Re: [Openvpn-users] OpenVPN and Proxy-ARP

  • Subject: Re: [Openvpn-users] OpenVPN and Proxy-ARP
  • From: /dev/rob0 <rob0@xxxxxxxxx>
  • Date: Wed, 12 Oct 2005 08:22:54 -0500

On Tuesday 2005-October-11 15:49, Joern Krebs wrote:
> (The problem is, if you like to solve this by adding the IP-Address
> of the client to the LAN-Interface of the server, the server "thinks"
> that this IP belongs to itself and does not route the packet, so the
> server has to answer ARP-Requests (with its own LAN-MAC-Address)
> knowing that this IP-Address does not belong to it. And this
> technique is Proxy-ARP and not solvable by any standard local
> utility. This is why it has to be _in_ the Linux Kernel and not a
> user-level utility.

I don't know. I only have VNC access to Windows. No openvpn to play 
with, but I will try it if I ever get the chance. (Did you try it?) 
GNU/Linux as you mentioned actually does have arp(8), a userspace 
utility which can implement specific ARP table entries.

The kernel sysctl, /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp, merely 
provides an intelligent way to turn on proxy ARP, or ARP replies for IP 
addresses other than the ones locally bound, per interface. Basically 
it says if a host route exists for an IP, and we hear an ARP request on 
$INTERFACE for that IP, we say yes to it, grab the packet and push it 
out our host route.

arp(8) can enable/disable ARP replies per IP, whether or not locally 
bound, and can also do MAC spoofing per IP. Unless I am missing 
something (which would not surprise me because I do not know much about 
it) this is the same thing as proxy ARP. I do know for a fact that I 
can disable the proxy ARP sysctl, and continue to do proxy ARP for my 
openvpn peer ( in the following example):

[I am at room101, logged into miniluv via ssh]

root@miniluv:~# arp -v -Ds eastasia.1984.lan eth0 pub
arp: device `eth0' has HW address ether `00:0D:87:zz:yy:xx'.
root@miniluv:~# arp -a
room101.1984.lan ( at 00:0A:E6:pp:qq:rr [ether] on eth0
telescreen.1984.lan ( at 00:04:76:jj:kk:ll [ether] on eth0
crimethink.1984.lan ( at 00:0F:66:aa:bb:cc [ether] on eth0
eastasia.1984.lan ( at * PERM PUP on eth0
root@miniluv:~# echo 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

[then back at room101]

rob0@room101:~$ ping -c1 eastasia.1984.lan
PING eastasia.1984.lan ( 56(84) bytes of data.
64 bytes from eastasia.1984.lan ( icmp_seq=1 ttl=63 time=20.6 ms

--- eastasia.1984.lan ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.624/20.624/20.624/0.000 ms
rob0@room101:~$ /sbin/arp -a
telescreen.1984.lan ( at 00:04:76:jj:kk:ll [ether] on eth0
eastasia.1984.lan ( at 00:0D:87:zz:yy:xx [ether] on eth0
crimethink.1984.lan ( at 00:0F:66:aa:bb:cc [ether] on eth0
miniluv.1984.lan ( at 00:0D:87:zz:yy:xx [ether] on eth0


arp(8) may be necessary for proxy ARP in situations where there is a 
network route to the host, IIUC. (I am not sure about that.) But it 
also can be used if the administrator for some reason does not want 
proxy ARP on the entire interface.

I had heard that Microsoft swiped, er, I mean INNOVATED, their TCP/IP 
utilities from BSD, which might account for the fact that the syntax 
and functionality tends to be similar to the Unix counterparts. Thus 
I'm holding to the belief that if you had tried this:
    arp -s IP.or.hostname.of.peer 00-aa-00-62-c6-09
your system would have been doing proxy ARP for your peer as the MAC 
address 00:aa:00:62:c6:09[1]. (Note the MS innovation here, to change 
the MAC delimiter : to -. User friendly, not having to hold Shift. :) )

Bottom line here: each of us thinks the other is misunderstanding ARP 
and proxy ARP. NBD. Perhaps one or both of us will come away from this 
with greater understanding. I think I did/will/am. :) "man 7 arp" has 
some interesting parts pertaining to this.

[1] This MAC address taken from the MS Win2KPro "arp.exe /?" example.
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
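The two mechanisms the mail contrasts (the per-interface proxy_arp sysctl, which answers based on the routing table, and a per-IP published entry from "arp -s ... pub") can be modelled and checked offline. The following is an added example, not code from the mail or from OpenVPN: it parses neighbour tables in the "arp -a" format shown above, reports which IPs a host is publishing, reports MACs that answer for more than one IP as seen from a client (which is what proxy ARP looks like on the LAN, and also what an ARP-spoofing host looks like, so it is a useful sanity check), and models the reply decision. Hostnames are the mail's; the IP addresses, routes and the exact PERM/PUP flag wording are assumptions, since the archive stripped the real addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample tables in the `arp -a` format from the mail.
# IP addresses are made up (the archive stripped the real ones); the
# pp:qq:rr style MAC octets are placeholders exactly as in the mail.
MINILUV_ARP = """\
room101.1984.lan (10.1.1.10) at 00:0A:E6:pp:qq:rr [ether] on eth0
telescreen.1984.lan (10.1.1.20) at 00:04:76:jj:kk:ll [ether] on eth0
crimethink.1984.lan (10.1.1.30) at 00:0F:66:aa:bb:cc [ether] on eth0
eastasia.1984.lan (10.1.1.100) at * PERM PUP on eth0
"""

ROOM101_ARP = """\
telescreen.1984.lan (10.1.1.20) at 00:04:76:jj:kk:ll [ether] on eth0
eastasia.1984.lan (10.1.1.100) at 00:0D:87:zz:yy:xx [ether] on eth0
crimethink.1984.lan (10.1.1.30) at 00:0F:66:aa:bb:cc [ether] on eth0
miniluv.1984.lan (10.1.1.1) at 00:0D:87:zz:yy:xx [ether] on eth0
"""

# host (ip) at mac [hwtype] FLAGS... on dev   -- hwtype is absent for
# published entries, which show "at *" followed by PERM PUP.
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[^)]+)\) at (?P<mac>\S+)"
    r"(?: \[(?P<hwtype>\w+)\])?(?P<flags>(?: [A-Z]+)*) on (?P<dev>\S+)$"
)


def parse_arp(text):
    """Parse `arp -a` output into a list of dicts; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["flags"] = e["flags"].split()
        entries.append(e)
    return entries


def published_entries(entries):
    """IPs this host answers ARP for on someone else's behalf (arp -s ... pub)."""
    return [e["ip"] for e in entries if "PUP" in e["flags"]]


def shared_macs(entries):
    """From a client's table: MACs that answer for more than one IP.

    A proxy-ARP host shows up this way (the VPN peer resolves to the
    server's MAC); so does a host spoofing ARP for addresses it does
    not own, which is why this is worth looking at on a LAN.
    """
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"] != "*":  # skip our own published placeholders
            by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def lookup_route(ip, routes):
    """Longest-prefix match over a constructed table of (cidr, out_dev)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, dev in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def would_answer_arp(target_ip, in_dev, proxy_arp, routes, entries):
    """Simplified model of the two mechanisms discussed in the mail.

    proxy_arp maps interface name -> sysctl value (0/1).  A published
    arp(8) entry for target_ip on in_dev answers regardless of the
    sysctl; otherwise the sysctl answers when a route to the target
    leaves via a different interface than the request arrived on.
    Returns "published", "proxy_arp" or None.
    """
    for e in entries:
        if e["ip"] == target_ip and e["dev"] == in_dev and "PUP" in e["flags"]:
            return "published"
    out_dev = lookup_route(target_ip, routes)
    if proxy_arp.get(in_dev) and out_dev is not None and out_dev != in_dev:
        return "proxy_arp"
    return None


if __name__ == "__main__":
    server = parse_arp(MINILUV_ARP)
    print("miniluv publishes:", published_entries(server))
    print("room101 sees shared MACs:", shared_macs(parse_arp(ROOM101_ARP)))
    routes = [("10.1.1.0/24", "eth0"), ("10.1.1.100/32", "tun0")]
    print(would_answer_arp("10.1.1.100", "eth0", {"eth0": 0}, routes, server))
```

Run as-is it reports the published eastasia entry on miniluv, shows that from room101's side eastasia and miniluv share one MAC (matching the second "arp -a" listing in the mail), and confirms the published entry answers even with the sysctl set to 0, which is the point the mail's experiment makes.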