Re: [Openvpn-users] Re: new tap device for each connection

  • Subject: Re: [Openvpn-users] Re: new tap device for each connection
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Sat, 19 Nov 2005 21:04:46 +0100 (CET)

On Sat, 19 Nov 2005, Samuel Tardieu wrote:

"Charles" == Charles Duffy <cduffy@xxxxxxxxxxx> writes:

Charles> How about connecting the single tap device to every bridge
Charles> but using ebtables rules to block or allow packets from
Charles> different clients onto whichever bridge happens to be
Charles> appropriate?

Can't the peer send you what it wants on the tunnel and spoof another
client thus sending packets to the wrong bridged interface?

Yes, you are right. OpenVPN does not attempt to block a client spoofing another client's IP address, basically because OpenVPN is then working on layer 2 rather than layer 3 and is not even looking at the IP address.

You can however use a --learn-address script to update your ebtables rules so you can match the MAC address of each client. When this script is called you will be given both the CN of the client and the MAC address so you can add appropriate ebtables rules.
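As an added example (not code from this thread), here is a --learn-address hook that turns the operation, MAC and CN arguments OpenVPN passes in tap mode into per-client ebtables ACCEPT rules behind a default DROP; the interface name tap0 and the chain name vpn-clients are assumptions.

```shell
#!/bin/sh
# Added example: --learn-address hook for a tap-mode OpenVPN server keeping one
# ebtables ACCEPT rule per client MAC (not the thread's own code). OpenVPN runs it as
#   script <operation> <address> [<common-name>]
# with operation add|update|delete; in tap mode <address> is the client's MAC.
# Assumptions (hypothetical names): tap interface $TAP, a user-defined chain $CHAIN
# that FORWARD hands frames from $TAP to, and a final DROP so unknown MACs never
# reach a bridge.

TAP="${TAP:-tap0}"
CHAIN="${CHAIN:-vpn-clients}"
EBTABLES="${EBTABLES:-ebtables}"   # EBTABLES=echo prints the commands instead of running them

# One-time setup (e.g. from an --up script): default-deny for frames arriving on $TAP.
setup_chain() {
    "$EBTABLES" -N "$CHAIN"
    "$EBTABLES" -A FORWARD -i "$TAP" -j "$CHAIN"
    "$EBTABLES" -A FORWARD -i "$TAP" -j DROP
}

# Accept only a well-formed MAC; anything else is refused before it reaches ebtables.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

allow_mac() {   # $1 = MAC, $2 = common name (available for logging or per-CN policy)
    "$EBTABLES" -A "$CHAIN" -i "$TAP" -s "$1" -j ACCEPT
}

drop_mac() {    # tolerate a missing rule, e.g. a delete after a failed add
    "$EBTABLES" -D "$CHAIN" -i "$TAP" -s "$1" -j ACCEPT 2>/dev/null || true
}

learn_address() {
    op="$1"; addr="$2"; cn="$3"
    is_mac "$addr" || { echo "learn-address: refusing non-MAC address '$addr' (cn=$cn)" >&2; return 1; }
    case "$op" in
        add)    allow_mac "$addr" "$cn" ;;
        update) drop_mac "$addr"; allow_mac "$addr" "$cn" ;;   # MAC moved to another client
        delete) drop_mac "$addr" ;;
        *)      echo "learn-address: unknown operation '$op'" >&2; return 1 ;;
    esac
}

# Act as the hook only when OpenVPN passes arguments; sourcing the file just defines functions.
if [ "$#" -ge 2 ]; then
    learn_address "$@"
fi
```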

