
Re: [Openvpn-users] Filter on tap device

  • Subject: Re: [Openvpn-users] Filter on tap device
  • From: Marco Fretz <mailinglist@xxxxxxx>
  • Date: Fri, 21 Dec 2007 15:13:44 +0100

OK, I'll try it and give feedback to the mailing list.

I think it won't work because TAP "bridges" the clients together and TUN 
with client-to-client routes the clients together... there is no reason 
that traffic from client A to client B has to come out of the tap 
interface, and so I can't filter with iptables because the FORWARD chain 
only applies to forwarded traffic (from one interface to another). Right?

Anyway, I'll try it :)


Jan Just Keijser wrote:
> From reading the openvpn source code (file multi.c) I'd say that 
> client-to-client is treated nearly the same for TAP or TUN connections 
> (bridged tap connections are different). Of course, the easiest thing 
> to do is to connect 2 clients *without* client-to-client and then try 
> to ping each other.
> HTH,
> Marco Fretz wrote:
>> Hi,
>> but this is only in TUN mode, isn't it? I can't find anything like 
>> client-to-client in TAP mode. But for my needs I have to use TAP 
>> instead of TUN.
>> Thanks,
>> Marco
>> Jan Just Keijser wrote:
>>> hi Marco,
>>> as long as you don't have the server directive
>>>  client-to-client
>>> in your server config file then clients should not be allowed to 
>>> connect to each other.
>>> HTH,
>>> JJK
>>> Marco wrote:
>>>> Hello,
>>>> I've got an OpenVPN server running with TAP. I want to block traffic 
>>>> from client A to client B. Client A and client B are both connected 
>>>> over the same OpenVPN server process (same server tap device).
>>>> Is this possible? Can I block such traffic with iptables on the 
>>>> tap0 interface on the OpenVPN server?
>>>> I think that won't be possible because TAP is like Layer 2 and the 
>>>> packets may be forwarded inside the OpenVPN process and not over the 
>>>> tap0 device.
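
As an added illustration (not part of the thread, and not configuration written by any of the participants), here is the server-side setting the discussion turns on, with the filtering consequence of each choice noted inline. The interface name, the 10.8.0.0/24 subnet, the eth0 uplink and the iptables rules are assumptions about a typical OpenVPN 2.x TAP server without bridging; this is a fragment, not a complete server.conf.

```conf
# Assumed OpenVPN 2.x server fragment: server mode on a TAP device.
dev tap0
server 10.8.0.0 255.255.255.0

# Leave the next directive commented out to isolate clients from each other.
# Without it, every frame a client sends is written to the kernel via tap0.
# tap0 is a plain interface (not a bridge port), so a frame addressed to
# another client's MAC is not turned back around: client A cannot reach
# client B at all, and whatever the host does forward (to eth0, say) passes
# the FORWARD chain, where iptables can filter it, e.g.:
#   iptables -A FORWARD -i tap0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
#   iptables -A FORWARD -i tap0 -o tap0 -j DROP
# (the second rule only matters if the host itself routes or proxy-ARPs
# between clients; without that there is nothing for it to match.)
#client-to-client

# Uncommenting 'client-to-client' makes OpenVPN switch frames between
# connected clients inside its own process (the MAC-learning table in
# multi.c). Those frames never appear on tap0, so no iptables or ebtables
# rule on the server can see or block them.
```

The practical check is the one suggested above: connect two clients with the directive absent and ping between them; if the pings fail while both can still reach the server's 10.8.0.1, the isolation is coming from the missing directive, not from any firewall rule.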

Openvpn-users mailing list