Re: [Openvpn-users] Filter on tap device


  • Subject: Re: [Openvpn-users] Filter on tap device
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Fri, 21 Dec 2007 16:41:12 +0100

Marco Fretz wrote:
> I think it won't work because TAP "bridges" the clients together and TUN 
> with client-to-client routes the clients together... there is no 
> reason that traffic from client A to client B has to come out of the 
> tap interface, and so I can't filter with iptables because the FORWARD 
> chain only applies to forwarded traffic (from one interface to 
> another). Right?

Right, the packet will never "leave" the openvpn server process (if I 
read the source code correctly).
However, the same openvpn source code also has this specific
  if (m->enable_c2c) { ... } else { ... }
block which suggests that it does support the (blocking of) 
client-to-client traffic.

cheers,

JJK

>
> anyway, I'll try it :)
>
> thanks
>
> Jan Just Keijser wrote:
>> From reading the openvpn source code (file multi.c) I'd say that 
>> client-to-client is treated nearly the same for TAP or TUN 
>> connections (bridged tap connections are different). Of course, the 
>> easiest thing to do is to connect 2 clients *without* 
>> client-to-client and then try to ping each other.
>>
>> HTH,
>>
>> JJK
>>
>> Marco Fretz wrote:
>>> hi
>>>
>>> But this is only in TUN mode, isn't it? I can't find anything like 
>>> client-to-client in TAP mode. But for my needs I have to use TAP 
>>> instead of TUN.
>>>
>>> thanks,
>>> Marco
>>>
>>> Jan Just Keijser wrote:
>>>> hi Marco,
>>>>
>>>> as long as you don't have the server directive
>>>>  client-to-client
>>>> in your server config file then clients should not be allowed to 
>>>> connect to each other.
>>>>
>>>> HTH,
>>>>
>>>> JJK
>>>>
>>>> Marco wrote:
>>>>> hello
>>>>>
>>>>> I've got an openvpn server running with TAP. I want to block 
>>>>> traffic from client A to client B. Client A and client B are both 
>>>>> connected over the same openvpn server process (same server tap 
>>>>> device).
>>>>> Is this possible? Can I block such traffic with iptables on the 
>>>>> tap0 interface on the openvpn server?
>>>>>
>>>>> I think that won't be possible because TAP is like Layer 2 and the 
>>>>> packets may be forwarded inside the openvpn process and not over 
>>>>> the tap0 device.
>>>>>

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
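As an added example (not code from this thread or from the OpenVPN project), the following Python script audits an OpenVPN server configuration for the point the thread turns on: whether inter-client traffic is switched inside the openvpn process (the `client-to-client` path in multi.c, which no iptables rule on the tap/tun device will ever see) or is handed to the kernel, where it can be filtered. The two sample configurations, the addresses in them and the `/etc/openvpn/...` paths are constructed for the example; the parser covers the directive syntax, `#`/`;` comments and inline `<tag>...</tag>` file blocks, but makes no attempt to validate the directives themselves.

```python
"""Audit an OpenVPN server config for the client-to-client setting.

Added example, not from the mailing-list thread or the OpenVPN source.
Decides whether traffic between two VPN clients crosses the kernel (and
can be filtered with iptables on the tap/tun device) or is forwarded
inside the openvpn process, where netfilter never sees it.
"""
import re

# Constructed sample: TAP server with client-to-client enabled.
TAP_C2C = """\
port 1194
proto udp
dev tap0
ca /etc/openvpn/ca.crt
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
client-to-client     ; frames are switched inside openvpn, never seen on tap0
keepalive 10 120
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed sample: TUN server without client-to-client.
TUN_NO_C2C = """\
dev tun
server 10.8.0.0 255.255.255.0
# client-to-client deliberately absent: a packet from client A to client B
# is written to tun0 and routed back by the kernel, so FORWARD sees it
push "route 192.168.1.0 255.255.255.0"
"""


def parse_openvpn_config(text):
    """Return a list of (directive, [args]) tuples.

    Strips '#' and ';' comments and skips inline file blocks such as
    <ca>...</ca>, whose contents are certificate/key material, not
    directives.  Quoted arguments are not unescaped (good enough here).
    """
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.match(r"<(\w[\w-]*)>$", line)
        if m:
            in_block = m.group(1)
            continue
        line = re.split(r"\s*[#;]", line, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit(text):
    """Classify the config and say where inter-client traffic can be filtered."""
    dev = dev_type = None
    c2c = False
    for name, args in parse_openvpn_config(text):
        if name == "client-to-client":
            c2c = True
        elif name == "dev" and args:
            dev = args[0]
        elif name == "dev-type" and args:
            dev_type = args[0]          # dev-type overrides the name in 'dev'
    base = dev_type or dev or ""
    mode = "tap" if base.startswith("tap") else ("tun" if base.startswith("tun") else "unknown")
    if c2c:
        finding = (f"client-to-client is set: traffic between clients is forwarded "
                   f"inside the openvpn process and never leaves it via {dev}; "
                   f"iptables on {dev} cannot filter it. Remove the directive.")
    elif mode == "tun":
        finding = (f"no client-to-client: inter-client packets are written to {dev} "
                   f"and routed back by the kernel, so the FORWARD chain sees them.")
    elif mode == "tap":
        finding = (f"no client-to-client: openvpn hands frames to {dev}; clients do "
                   f"not reach each other unless the host bridges or forwards them.")
    else:
        finding = "no 'dev' directive found; cannot determine tun/tap mode."
    return {"dev": dev, "mode": mode, "client_to_client": c2c,
            "kernel_filterable": not c2c, "finding": finding}


def strip_client_to_client(text):
    """Return the config with any client-to-client line commented out."""
    out = []
    for raw in text.splitlines():
        if re.match(r"\s*client-to-client\b", raw):
            out.append("# " + raw.rstrip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, cfg in (("TAP with c2c", TAP_C2C), ("TUN without c2c", TUN_NO_C2C),
                       ("TAP after fix", strip_client_to_client(TAP_C2C))):
        print(f"{label}: {audit(cfg)['finding']}")
```

Run it against a real `server.conf` by replacing the constructed samples; the useful output is the `finding` string, and `kernel_filterable` is the one-bit answer to Marco's question.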