
Re: [Openvpn-users] OpenVPN 2.0-test27 released

  • Subject: Re: [Openvpn-users] OpenVPN 2.0-test27 released
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Fri, 7 May 2004 19:22:10 -0000

Mathias Sundman <mathias@xxxxxxxxxx> said:

> On Fri, 7 May 2004, James Yonan wrote:
> > Mathias Sundman <mathias@xxxxxxxxxx> said:
> >
> > > On Thu, 6 May 2004, James Yonan wrote:
> > >
> > > > * Source addresses on VPN packets coming from a
> > > >   particular client must be associated with that
> > > >   client in the OpenVPN internal routing table.
> > >
> > > How are protocols other than IP handled? Do they pass or are they dropped?
> > > Perhaps that should be an option?
> >
> > This code is only active when you are running in IPv4 routing mode (i.e.
> > --mode server --dev tun).  When you are running --mode server --dev tap,
> > OpenVPN internally bridges between the server's tap interface and the tap
> > interfaces of all clients, and this source address check will not occur
> > because OpenVPN's internal routing table consists of MAC addresses rather than
> > IPv4 addresses.  And as a bridge, OpenVPN will be scanning packets to "learn"
> > which MAC addresses are associated with which client.
> Hmm, then my problem remains, as I'm using tap devices and bridging. Do
> you think you will add IPv4 source address checking to the bridging code
> in the future, or do you think this problem should be addressed in some
> other way when using bridging?

Probably not.  I think it would add too much complexity to have to deal with a
merged MAC address and IP address routing table.

> 2 other ways I can think of are:
> 1) Run a separate openvpn daemon for each group of users that should have
>    the same ruleset and let them come out on different tap devices and
>    apply the ruleset based on tap device instead of IP address.

This would work.

> 2) If it is possible to specify a different tap device for each client in
>    the openvpn server config, then the same as in 1) could be achieved
>    with only one daemon. Is this possible today?

No, the current --mode server code handles the case of many UDP clients to a
single tun/tap interface only.

If you want a one-to-one relationship between clients and tun/tap interfaces,
that's basically the OpenVPN 1.x model (which will still be fully supported in
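As an added illustration (not code from this thread or from OpenVPN itself), a small Python model of the two server policies described above: in tun mode the internal routing table binds an IPv4 address to a client when it connects and a packet whose source address belongs to another client is dropped, while in tap mode the bridge only learns MAC addresses and performs no IPv4 source check, which is why a ruleset keyed on client IP cannot be relied on in a bridged setup. Client names and addresses are constructed.

```python
# Added example (not OpenVPN code): a minimal model of the two --mode server
# forwarding policies discussed in the thread, making the difference in
# source address checking between --dev tun and --dev tap concrete.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """A decrypted packet as seen by the server after the tunnel layer."""
    client: str   # VPN client (session) the packet arrived from
    src_mac: str  # only meaningful in tap mode
    src_ip: str


@dataclass
class TunServer:
    """--mode server --dev tun: IPv4 address -> client, fixed at connect time."""
    routes: dict = field(default_factory=dict)

    def assign(self, client: str, ip: str) -> None:
        self.routes[ip] = client

    def accept(self, pkt: Packet) -> bool:
        # The check quoted in the thread: the source address on a packet
        # from a client must be the one associated with that client.
        return self.routes.get(pkt.src_ip) == pkt.client


@dataclass
class TapServer:
    """--mode server --dev tap: a learning bridge keyed on MAC addresses."""
    learned: dict = field(default_factory=dict)

    def accept(self, pkt: Packet) -> bool:
        # Bridge learning: remember which client a source MAC came from.
        self.learned[pkt.src_mac] = pkt.client
        # No IPv4 source check exists here, so any src_ip is forwarded.
        return True


def demo() -> dict:
    """Constructed clients and addresses; returns each policy's outcome."""
    tun = TunServer()
    tun.assign("alice", "10.8.0.6")
    tun.assign("bob", "10.8.0.10")
    tap = TapServer()
    own = Packet("alice", "02:00:00:00:00:01", "10.8.0.6")
    other = Packet("alice", "02:00:00:00:00:01", "10.8.0.10")  # bob's address
    return {
        "tun_own": tun.accept(own),          # True: address belongs to alice
        "tun_other": tun.accept(other),      # False: dropped by the tun check
        "tap_other": tap.accept(other),      # True: bridge forwards it
        "tap_learned": tap.learned["02:00:00:00:00:01"],
    }
```

Running demo() shows the same mismatched packet dropped in tun mode but forwarded in tap mode, where only the MAC-to-client association is recorded.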