Re: [Openvpn-users] Iptables: match by OpenVPN client IP address rather than source address?

  • Subject: Re: [Openvpn-users] Iptables: match by OpenVPN client IP address rather than source address?
  • From: "Serge Wautier" <serge@xxxxxxxxxxx>
  • Date: Tue, 16 Jan 2007 08:43:33 +0100

Erich, Les, thanks for your replies.

NAT won't work for me because the remote LANs contain servers. The goal is
to let users access their servers in their remote LANs.
IP Masquerading won't work either for the same reason (er... Is this true?
I'm a complete newbie to Linux!).

Port Forwarding is what I need. Unfortunately... The boxes used as OpenVPN
clients on the remote LANs don't support it! Please don't tell me to get rid
of them: I'm doing this job on behalf of these boxes' manufacturer :-) It's
a niche market in industrial automation and telemetry.


PS: Erich, Outlook told me that your certificate is either invalid or
untrusted :(

> -----Original Message-----
> From: Erich Titl [mailto:erich.titl@xxxxxxxx]
> Sent: Monday 15 January 2007 23:47
> To: Serge Wautier
> Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] Iptables: match by OpenVPN client IP address rather than source address?
> 
> Serge
> 
> Serge Wautier wrote:
> > Erich,
> > 
> > Thanks for your reply.
> > My actual setup is actually pretty complicated. (That's why I didn't
> > describe it upfront).
> > You're right: I know the LAN IPs (Although I'd love not to have to
> > know them. You'll see below that it might still be routable based on
> > source(!) addresses).
> > The trick is that several LANs will share the same IP addressing scheme!
> > Yes.
> > I'll try to be clear yet as brief as possible:
> > 
> > Each user owns a remote LAN (actually several but he's allowed to
> > connect to one at a time only). He connects (typically using his
> > notebook) to the OpenVPN Server and from there to his remote LAN
> > (which is connected by OpenVPN as well).
> 
> So you have a hub topology with dedicated remote LAN IPs depending on
> your user's certificate. Some of these subnets share the same address
> space. This is not destination routable per se. So you want to introduce
> source routes for your clients.
> 
> > Main constraints are:
> > - Each user can see his remote LAN only. Not the remote LAN of other users.
> > - We have no control on remote LAN IPs. Hence we will hit the case
> > where 2 clients connect simultaneously to their respective LAN...
> > Which share the same addresses.
> 
> Mhhh.... why don't you just masquerade all the remote LANs to well-known
> address ranges? You need to manage them anyway, so where is the catch? I
> believe that would take the sting off your problem.
> 
> Hope I understood your problem.
> 
> Erich

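The "source routes" Erich mentions, worked through as an added example that is not part of this thread and not OpenVPN's own code: each user's traffic is routed by the user's tun address rather than by the (overlapping) destination LAN, and iptables lets the user forward only into his own LAN. It assumes a hub where every remote LAN arrives on its own tun device (one server instance per LAN), users get fixed tun addresses from the hub (e.g. via ifconfig-push), and the hub has iproute2 and iptables; all addresses and device names are constructed.

```shell
#!/bin/sh
# Constructed example: isolate users on an OpenVPN hub whose remote LANs
# all reuse 192.168.1.0/24. Assumed layout (not from the thread):
#   - users connect to the hub's main server instance and get fixed
#     tun addresses (10.8.0.6, 10.8.0.10, ...)
#   - each remote LAN is reached through its own tun device (tun1, tun2)
# Nothing here needs NAT on the remote boxes; it all runs on the hub.

DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gen_isolation_rules USER_TUN_IP LAN_TUN_DEV LAN_CIDR TABLE_ID
# The destination alone is ambiguous when LANs overlap, so the route is
# chosen by the *source* (the user's tun address) via a per-user table.
gen_isolation_rules() {
    user_ip=$1; lan_dev=$2; lan_cidr=$3; table=$4
    # Per-user routing table containing only this user's LAN.
    run ip route add "$lan_cidr" dev "$lan_dev" table "$table"
    run ip rule add from "$user_ip" lookup "$table" priority "$table"
    # Forward filter: this user may enter his LAN's tun device only.
    run iptables -A FORWARD -s "$user_ip" -o "$lan_dev" -d "$lan_cidr" -j ACCEPT
    # Replies are addressed to the user's unique tun address, so the main
    # table routes them back; only established flows are let through.
    run iptables -A FORWARD -i "$lan_dev" -d "$user_ip" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else from this user (other users' LANs included) is dropped.
    run iptables -A FORWARD -s "$user_ip" -j DROP
}

# Two users whose remote LANs both use 192.168.1.0/24 (constructed values).
gen_isolation_rules 10.8.0.6  tun1 192.168.1.0/24 101
gen_isolation_rules 10.8.0.10 tun2 192.168.1.0/24 102
```

Run with DRY_RUN=1 (the default) to review the generated rules before applying them; the table ids double as rule priorities and must stay below the main table's 32766.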