On Sat, Jun 23, 2007 at 12:49:01PM -0500, Les Mikesell wrote:
> Randall Nortman wrote:
[...]
> >Put another way, will the server accept packets from a client with a
> >source IPA that doesn't match that client's allocated IPA, assuming I
> >haven't told the server that the client is a router for another subnet
> >(e.g., with the iroute configuration option).
>
> Network routes don't have to be symmetrical. There's no reason to
> assume that just because the server isn't routing certain addresses to a
> certain interface that it won't receive packets from that range on the
> interface. If you have redundant or fail-over routes you generally
> expect that scenario. If you want to control this, set up interfaces
> per connection and apply firewalling.

I expect hundreds of clients, possibly up to a thousand someday. Having a virtual interface per client with associated firewall rules doesn't seem practical. This would be best handled within OpenVPN itself, I think -- disabled by default, of course, but an option to only accept packets from a client with a source address that matches that client's IPA, or possibly matches a subnet that has been explicitly allowed for that client to route.

> Even then you have to consider other sources of spoofed packets,
> like the local network or even processes on the local host.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
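The per-client source check Randall asks for, as an added illustration that is not part of this thread and not OpenVPN's own code: it reads the source address out of the raw IPv4 header that a tun interface hands to the server and accepts the packet only if that address is the client's allocated IPA or lies inside a subnet explicitly allowed for that client (the iroute case). The client address, the iroute subnet and the packets are constructed sample values.

```python
import struct
import ipaddress


def ipv4_source(packet: bytes) -> ipaddress.IPv4Address:
    """Source address of a raw IPv4 packet (what a tun interface delivers)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[12:16])   # bytes 12..15 = source address


def allowed_sources(client_ip: str, iroutes=()):
    """Networks a client may legitimately source packets from: its own allocated
    tunnel address plus any subnets it has been declared to route (iroute)."""
    nets = [ipaddress.ip_network(client_ip + "/32")]
    nets += [ipaddress.ip_network(n, strict=False) for n in iroutes]
    return nets


def accept_from_client(packet: bytes, client_ip: str, iroutes=()) -> bool:
    """True if the packet's source is consistent with this client's IPA/iroutes.
    Anything else (another client's IPA, an arbitrary address) is dropped."""
    src = ipv4_source(packet)
    return any(src in net for net in allowed_sources(client_ip, iroutes))


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4/UDP packet for testing (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


if __name__ == "__main__":
    # Constructed sample: client allocated 10.8.0.6, allowed to route 192.168.10.0/24.
    client, routes = "10.8.0.6", ["192.168.10.0/24"]
    for src in ("10.8.0.6", "192.168.10.20", "10.8.0.9", "10.0.0.1"):
        pkt = build_ipv4(src, "10.8.0.1", b"x")
        verdict = "accept" if accept_from_client(pkt, client, routes) else "drop"
        print(f"{src:>15} -> {verdict}")
```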