
Re: [Openvpn-users] OpenVPN 2.0-test27 released

  • Subject: Re: [Openvpn-users] OpenVPN 2.0-test27 released
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Fri, 7 May 2004 18:30:03 -0000

Mathias Sundman <mathias@xxxxxxxxxx> said:

> > > > * Source addresses on VPN packets coming from a
> > > >   particular client must be associated with that
> > > >   client in the OpenVPN internal routing table.
> > >
> > > How are protocols other than IP handled? Do they pass or are they dropped?
> > > Perhaps that should be an option?
> >
> > This code is only active when you are running in IPv4 routing mode (i.e.
> > --mode server --dev tun).  When you are running --mode server --dev tap,
> > OpenVPN internally bridges between the server's tap interface and the tap
> > interfaces of all clients, and this source address check will not occur
> > because OpenVPN's internal routing table consists of MAC addresses rather than
> > IPv4 addresses.  And as a bridge, OpenVPN will be scanning packets to "learn"
> > which MAC addresses are associated with which client.
>
> Just got another idea. Haven't really thought if it is good or not yet
> but..
> If it would be possible to push a mac address to the client, then you
> could check the source mac address instead of checking the ip address.
> This would solve the problem regardless of which protocol is used above the
> ethernet layer (IPv4, IPv6, IPX etc).

Unfortunately that won't work with Windows clients, because the TAP-Win32
adapter needs to tell Windows its MAC address when the driver is loaded, which
is usually at system startup time.  I don't think that Windows can deal with
adapters that have their MAC addresses change dynamically.

Another alternative is that you can manually set the MAC adapter on Windows
using the adapter advanced properties dialog.
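
A simplified model of the two behaviours discussed in this thread, added here as an illustration and not taken from OpenVPN's source: in routing mode the IPv4 source address must map to the sending client in the internal table, while in bridge mode the table is keyed by MAC address and filled by learning. The class names, client names, addresses and the rejection of non-IPv4 packets in the routing model are assumptions of the example.

```python
import ipaddress
import struct

class TunServer:
    """Model of routing mode (--mode server --dev tun)."""
    def __init__(self):
        self.routes = {}  # IPv4 source address -> owning client

    def add_route(self, client, addr):
        self.routes[ipaddress.IPv4Address(addr)] = client

    def accept(self, client, packet):
        # Model assumption: the table holds only IPv4 addresses, so anything
        # that is not a complete IPv4 header cannot match and is rejected.
        if len(packet) < 20 or packet[0] >> 4 != 4:
            return False
        src = ipaddress.IPv4Address(packet[12:16])  # source address field
        return self.routes.get(src) == client

class TapServer:
    """Model of bridge mode (--mode server --dev tap)."""
    def __init__(self):
        self.macs = {}  # learned source MAC -> client it was seen from

    def accept(self, client, frame):
        if len(frame) < 14:  # shorter than an Ethernet header
            return False
        self.macs[frame[6:12]] = client  # learn; no per-client source check
        return True

def ipv4_packet(src, dst):
    # Constructed 20-byte IPv4 header (UDP, checksum left at 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def eth_frame(src_mac, ethertype):
    # Constructed broadcast Ethernet header with the given source MAC.
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ethertype)

if __name__ == "__main__":
    tun = TunServer()
    tun.add_route("client-a", "10.8.0.6")
    tun.add_route("client-b", "10.8.0.10")
    print(tun.accept("client-a", ipv4_packet("10.8.0.6", "10.8.0.1")))   # own address
    print(tun.accept("client-a", ipv4_packet("10.8.0.10", "10.8.0.1")))  # client-b's address
    tap = TapServer()
    print(tap.accept("client-a", eth_frame("00:ff:aa:00:00:01", 0x86DD)))  # IPv6 over tap
```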

