Re: [Openvpn-users] --learn-address don't provide IP for dev tap?


  • Subject: Re: [Openvpn-users] --learn-address don't provide IP for dev tap?
  • From: Didier Conchaudron <didier@xxxxxxxxxxxxxxx>
  • Date: Wed, 15 Dec 2004 13:45:48 +0100

James Yonan wrote:
On Wed, 15 Dec 2004, Didier Conchaudron wrote:


Hi,

As written in the man page, --learn-address gives me the MAC address instead of the client virtual IP when using dev tap. The man page also says that OpenVPN provides an association between CN, IP and MAC address, but which association?


In TUN mode, OpenVPN keeps a routing table of client-instance to IP address.

In TAP mode, the routing table is arranged differently -- it's client-instance to Ethernet (MAC) address. IP addresses are not used for routing or client-association purposes in this mode because one cannot assume that ethernet packets are also IP packets. Somebody might want to run IPX over ethernet, for example. OpenVPN can do this because it doesn't care which protocol is being encapsulated within the ethernet frames.

Perhaps I should use tun dev.

I need to apply iptables using IP, not MAC... has anybody already dealt with this kind of config?


You need to use ebtables when you are dealing with tap interfaces, not iptables.

In general, it's more complicated to do packet-filter-based access control on bridged ethernet networks because you need to deal with ARPs, broadcast, spanning tree control packets, etc. This is best left to ebtables, and you can use OpenVPN's learn-address script to call ebtables dynamically.

I understand. But is there a way, in tun mode, to listen to remote clients without knowing their IP? In fact a point-to-point tunnel is really not my objective; that's why I used a tap device.


So is there a way to get the IP instead of the MAC (or make the conversion) in order to use iptables? I don't know ebtables, but it makes more sense in my architecture to use iptables because we use only IP and nothing like IPX.

Thanks

Didier
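A --learn-address hook of the kind James describes, driving ebtables from the MAC addresses OpenVPN learns in tap mode (added example for this page, not code from OpenVPN or from either poster; the interface name tap0 and the chain name OVPN_CLIENTS are assumptions):

```shell
#!/bin/sh
# Added example: a --learn-address script for "dev tap" that maintains an
# ebtables allow-list of learned client MAC addresses.
# OpenVPN runs the script as: <op> <address> [<common-name>], where <op> is
# add, update or delete; in tap mode <address> is the client's MAC.
# Assumed names: tap interface tap0 and a filter chain OVPN_CLIENTS, created
# once with:  ebtables -N OVPN_CLIENTS && ebtables -P OVPN_CLIENTS DROP
# and reached by a jump from FORWARD for frames entering via tap0.
TAP_IF="${TAP_IF:-tap0}"
CHAIN="OVPN_CLIENTS"

# Accept only a MAC address. In tun mode OpenVPN would hand us an IP here;
# rejecting it makes the hook fail closed instead of writing a bogus rule.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Translate one learn-address event into an ebtables command. The command is
# echoed rather than executed so the mapping can be tested without root;
# the entry point below pipes it to sh.
build_rule() {
    op="$1"; addr="$2"
    is_mac "$addr" || return 1
    case "$op" in
        add)    echo "ebtables -A $CHAIN -i $TAP_IF -s $addr -j ACCEPT" ;;
        delete) echo "ebtables -D $CHAIN -i $TAP_IF -s $addr -j ACCEPT" ;;
        update) : ;;            # same MAC seen again: rule is already present
        *)      return 1 ;;     # unknown operation: non-zero exit shows in the log
    esac
}

# Entry point when invoked by OpenVPN (skipped when sourced without arguments).
if [ "$#" -ge 2 ]; then
    build_rule "$1" "$2" | sh
fi
```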