Re: [Openvpn-users] 3 questions



OK, right now client-to-client is not enabled, I will get to work on getting
iptables configured.  I know this isn't an iptables forum, but might someone
have an example to allow only one client to cross to the others?


-----Original Message-----
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Serge
Wautier
Sent: Thursday, May 24, 2007 10:58 AM
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] 3 questions

> As for one client being able to 
> talk to the rest, enable client-to-client on OpenVPN and 
> control who can talk to who with iptables. 

No, it's the opposite: _disable_ client-to-client: it will force traffic to
go to the kernel where iptables can filter it. With client-to-client
enabled, iptables won't be given a chance to perform its job.
Also, in a multi-server scenario, it won't allow connections between clients
connected to different servers.

HTH,

Serge.
http://www.apptranslator.com

> -----Original Message-----
> From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx 
> [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On 
> Behalf Of Ed Russell
> Sent: jeudi 24 mai 2007 16:48
> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] 3 questions
> 
> I have worked with OSPF before and I will look into this.  Is 
> this my only option to enable client-to-client and then rely 
> on iptables?  I guess I will have to dust off my iptables rules....
> 
> 
> -----Original Message-----
> From: Andrew Good [mailto:agood@xxxxxxxxxxxx]
> Sent: Thursday, May 24, 2007 10:06 AM
> To: Ed Russell
> Subject: Re: [Openvpn-users] 3 questions
> 
> Mr. Russell,
> 
> With the current complexity of your network, 3 servers and 
> 100+ clients, I think it'd be best to start implementing OSPF 
> to take care of your routing. As for one client being able to 
> talk to the rest, enable client-to-client on OpenVPN and 
> control who can talk to who with iptables. This assumes you 
> are using a Linux server. I like to test network 
> configurations with VNUML.
> http://www.dit.upm.es/vnumlwiki/index.php/Allexamples
> 
> Andrew
> 
> > My 3 questions are:
> > 
> > 
> > 1. We monitor our systems using Nagios and I would like to be able to
> > have the monitoring server connect to the main OpenVPN server as a
> > client and be able to "see" each of the clients via the VPN.  Right now
> > any client can only see the server.  Is it possible to be able to have
> > one client only be able to reach all the other clients?  Or will I have
> > to make a global change to allow each client to get to any other?  Each
> > client has a fixed VPN IP based upon their ccd file.
> > 
> > 2. We are moving to a point where I would like to use a second subnet
> > to separate new clients in a new country.  Up until now all my clients
> > get a fixed IP in the 10.8.81.x subnet based upon their ccd file.  How
> > can I now add for instance 10.8.82.x and give specific clients addresses
> > in this subnet?  Will adding another route statement in the server
> > configuration like "route 10.8.82.0 255.255.255.0" work?  If I do this
> > will it have any effect on the existing 10.8.81.x subnet?
> > 
> > 3. This sort of leads out of question number 1.  I have 3 servers
> > running at various places on the Internet, right now I run all clients
> > on one server but at some point soon I would like to have clients
> > randomly move between servers.  Should the main server go down I simply
> > run up the daemon on my backup server and the clients then move over.
> > I know how to accomplish this by changing the options in the client
> > configuration files.  What I would like to know, assuming #1 is possible
> > (and I'm sure it is) how then could this "special" client find any
> > other client no matter what server it is connected to?  I can assume
> > that it could simultaneously connect to both servers and then "find"
> > the client it wants to monitor from there.
> > 
> > I hope these questions make sense and I have given enough information
> > to be pointed in the right direction.  If not, let me know what I have
> > missed and I will be sure to comply.  Thanks in advance.
> > 
> > Ed Russell
> > Manager, Information Technology
> > Teriyaki Experience
> > 700 Kerr Street Suite 100
> > Oakville, Ontario L6K 3W5
> > 905-337-7777 x500
> > 905-337-5686 direct
> > 905-580-4566 mobile
> > 905-337-0331 fax
> > erussell@xxxxxxxxxxxxxxxxxxxxxx
> > 
> 
> 
> 
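
A worked example for the iptables question at the top of this message (added here; it is not code from anyone in the thread). It follows Serge's point: with no "client-to-client" line in server.conf, packets between two clients are routed by the kernel and traverse the FORWARD chain on the tun interface, where one small chain can let only the monitoring client open connections to the others. Assumed values: tun0, the 10.8.81.0/24 subnet from the thread, and 10.8.81.10 as the address the monitoring client's ccd file pushes (a constructed value).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: OpenVPN server with NO
# "client-to-client" line in server.conf (so inter-client packets are routed
# by the kernel and hit FORWARD), interface tun0, VPN subnet 10.8.81.0/24
# (from the thread), and a monitoring (Nagios) client whose ccd file pushes
# 10.8.81.10 (constructed value; set it to your actual ifconfig-push address).
TUN_IF="${TUN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.81.0/24}"
MON_IP="${MON_IP:-10.8.81.10}"

# Print the iptables commands rather than applying them, so they can be
# reviewed first; "sh this.sh --apply" executes them.
vpn_forward_rules() {
    tun="$1"; net="$2"; mon="$3"
    cat <<EOF
iptables -N VPN_C2C
iptables -A FORWARD -i $tun -o $tun -j VPN_C2C
iptables -A VPN_C2C -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_C2C -s $mon -d $net -m conntrack --ctstate NEW -j ACCEPT
iptables -A VPN_C2C -m limit --limit 5/min -j LOG --log-prefix "vpn-c2c-drop: "
iptables -A VPN_C2C -j DROP
EOF
}
# Only tun-to-tun forwarding is sent to VPN_C2C, so client-to-LAN or
# client-to-Internet forwarding (if you have any) is left untouched. Replies
# from other clients back to the monitor match ESTABLISHED; new connections
# from any other client toward a client are logged (rate-limited) and dropped.

# Number of rules in a generated rule set (sanity check).
rule_count() {
    vpn_forward_rules "$@" | grep -c '^iptables '
}

case "${1:-}" in
    --apply)
        # Forwarding must be on, or FORWARD is never consulted for these packets.
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        vpn_forward_rules "$TUN_IF" "$VPN_NET" "$MON_IP" | sh -e
        # Packet counters on the final DROP show inter-client attempts from
        # clients other than the monitor.
        iptables -L VPN_C2C -n -v ;;
    *)
        vpn_forward_rules "$TUN_IF" "$VPN_NET" "$MON_IP" ;;
esac
```

If "client-to-client" is present in server.conf, OpenVPN switches the packets internally and these rules never see them, which is the behaviour Serge describes.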

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
