Re: [Openvpn-users] --learn-address don't provide IP for dev tap?

  Subject: Re: [Openvpn-users] --learn-address don't provide IP for dev tap?
  From: James Yonan <jim@xxxxxxxxx>
  Date: Wed, 15 Dec 2004 05:00:38 -0700 (MST)

On Wed, 15 Dec 2004, Didier Conchaudron wrote:

> Hi,
> As written in the man page, --learn-address gives me the MAC address 
> instead of the client virtual IP when using dev tap. The man page also 
> says that openvpn provides an association between CN, IP and MAC address, 
> but which association?

In TUN mode, OpenVPN keeps a routing table of client-instance to IP 

In TAP mode, the routing table is arranged differently -- it's
client-instance to Ethernet (MAC) address.  IP addresses are not used for 
routing or client-association purposes in this mode because one cannot 
assume that ethernet packets are also IP packets.  Somebody might want to 
run IPX over ethernet, for example.  OpenVPN can do this because it 
doesn't care which protocol is being encapsulated within the ethernet 

> I need to apply iptables using IP, not MAC... has anybody already dealt 
> with this kind of config?

You need to use ebtables when you are dealing with tap interfaces, not 

In general, it's more complicated to do packet-filter-based access control 
on bridged ethernet networks because you need to deal with ARPs, 
broadcast, spanning tree control packets, etc.  This is best left to 
ebtables, and you can use OpenVPN's learn-address script to call ebtables 


