.

1) Drop the packet.
2) Send it down to the kernel on the server via the tun interface.
3) Broadcast the packet to all clients (including the server itself).

My guess is that 2 (or maybe 3) is what happends.

Anyway, now the kernel on the OpenVPN server sees a packet comming in the tun interface destinated for an IP that is not it´s own, so it wonders, why did this come here in first place? So it returns an ICMP redirect host msg that tells you that you should have sent it to .39 in the first place.

This all makes sence to me, but what can we do? Is this the way it should be or is there anything we can do about it?

One thought I have is, what if we do 1 instead, we drop packets destinated for unknown IPs (for --dev tun, --topology subnet mode). It is a tun interface so it´s not supposed to be bridged with any other networks, so OpenVPN should know about all IP addresses that are in use already, right?

Cheers // Mathias

--
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://openvpn.se/               / \   NO Word docs in e-mail

Warning: require_once(../../../archive_common.php) [function.require-once]: failed to open stream: No such file or directory in /home/openvpn/domains/openvpn.net/public_html/archive/openvpn-users/2005-12/msg00025.html on line 215

Fatal error: require_once() [function.require]: Failed opening required '../../../archive_common.php' (include_path='/usr/local/lib/php') in /home/openvpn/domains/openvpn.net/public_html/archive/openvpn-users/2005-12/msg00025.html on line 215