
Re: [Openvpn-users] --learn-address don't provide IP for dev tap?

  • Subject: Re: [Openvpn-users] --learn-address don't provide IP for dev tap?
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Wed, 15 Dec 2004 08:44:18 -0500

On Wed, 15 Dec 2004 13:45:48 +0100, Didier Conchaudron
<didier@xxxxxxxxxxxxxxx> wrote:
> James Yonan wrote:
> > On Wed, 15 Dec 2004, Didier Conchaudron wrote:
> >
> >
> >>Hi,
> >>
> >>As written in the man page, --learn-address gives me the MAC address
> >>instead of the client virtual IP when using dev tap. The man page also
> >>says that OpenVPN provides an association between CN, IP and MAC address,
> >>but which association?
> >
> >
> > In TUN mode, OpenVPN keeps a routing table of client-instance to IP
> > address.
> >
> > In TAP mode, the routing table is arranged differently -- it's
> > client-instance to Ethernet (MAC) address.  IP addresses are not used for
> > routing or client-association purposes in this mode because one cannot
> > assume that ethernet packets are also IP packets.  Somebody might want to
> > run IPX over ethernet, for example.  OpenVPN can do this because it
> > doesn't care which protocol is being encapsulated within the ethernet
> > frames.
> Perhaps I should use tun dev.
> >>I need to apply iptables using IP not MAC... has anybody already dealt
> >>with this kind of config?
> >
> >
> > You need to use ebtables when you are dealing with tap interfaces, not
> > iptables.
> >
> > In general, it's more complicated to do packet-filter-based access control
> > on bridged ethernet networks because you need to deal with ARPs,
> > broadcast, spanning tree control packets, etc.  This is best left to
> > ebtables, and you can use OpenVPN's learn-address script to call ebtables
> > dynamically.
> I understand. But is there a way, in tun mode, to listen to remote
> clients without knowing their IP? In fact a point-to-point tunnel is
> really not my objective, that's why I used a tap device.
> So is there a way to get the IP instead of the MAC (or make the conversion)
> in order to use iptables? I don't know ebtables but it makes more sense
> in my architecture to use iptables because we use only IP and nothing
> like IPX.

Step back for a minute: by using TAP you are using bridging. Bridging
is based on MAC addresses.  If you use TUN you are using routing,
which is based on Network (read IP) addresses.

If you buy a gasoline vehicle you can't just decide to put diesel in
it one day.  You would have to modify the car to use diesel.

If you are intent on using diesel (TUN) then modify/replace your
engine for one that uses gasoline (TAP).


Leonard Isham, CISSP
Ostendo non ostento.
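
The approach James Yonan describes in the quoted text, a learn-address script that calls ebtables dynamically in TAP mode, as an added example that is not code from this thread or from the OpenVPN project. It assumes a per-client ebtables chain named `vpn-<CN>` already exists and that the script may keep state under `STATE_DIR`; both names are hypothetical. The state file is there because OpenVPN passes no common name on `delete`.

```shell
#!/bin/sh
# Added example: --learn-address handler for a TAP (bridged) OpenVPN server.
# OpenVPN invokes it as:  <script> add|update|delete <MAC> [<common name>]
# Assumed, not from the thread: the admin pre-created one ebtables chain per
# client, "vpn-<CN>" (it may hold IP matches such as -p IPv4 --ip-dst ...).
LC_ALL=C; export LC_ALL
EBTABLES="${EBTABLES:-ebtables}"
STATE_DIR="${STATE_DIR:-/var/run/openvpn-ebtables}"   # hypothetical path

valid_mac() {   # exactly six colon-separated hex octets, nothing else
    h='[0-9A-Fa-f]'
    case "$1" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
        *) return 1 ;;
    esac
}

valid_cn() {    # CN is client-supplied certificate data: allow-list it
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 24 ]   # keeps "vpn-<CN>" inside ebtables' chain-name limit
}

drop_rule() {   # $1 = MAC, $2 = state file recording the CN for that MAC
    [ -f "$2" ] || return 0
    old=$(cat "$2")
    $EBTABLES -D FORWARD -s "$1" -j "vpn-$old"
    rm -f "$2"
}

learn_address() {
    op=$1 mac=$2 cn=${3:-}
    valid_mac "$mac" || { echo "rejecting non-MAC address" >&2; return 1; }
    state="$STATE_DIR/$(printf '%s' "$mac" | tr 'A-F:' 'a-f-')"
    case "$op" in
        add|update)
            valid_cn "$cn" || { echo "rejecting common name" >&2; return 1; }
            drop_rule "$mac" "$state"    # update replaces any old mapping
            $EBTABLES -A FORWARD -s "$mac" -j "vpn-$cn" || return 1
            mkdir -p "$STATE_DIR" && printf '%s\n' "$cn" > "$state" ;;
        delete)
            # OpenVPN passes no common name on delete; use the recorded one
            drop_rule "$mac" "$state" ;;
        *)  return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then learn_address "$@"; fi
```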