
Re: [Openvpn-users] managing interface names with OpenVPN


  • Subject: Re: [Openvpn-users] managing interface names with OpenVPN
  • From: Doug Lytle <support@xxxxxxxxxx>
  • Date: Tue, 07 Dec 2004 20:30:47 -0500

Stephen,

I'm not using Shorewall, so I don't know how the zones are handled, but I do know that for a road warrior type setup they are using different virtual Ethernet interfaces. I have 3 tun interfaces and 1 tap interface. The tap is where the road warriors come in, since they are connecting to the port that I've specified for that tap tunnel. If an end user were to try to connect to any of the other tunnels, it would fail since the settings are not compatible.

I don't think there is any possibility of the situation you've described happening, since the connections are not decided by the names but by the port numbers and the tap or tun configurations.

Doug

Stephen Carville wrote:

Right now I have two point-to-point OpenVPN tunnels connecting a central office with other sites. I set these up based on Tom Eastep's instructions at http://www.shorewall.net/OPENVPN.html

To keep things simple, each tunnel has a hard coded name -- vpn0 and vpn1 -- and a corresponding shorewall policy entry:

vpn0    loc     ACCEPT  -
vpn1    loc     ACCEPT  -

Routes at both remote sites direct addresses in zone loc thru the tunnel leaving other destination addresses to be handled by the corresponding remote firewall ruleset.

Soon I will be adding a many-to-one configuration to allow for "road warrior" connections where the default policy may be more restrictive. Is there any way to be certain that the vpn1, vpn2, etc. names are not used by the many-to-one config? I am concerned there is a small but non-zero possibility that a road warrior could get vpn0 or vpn1 and have complete access to the internal network while a remote network would get a zone name associated with a restricted policy.
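As an added example (not code from this thread or from the Shorewall page), a small POSIX shell audit of the point the exchange turns on: each OpenVPN instance should pin its interface name explicitly, so a dynamically assigned tun/tap name can never collide with the vpn0/vpn1 names the firewall policy trusts. The sample configs, paths, ports and addresses are constructed for the demonstration.

```shell
# Added example, not from the thread. Constructed sample configs; paths,
# ports and addresses are made up for the demonstration.
WORK=$(mktemp -d)
cat > "$WORK/site-a.conf" <<'EOF'
dev vpn0
dev-type tun
port 5000
EOF
cat > "$WORK/site-b.conf" <<'EOF'
dev vpn1
dev-type tun
port 5001
EOF
cat > "$WORK/roadwarrior.conf" <<'EOF'
dev tap
port 1194
server 10.8.0.0 255.255.255.0
EOF

# dev_name FILE: print the interface name given by the "dev" directive
dev_name() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# audit_configs FILE...: return 0 when every config pins a unique explicit
# name ("dev-type" is required for names not starting with tun/tap), else 1
audit_configs() {
    status=0; seen=""
    for f in "$@"; do
        name=$(dev_name "$f")
        case "$name" in
            ""|tun|tap)   # bare tun/tap: OpenVPN picks the next free tunN/tapN
                echo "$f: '$name' is chosen at start-up; pin it with 'dev <name>'"
                status=1 ;;
            tun*|tap*) ;;
            *) grep -q '^dev-type[[:space:]]' "$f" ||
                   { echo "$f: '$name' needs a dev-type line"; status=1; } ;;
        esac
        if [ -n "$name" ]; then
            case " $seen " in
                *" $name "*) echo "$f: '$name' already used by another instance"; status=1 ;;
            esac
            seen="$seen $name"
        fi
    done
    return $status
}

audit_configs "$WORK"/*.conf || echo "audit failed: see messages above"
```

Run against the real instance configs, the road-warrior file above is the one that gets flagged, which is exactly the case the firewall zone names should never depend on.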

____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users