Re: [Openvpn-users] OpenVPN 2.0-test27 released

  Subject: Re: [Openvpn-users] OpenVPN 2.0-test27 released
  From: "James Yonan" <jim@xxxxxxxxx>
  Date: Fri, 7 May 2004 16:56:52 -0000

Mathias Sundman <mathias@xxxxxxxxxx> said:

> On Thu, 6 May 2004, James Yonan wrote:
> > * Source addresses on VPN packets coming from a
> >   particular client must be associated with that
> >   client in the OpenVPN internal routing table.
> Great! Hey, you move too fast, we could start expecting this kind of rapid
> development from other vendors too ;-)

It was really just a couple lines of code :)

> How are protocols other than IP handled? Do they pass or are they dropped?
> Perhaps that should be an option?

This code is only active when you are running in IPv4 routing mode (i.e.
--mode server --dev tun).  When you are running --mode server --dev tap,
OpenVPN internally bridges between the server's tap interface and the tap
interfaces of all clients, and this source address check will not occur
because OpenVPN's internal routing table consists of MAC addresses rather than
IPv4 addresses.  And as a bridge, OpenVPN will be scanning packets to "learn"
which MAC addresses are associated with which client.

One other current limitation:

--mode server --dev tap requires tap interfaces on both server and client to
have an IP address.
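
The source address check described above for --mode server --dev tun, sketched as an added example (not OpenVPN's code and not part of the original message). The names struct route and source_allowed, the sample table and the sample packets are hypothetical and constructed here, and dropping truncated or non-IPv4 input is this example's own choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical routing-table entry: IPv4 network (host byte order) and owner. */
struct route { uint32_t network, netmask; int client_id; };

/* Constructed table: client 1 owns 10.8.0.6/32, client 2 owns
 * 10.8.0.10/32 and the subnet 192.168.4.0/24. */
static const struct route sample_table[] = {
    { 0x0A080006u, 0xFFFFFFFFu, 1 },
    { 0x0A08000Au, 0xFFFFFFFFu, 2 },
    { 0xC0A80400u, 0xFFFFFF00u, 2 },
};
/* Constructed 20-byte IPv4 headers; only version/IHL and source are set. */
static const uint8_t pkt_src_10_8_0_6[20]    = { 0x45, [12] = 10, 8, 0, 6 };
static const uint8_t pkt_src_192_168_4_9[20] = { 0x45, [12] = 192, 168, 4, 9 };

/* Read the source address (header bytes 12..15) of an IPv4 packet. */
static int ipv4_source(const uint8_t *pkt, size_t len, uint32_t *src)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                        /* truncated or not IPv4 */
    *src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
           ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    return 1;
}

/* Return 1 if a packet received from client_id carries a source address the
 * table associates with that same client, otherwise 0 (drop the packet). */
int source_allowed(const struct route *tbl, size_t n, int client_id,
                   const uint8_t *pkt, size_t len)
{
    uint32_t src;
    size_t i, best = n;

    if (!ipv4_source(pkt, len, &src))
        return 0;                        /* this example drops unparsable input */
    for (i = 0; i < n; i++) {            /* longest-prefix match on the source */
        if ((src & tbl[i].netmask) != tbl[i].network) continue;
        if (best == n || tbl[i].netmask > tbl[best].netmask) best = i;
    }
    return best != n && tbl[best].client_id == client_id;
}

int main(void)
{
    printf("client 1 sends as 10.8.0.6: %d\n", source_allowed(sample_table, 3, 1, pkt_src_10_8_0_6, 20));
    printf("client 2 sends as 10.8.0.6: %d\n", source_allowed(sample_table, 3, 2, pkt_src_10_8_0_6, 20));
    return 0;
}
```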


