
Re: [Openvpn-users] --learn-address don't provide IP for dev tap?


  • Subject: Re: [Openvpn-users] --learn-address don't provide IP for dev tap?
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Thu, 16 Dec 2004 01:50:04 -0500

On Thu, 16 Dec 2004 06:49:57 +0100 (CET), Mathias Sundman
<mathias@xxxxxxxxxx> wrote:
> On Wed, 15 Dec 2004, Didier Conchaudron wrote:
> 
> > The problem is that, in my understanding, I do have to know client IP in tun
> > mode, e.g. "ifconfig server_ip client_ip". I can't use that way because I can't
> > know the ip address of the incoming clients. I'm not doing pptp.
> >
> > So my question could be this one: How to use tun mode in order to be able to
> > get several clients without knowing their ip address?
> >
> > I cc my server config, then you can help me to modify it using tun ;-)
> 
> No no... You have misunderstood the --ifconfig option in server mode. This

Didier wants to place restrictions based on IP address via iptables.
From the man page:

There are three ways a set of client tunnel endpoints can be selected:

1 -- Use --client-connect script generated file for static IP (first choice).
2 -- Use --client-config-dir file for static IP (next choice).
3 -- Use --ifconfig-pool allocation for dynamic IP (last choice).

--ccd-exclusive
    Require, as a condition of authentication, that a connecting
client has a --client-config-dir file.

> only creates a P-t-p used for OpenVPN to communicate with the server
> host operating system internally. Then --ifconfig-pool is used to assign a
> /30 subnet to each client.
> 
> You never need to know the client's IP address in advance, neither with
> --dev tun nor --dev tap.
> 
> Here's a modified version of your config for use with --dev tun.
> 
> dev tun
> 
> ifconfig 192.168.0.1  192.168.0.2
> port 443
> proto tcp-server
> 
> user nobody
> group nobody
> persist-key
> 
> tls-server
> dh dh1024.pem
> 
> ca /root/CA/ca.crt
> cert /root/CA/certs/server.crt
> key /root/CA/private/server.key
> 
> crl-verify /root/CA/crl/crl.pem
> 
> tls-verify /root/openvpn/x509-verify.pl
> auth-user-pass-verify /root/openvpn/user-pass.sh via-env
> learn-address /root/openvpn/firewall.pl
> 
> status-version 1
> status /root/openvpn/sessions-status.log 4
> 
> comp-lzo
> verb 3
> 
> mode server
> ifconfig-pool 192.168.0.4 192.168.0.251
> route 192.168.0.0 255.255.255.0
> push "route 10.8.0.1"
> push "redirect-gateway"
> push "ip-win32 dynamic"
> push "dhcp-option DNS x.x.x.x"
> push "dhcp-option DNS y.y.y.y"
> 
> --
> _____________________________________________________________
> Mathias Sundman                  (^)   ASCII Ribbon Campaign
> OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
> http://www.nilings.se/openvpn    / \   NO Word docs in e-mail


-- 
Leonard Isham, CISSP 
Ostendo non ostento.
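An added example, not code from the thread or from the OpenVPN project, for the second of the three selection methods quoted above: pinning each client, by certificate CN, to a fixed tun endpoint pair through --client-config-dir, with --ccd-exclusive so that a client without a file is refused instead of being handed a pool address. Static addresses are what make iptables restrictions per client meaningful, since the address is then tied to the identity the TLS handshake verified. The script assumes the dynamic pool from Mathias's config is shrunk to 192.168.0.4-192.168.0.199 so that 192.168.0.200-192.168.0.251 is free for static pairs; the mapping format, the CN allow-list and the ccd path in the usage line are the example's own choices.

```sh
#!/bin/sh
# Added example, not code from the thread: generate --client-config-dir files that
# pin each client (by certificate CN) to a fixed tun endpoint pair, so that
# iptables rules keyed on a client's VPN address stay tied to an authenticated
# identity.  Use it with "client-config-dir <dir>" and "ccd-exclusive" on the
# server, so a client without a ccd file is refused rather than given a pool
# address.
#
# Assumptions (invented for the example): the thread's pool is shrunk to
# 192.168.0.4-192.168.0.199 and 192.168.0.200-192.168.0.251 is reserved for
# static pairs, so static and dynamic allocations can never overlap.
STATIC_START=192.168.0.200
STATIC_END=192.168.0.251

# Dotted quad -> integer; fails on anything that is not four decimal octets.
ip2int() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _save_ifs=$IFS; IFS=.; set -- $1; IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# A tun endpoint pair must be the two usable addresses of one /30 (last octets
# from [1,2] [5,6] ... [253,254]) to work with the Windows TAP driver.  Either
# order is accepted: ifconfig-pool hands clients 4k+2, the HOWTO's static
# examples give them 4k+1.  Both ends must also lie in the reserved range.
valid_pair() {
    _l=$(ip2int "$1") || return 1
    _r=$(ip2int "$2") || return 1
    _lo=$(ip2int "$STATIC_START"); _hi=$(ip2int "$STATIC_END")
    [ $(( _l / 4 )) -eq $(( _r / 4 )) ] || return 1        # same /30
    [ $(( _l % 4 + _r % 4 )) -eq 3 ] || return 1            # positions {1,2} or {0,3}
    [ $(( _l % 4 )) -ne 0 ] && [ $(( _l % 4 )) -ne 3 ] || return 1   # rule out {0,3}
    [ "$_l" -ge "$_lo" ] && [ "$_l" -le "$_hi" ] && [ "$_r" -ge "$_lo" ] && [ "$_r" -le "$_hi" ]
}

# The CN becomes a file name under the ccd directory, so use a strict allow-list
# (no slashes, no leading dot) rather than trusting whatever the CA signed.
valid_cn() {
    case $1 in ''|*[!A-Za-z0-9_.@-]*|.*) return 1 ;; esac
    [ ${#1} -le 64 ]
}

# Write <dir>/<cn> with the pinned pair.  Returns 1 (writing nothing) on invalid
# input and 2 if that /30 is already pinned to a different CN.
write_ccd() {
    _dir=$1; _cn=$2; _local=$3; _remote=$4
    valid_cn "$_cn" || return 1
    valid_pair "$_local" "$_remote" || return 1
    _blk=$(( $(ip2int "$_local") / 4 ))
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        [ "${_f##*/}" = "$_cn" ] && continue
        _peer=$(sed -n 's/^ifconfig-push \([0-9.]*\) .*/\1/p' "$_f")
        _pi=$(ip2int "$_peer") || continue
        [ $(( _pi / 4 )) -eq "$_blk" ] && return 2
    done
    printf 'ifconfig-push %s %s\n' "$_local" "$_remote" > "$_dir/$_cn"
}

# Usage: sh ccd-gen.sh /etc/openvpn/ccd < mapping    (lines: "<cn> <local> <remote>")
main() {
    mkdir -p "$1" || return 1
    _rc=0
    while read -r _cn _loc _rem _rest; do
        case $_cn in ''|'#'*) continue ;; esac
        if write_ccd "$1" "$_cn" "$_loc" "$_rem"; then
            echo "ok   $_cn -> $_loc $_rem"
        else
            echo "skip $_cn ($_loc $_rem): invalid pair/CN or /30 already taken" >&2
            _rc=1
        fi
    done
    echo "server config needs: client-config-dir $1 and ccd-exclusive"
    return $_rc
}
if [ $# -ge 1 ]; then main "$1"; fi
```

With "ccd-exclusive" in place, a certificate the CA signed for a CN that has no ccd file is still refused, which is the check you want if the firewall policy is keyed on address: nobody gets a pool address that the policy has never heard of. Keeping the static range disjoint from the ifconfig-pool range is the example's own precaution against a pool allocation and a pinned pair landing on the same /30.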

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
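An added example, not the firewall.pl referenced in the config above and not OpenVPN project code, of what a --learn-address hook can and cannot do, written in POSIX sh. OpenVPN runs the hook as "script add|update|delete address [common-name]": the address is an IPv4 address or subnet with --dev tun but a MAC address with --dev tap (the limitation in this thread's subject line), and no common name is passed on delete. The chain name VPN_CLIENTS, the policy file format, the state directory and the constructed policy lines are assumptions of the example.

```sh
#!/bin/sh
# Added example (not the thread's firewall.pl): a --learn-address hook that keeps
# per-client iptables rules in step with what OpenVPN learns.  OpenVPN invokes
#     <script> <add|update|delete> <address> [<common-name>]
# where <address> is an IPv4 address or subnet in tun mode but a MAC address in
# tap mode, and the common name is not passed on delete.  Two consequences:
#   - a tap client can only be matched by source MAC (iptables -m mac), never by
#     IP, which is the limitation the thread's subject line is about;
#   - the rules added for an address are recorded so delete can undo them
#     without knowing the CN.
# Assumptions (invented for the example): a user chain VPN_CLIENTS that FORWARD
# jumps to, a policy file of "<cn> <dst-net>..." lines, and a state directory.
CHAIN=${OVPN_CHAIN:-VPN_CLIENTS}
POLICY=${OVPN_POLICY:-/etc/openvpn/client-policy}
STATE=${OVPN_STATE:-/var/run/openvpn-learn}
IPTABLES=${IPTABLES:-iptables}

# Every argument is interpolated into an iptables command line, so allow-list
# them instead of trusting OpenVPN's own sanitising.
valid_cn() { case $1 in ''|*[!A-Za-z0-9_.@-]*) return 1 ;; esac; }

# Prints "ip" for an IPv4 address/subnet or "mac" for a MAC; fails otherwise.
addr_kind() {
    case $1 in
        ''|*[!0-9a-fA-F:./]*) return 1 ;;
        ??:??:??:??:??:??) case $1 in *[!0-9a-fA-F:]*) return 1 ;; *) echo mac ;; esac ;;
        *:*|*[!0-9./]*|.*|*.|*/*/*) return 1 ;;
        *) echo ip ;;
    esac
}

# Print the iptables arguments for this event, one rule per line, without
# running anything (so the policy logic can be tested without root).
rules_for() {
    _op=$1; _addr=$2; _cn=${3:-}
    case $_op in add|update|delete) ;; *) return 1 ;; esac
    _kind=$(addr_kind "$_addr") || return 1
    _key=$(printf '%s' "$_addr" | tr ':/' '._')
    # Undo whatever this address currently has: needed for delete, and for
    # update (the address moved to another client) or a repeated add.
    [ -f "$STATE/$_key" ] && sed 's/^-A /-D /' "$STATE/$_key"
    [ "$_op" = delete ] && return 0
    valid_cn "$_cn" || return 1
    if [ "$_kind" = mac ]; then _m="-m mac --mac-source $_addr"; else _m="-s $_addr"; fi
    # Policy: the first line whose first field is the CN lists the reachable nets.
    _nets=$(awk -v cn="$_cn" '$1 == cn { for (i = 2; i <= NF; i++) print $i; exit }' "$POLICY" 2>/dev/null)
    for _n in $_nets; do
        echo "-A $CHAIN $_m -d $_n -j ACCEPT -m comment --comment ovpn:$_cn"
    done
    # Default deny per client, so a CN missing from the policy reaches nothing.
    echo "-A $CHAIN $_m -j DROP -m comment --comment ovpn:$_cn"
}

# Apply the rules and keep the per-address record; non-zero on any failure.
learn_address() {
    _rules=$(rules_for "$@") || return 1
    _key=$(printf '%s' "$2" | tr ':/' '._')
    mkdir -p "$STATE" || return 1
    printf '%s\n' "$_rules" | while read -r _line; do
        [ -n "$_line" ] || continue
        $IPTABLES $_line || exit 1   # word-split on purpose: no field contains spaces
    done || return 1
    case $1 in
        delete) rm -f "$STATE/$_key" ;;
        *)      printf '%s\n' "$_rules" | grep '^-A ' > "$STATE/$_key" ;;
    esac
}

case $# in 2|3) learn_address "$@" ;; esac
```

Before the first client connects the chain has to exist and be reached from FORWARD, e.g. "iptables -N VPN_CLIENTS" followed by "iptables -I FORWARD -i tun0 -j VPN_CLIENTS" (tun0 assumed). Two caveats that follow from the config in this thread: with "user nobody" and "group nobody" the hook runs as that user once OpenVPN has dropped privileges, so the iptables calls will fail unless the script is allowed to run them through a privileged helper; and in tap mode "-m mac" only matches the source MAC, so you can restrict what a tap client may reach but not, by MAC, what may reach it, which is why the static-address route above is the better basis for per-client policy.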