Re: [Openvpn-users] Iptables: match by OpenVPN client IP address rather than source address?


  • Subject: Re: [Openvpn-users] Iptables: match by OpenVPN client IP address rather than source address?
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Mon, 15 Jan 2007 23:47:20 +0100

Serge

Serge Wautier wrote:
> Erich,
> 
> Thanks for your reply.
> My actual setup is actually pretty complicated. (That's why I didn't
> describe it upfront). 
> You're right: I know the LAN IPs (although I'd love not to have to know
> them. You'll see below that it might still be routable based on source(!)
> addresses).
> The trick is that several LANs will share the same IP addressing scheme!
> Yes.
> I'll try to be clear yet as brief as possible:
> 
> Each user owns a remote LAN (actually several but he's allowed to connect to
> one at a time only). He connects (typically using his notebook) to the
> OpenVPN Server and from there to his remote LAN (which is connected by
> OpenVPN as well).

So you have a hub topology with dedicated remote LAN IPs depending on
your users' certificates. Some of these subnets share the same address
space. This is not destination routable per se. So you want to introduce
source routes for your clients.

> 
> Main constraints are:
> - Each user can see his remote LAN only. Not the remote LAN of other users.
> - We have no control on remote LAN IPs. Hence we will hit the case where 2
> clients connect simultaneously to their respective LAN... Which share the
> same addresses.

Mhhh.... why don't you just masquerade all the remote LANs to well known
address ranges? You need to manage them anyway, so where is the catch? I
believe that would take the sting off your problem.

Hope I understood your problem.

Erich
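Added illustration of Erich's suggestion (not code from the thread or from OpenVPN): each remote site gateway maps its real LAN 1:1 onto a unique range with iptables NETMAP, so the hub only ever sees non-overlapping ranges, and the hub's FORWARD chain then restricts each user's tunnel address to his own site's mapped range. All user names, tunnel addresses and ranges are constructed examples; the functions only print the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Generates iptables rules for the overlapping-remote-LAN problem discussed
# above. Nothing is applied: each function prints rule lines to stdout.
set -eu

# Constructed table: user | user's OpenVPN tunnel IP | real remote LAN | unique mapped range
# Both sites use 192.168.1.0/24, which is exactly the overlap the thread is about.
SITES='
alice 10.8.0.6  192.168.1.0/24 10.100.1.0/24
bob   10.8.0.10 192.168.1.0/24 10.100.2.0/24
'

# Rules for ONE remote site gateway (the site's OpenVPN endpoint): $1 = real LAN,
# $2 = mapped range. Traffic arriving for the mapped range is translated to the
# real LAN, and replies leaving the real LAN are translated back, host for host.
site_gateway_rules() {
    printf 'iptables -t nat -A PREROUTING -d %s -j NETMAP --to %s\n' "$2" "$1"
    printf 'iptables -t nat -A POSTROUTING -s %s -j NETMAP --to %s\n' "$1" "$2"
}

# Rules for the hub: a dedicated chain for tunnel traffic, one ACCEPT per user
# towards his own mapped range, replies for established flows, then DROP all
# else. A user whose tunnel IP is not in the table reaches nothing.
hub_rules() {
    echo 'iptables -N VPN_FWD'
    echo 'iptables -A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "$SITES" | while read -r user tun lan mapped; do
        [ -n "$user" ] || continue          # skip blank lines of the table
        printf '# %s (tunnel %s) may reach only %s\n' "$user" "$tun" "$mapped"
        printf 'iptables -A VPN_FWD -s %s -d %s -j ACCEPT\n' "$tun" "$mapped"
    done
    echo 'iptables -A VPN_FWD -j DROP'
    echo 'iptables -A FORWARD -i tun+ -j VPN_FWD'
}

# Dry-run entry points: "hub" prints the hub rule set, "site LAN MAPPED" prints
# one site gateway's NAT rules. With no argument nothing is printed.
case "${1-}" in
    hub)  hub_rules ;;
    site) site_gateway_rules "$2" "$3" ;;
esac
```

Review the output with `sh gen.sh hub` (or `sh gen.sh site 192.168.1.0/24 10.100.1.0/24` on a site gateway) and only then pipe it through `sh` on the box in question; the hub additionally needs a route for each mapped range via that site's tunnel.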


