There is no difference, it's exactly the same feature.
Next time, I promise to check better before implementing something that 
already exists.
Sorry,
Andrea Bonomi
:: e n d i a n
:: security with passion

:: andrea bonomi
:: http://www.endian.com  :: a.bon...@endian.com

On 10/Sep/2012, at 16:49, David Sommerseth wrote:

> On 10/09/12 15:38, Andrea Bonomi wrote:
>> Dear Developers, I developed a patch for implementing 1:1 NAT
>> (something similar to the iptables NETMAP target). This is useful
>> in situations when you have the same (private) network address
>> behind clients. For example, consider the following scenario:
>> 
>> -lan1--192.168.0.0/24--      -lan2--192.168.0.0/24-- |
>> | gw1 192.168.0.1              gw2 192.168.0.1 |
>> | [tunnel]-----OpenVPN server---[tunnel] | [tunnel] | clients…
>> 
>> The clients have to access both the machines in lan1 and lan2.
>> This patch allows mapping all the addresses of a network, e.g.
>> [to g1] push "netmap 172.16.1.0/24 192.168.0.0/24"
>> [to g2] push "netmap 172.16.2.0/24 192.168.0.0/24"
>> The clients can access, e.g., 192.168.0.79 on lan1 using the IP
>> 172.16.1.79.
> 
> Hi Andrea,
> 
> First of all, thanks a lot for your efforts here!  I just have one
> question ... how does this differ from the --client-nat feature in the
> code base for OpenVPN v2.3?  (git master or alpha releases)
> 
> From the man page:
> 
>       --client-nat snat|dnat network netmask alias
>              This pushable client option sets up  a  stateless
>              one-to-one  NAT  rule  on  packet  addresses (not
>              ports), and is useful in cases  where  routes  or
>              ifconfig settings pushed to the client would create
>              an IP numbering conflict.
> 
>              network/netmask           (for            example
>              192.168.0.0/255.255.0.0)  defines  the local view
>              of a resource from the client perspective,  while
>              alias/netmask (for example 10.64.0.0/255.255.0.0)
>              defines the remote view from the server perspective.
> 
>              Use  snat (source NAT) for resources owned by the
>              client and  dnat  (destination  NAT)  for  remote
>              resources.
> 
>              Set  --verb  6  for  debugging  info  showing the
>              transformation of src/dest addresses in packets.
> 
> 
> kind regards,
> 
> David Sommerseth
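The prefix-preserving rewrite that both messages describe, shown with the thread's lan1 mapping (172.16.1.0/24 onto 192.168.0.0/24). This is an added sketch, not OpenVPN's --client-nat code and not the submitted patch; the function names are hypothetical and the 10.8.0.6 source address is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
/* One stateless 1:1 rule (host byte order): an address in from_net/mask is
 * moved to the same host offset in to_net/mask. No state, no ports. */
struct nat_rule { uint32_t from_net, to_net, mask; };

uint32_t nat_map(const struct nat_rule *r, uint32_t addr)
{
    if ((addr & r->mask) != (r->from_net & r->mask))
        return addr; /* outside the rule: untouched */
    return (r->to_net & r->mask) | (addr & ~r->mask);
}

/* RFC 1071 checksum; over a header with a valid checksum it returns 0. */
uint16_t ip_checksum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the IPv4 destination in place and fix the header checksum (TCP/UDP
 * checksums also cover addresses; not updated here). Returns 1 if rewritten. */
int nat_rewrite_dst(const struct nat_rule *r, uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;
    uint32_t old = (uint32_t)p[16] << 24 | (uint32_t)p[17] << 16
                 | (uint32_t)p[18] << 8 | p[19];
    uint32_t mapped = nat_map(r, old);
    if (mapped == old) return 0;
    for (int i = 0; i < 4; i++)
        p[16 + i] = (uint8_t)(mapped >> (24 - 8 * i));
    p[10] = p[11] = 0;
    uint16_t c = ip_checksum(p, ihl);
    p[10] = (uint8_t)(c >> 8); p[11] = (uint8_t)c;
    return 1;
}

int main(void)
{   /* Constructed sample: lan1 rule from the thread, bare ICMP header. */
    struct nat_rule lan1 = { 0xAC100100u, 0xC0A80000u, 0xFFFFFF00u };
    uint8_t pkt[20] = { 0x45,0,0,20, 0,0,0,0, 64,1,0,0, 10,8,0,6, 172,16,1,79 };
    return !(nat_rewrite_dst(&lan1, pkt, sizeof pkt) && ip_checksum(pkt, 20) == 0);
}
```

Because the rule keeps no connection state, return traffic needs the inverse rule (from_net and to_net swapped) applied to the source address.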
