James Yonan wrote:
On Wed, 15 Dec 2004, Didier Conchaudron wrote:
As written in the man page, --learn-address gives me the MAC address
instead of the client virtual IP when using dev tap. The man page also
said that openvpn provides an association between CN, IP and MAC address,
but which association?
In TUN mode, OpenVPN keeps a routing table of client-instance to IP
In TAP mode, the routing table is arranged differently -- it's
client-instance to Ethernet (MAC) address. IP addresses are not used for
routing or client-association purposes in this mode because one cannot
assume that ethernet packets are also IP packets. Somebody might want to
run IPX over ethernet, for example. OpenVPN can do this because it
doesn't care which protocol is being encapsulated within the ethernet
Perhaps I should use tun dev.
I need to apply iptables using IP not MAC... has anybody already dealt
with this kind of config?
You need to use ebtables when you are dealing with tap interfaces, not
In general, it's more complicated to do packet-filter-based access control
on bridged ethernet networks because you need to deal with ARPs,
broadcast, spanning tree control packets, etc. This is best left to
ebtables, and you can use OpenVPN's learn-address script to call ebtables
I understand. But is there a way, in tun mode, to listen to remote
clients without knowing their IP? In fact a point-to-point tunnel is
really not my objective, that's why I used a tap device.
So is there a way to get the IP instead of the MAC (or make the conversion)
in order to use iptables? I don't know ebtables but it makes more sense
in my architecture to use iptables because we use only IP and nothing
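As an added example, not from this thread and not OpenVPN's own code, here is the kind of --learn-address hook James describes for a TAP server: it takes the MAC address OpenVPN hands it and turns it into ebtables rules, with a default-drop chain so only learned (authenticated) clients get through the bridge. The argument order (operation, address, common name) is OpenVPN's documented learn-address interface; the chain name openvpn-clients, the tap0 interface and the DRY_RUN/EBTABLES variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from this thread and not OpenVPN's own code: a
# --learn-address hook for a TAP-mode server.  OpenVPN invokes the script as
#     <script> <operation> <address> [<common_name>]
# with operation = add | update | delete; in TAP mode <address> is the
# client's MAC, which is exactly what ebtables filters on.  The chain name,
# the tap interface and the DRY_RUN/EBTABLES knobs are assumptions.
set -u

CHAIN="${OPENVPN_EBT_CHAIN:-openvpn-clients}"  # assumed user chain in the filter table
TAP_IF="${OPENVPN_TAP_IF:-tap0}"              # assumed bridge port the VPN clients sit on
EBTABLES="${EBTABLES:-ebtables}"
DRY_RUN="${DRY_RUN:-0}"                        # 1: print the commands instead of running them

# A MAC that is not six colon-separated hex pairs is refused outright, so a
# malformed value can never be spliced into a rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# One-time setup: a dedicated chain whose policy drops everything, hooked in
# front of frames entering the bridge from the tap port.  Only MACs that
# OpenVPN has learned (and therefore authenticated) get ACCEPT rules below.
setup_cmds() {
    printf '%s -N %s\n'                  "$EBTABLES" "$CHAIN"
    printf '%s -P %s DROP\n'             "$EBTABLES" "$CHAIN"
    printf '%s -A FORWARD -i %s -j %s\n' "$EBTABLES" "$TAP_IF" "$CHAIN"
}

# Map one learn-address event to the ebtables command it needs and print it.
# "update" means the same MAC now belongs to a different client instance;
# a per-MAC ACCEPT rule does not change, so nothing is emitted for it.
ebtables_cmd() {
    op="$1"; mac="$2"
    valid_mac "$mac" || return 2
    case "$op" in
        add)    printf '%s -A %s -s %s -j ACCEPT\n' "$EBTABLES" "$CHAIN" "$mac" ;;
        delete) printf '%s -D %s -s %s -j ACCEPT\n' "$EBTABLES" "$CHAIN" "$mac" ;;
        update) : ;;
        *)      return 2 ;;
    esac
}

# Entry point: keep an audit trail of the CN <-> MAC association OpenVPN
# reports, then apply (or, in dry-run mode, print) the rule change.
learn_address() {
    op="$1"; mac="$2"; cn="${3:-}"
    cmd=$(ebtables_cmd "$op" "$mac") || { echo "learn-address: rejected '$*'" >&2; return 1; }
    echo "learn-address: $op mac=$mac cn=$cn" >&2
    [ -n "$cmd" ] || return 0
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# Behave as the hook when OpenVPN runs the script with arguments; when
# sourced without arguments only the functions are defined.
if [ $# -gt 0 ]; then
    learn_address "$@"
fi
```

Run setup_cmds once at server start (the chain must exist before the first client connects), point --learn-address at the script, and set DRY_RUN=1 while checking what rules a given connect or disconnect would produce. The MAC validation matters because the address argument comes from the client's frames, and the audit line to stderr ends up in the OpenVPN log, which is where the CN-to-MAC association asked about above becomes visible.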