
Re: [Openvpn-users] Filter on tap device

  • Subject: Re: [Openvpn-users] Filter on tap device
  • From: Marco Fretz <mailinglist@xxxxxxx>
  • Date: Fri, 04 Jan 2008 22:54:30 +0100


OK, thank you for that information. But I think the problem with ebtables 
will be that client-to-client traffic is blocked and ebtables cannot 
forward it (after it passes the filter rules). Or am I wrong?

The problem is that OpenVPN does this client-to-client forwarding inside 
the OpenVPN process. Such client-to-client traffic won't leave the tap0 
interface (where ebtables is applied). Right?

But anyway, I'll have a look at ebtables. Thanks.

I cannot code C :( Shame on me :(

Another idea was to start an OpenVPN process for each client and then 
filter/bridge between the clients with brctl and ebtables.

As you may know, I need the following: about 5-10 "groups" of clients. 
All clients in the same group should "see" each other. Clients from 
group1 and group2, e.g., must not see each other.

Is it possible to run about 10 OpenVPN instances with about 100 clients 
in TAP mode?

Thanks and kind regards

Prasanna Krishnamoorthy wrote:
> On Jan 4, 2008 6:06 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>> Hi Marco,
>> please explain:
>> "with Client-to-client deactivated all clients can only see the server"
>> that's exactly what it is supposed to do... this means all
>> client-to-client traffic IS blocked. Isn't that what you wanted?
>> I agree, filtering client-to-client traffic is not possible (either in
>> tun or tap mode) but blocking is definitely possible. Note that blocking
>> client-to-client traffic will and should also imply that all
>> broadcast/multicast traffic is blocked. That's the way it is supposed to
>> work ;-)
> This should be possible. What you need is not iptables, but ebtables!
> Iptables, as the name suggests, will allow you to filter only IP
> packets :). Ebtables, on the other hand, is built for bridging. I
> suggest you set client-to-client off, and use shorewall/ebtables to
> set up the filtering on the appropriate interface(s).
> http://ebtables.sourceforge.net/
> Prasanna
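The per-group design Marco floats above (one OpenVPN TAP instance per group, so isolation comes from the process boundary rather than from per-frame filtering) sketched as a config generator. This is an added example, not code from the thread or the OpenVPN project; the ports, subnets, certificate paths and the iptables rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: one OpenVPN TAP server per group.
# Inside an instance client-to-client is on, so members of a group see each
# other; between instances the kernel is told never to forward tap -> tap,
# so groups never see each other. All concrete values are assumptions.

# Print the server config for group number $1 (expected range 1..10).
gen_group_config() {
    n=$1
    cat <<EOF
# OpenVPN server for group $n (TAP mode, own port and own subnet)
dev tap$n
proto udp
port $((1193 + n))
server 10.$((100 + n)).0.0 255.255.255.0
client-to-client
max-clients 100
ca /etc/openvpn/group$n/ca.crt
cert /etc/openvpn/group$n/server.crt
key /etc/openvpn/group$n/server.key
dh /etc/openvpn/group$n/dh.pem
persist-key
persist-tun
EOF
}

# Write configs for groups 1..$2 into directory $1; print how many were written.
write_group_configs() {
    dir=$1; count=$2
    mkdir -p "$dir"
    i=1
    while [ "$i" -le "$count" ]; do
        gen_group_config "$i" > "$dir/group$i.conf"
        i=$((i + 1))
    done
    ls "$dir" | grep -c '^group[0-9]*\.conf$'
}

# Print the netfilter rule that stops the server from routing traffic that
# arrived on one group's tap device out through another group's tap device.
# Intra-group traffic never needs kernel forwarding: OpenVPN relays it itself.
gen_isolation_rules() {
    echo "iptables -A FORWARD -i tap+ -o tap+ -j DROP"
}
```

Each instance still needs its own CA (or at least its own client certificates) so a group1 client cannot simply connect to the group2 port; the generator only lays out the per-group files and addressing.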

Openvpn-users mailing list