Re: [Openvpn-devel] Correct Man Page: client-to-client

2013-01-07 Thread Davide Brini
On Mon, 7 Jan 2013 14:30:01 -0600, Eric Crist 
wrote:

> This is something I've been meaning to address for quite some time, since
> the documentation is very, very wrong.  I'm not very good at reading the
> code (yet), so please correct me if I'm wrong.  This update is based on
> behavior I've seen and not as much on my ability to read our source.
> 
> The human-readable difference:
> 
> === OLD ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router.  The --client-to-client flag tells OpenVPN
> to internally route client-to-client traffic rather than
> pushing all client-originating traffic to the TUN/TAP interface.
> 
> When this option is used, each client will "see" the other 
> clients which are currently connected.  Otherwise, each client
> will only see the server.  Don't use this option if you want
> to firewall tunnel traffic using custom, per-client rules.
> 
> === NEW ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router.  The --client-to-client flag tells OpenVPN
> to allow traffic between clients connected to the VPN.  This
> also exposes the traffic between clients to the TUN/TAP
> interface, allowing for firewalling on a per-client basis.
> 
> When this option is used, each client will "see" the other 
> clients which are currently connected.

The current documentation looks correct to me. When using client-to-client,
traffic is not exposed on the tun interface; when not using
client-to-client, traffic shows up on the tun interface and can be
firewalled (e.g. with iptables).

-- 
D.
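The distinction Davide describes, as an added example that is not part of the thread or of the OpenVPN project: without --client-to-client, inter-client traffic traverses the server's tun interface and can be filtered in the FORWARD chain; with the option set, OpenVPN routes it internally and such rules never match. The interface name tun0, the 10.8.0.0/24 subnet and the two sample server configs are assumptions, constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN itself.
# Without --client-to-client, traffic between two VPN clients is forwarded
# through the server's tun interface and can be filtered in the FORWARD
# chain; with --client-to-client OpenVPN routes it internally and no
# iptables rule on the tun interface will ever see it. The helpers below
# refuse to emit per-client rules for a config that has the option set.
# Assumed names (not from the thread): tun0, the 10.8.0.0/24 VPN subnet,
# and the constructed sample configs written at the bottom.

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Exit status 0 if the server config enables client-to-client
# (commented-out lines such as "# client-to-client" do not count).
uses_client_to_client() {
    grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "$1"
}

# Print FORWARD rules: let replies of allowed flows through, allow one
# client-to-client pair on the tun interface, drop every other tun-to-tun
# flow inside the VPN subnet. Rules are printed for review, not applied,
# so this runs unprivileged.
inter_client_rules() {
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$VPN_IF" "$VPN_IF"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' \
        "$VPN_IF" "$VPN_IF" "$1" "$2"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -j DROP\n' \
        "$VPN_IF" "$VPN_IF" "$VPN_NET" "$VPN_NET"
}

# plan_firewall CONFIG SRC DST: emit the rules, or fail when the config
# uses client-to-client and the rules would silently never match.
plan_firewall() {
    if uses_client_to_client "$1"; then
        echo "$1: client-to-client is set, inter-client traffic bypasses $VPN_IF" >&2
        return 1
    fi
    inter_client_rules "$2" "$3"
}

# Constructed sample server configs (minimal, for demonstration only).
PLAIN_CFG=$(mktemp)
printf 'dev tun\nserver 10.8.0.0 255.255.255.0\n# client-to-client\n' > "$PLAIN_CFG"
C2C_CFG=$(mktemp)
printf 'dev tun\nserver 10.8.0.0 255.255.255.0\nclient-to-client\n' > "$C2C_CFG"

plan_firewall "$PLAIN_CFG" 10.8.0.2 10.8.0.3
```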



[Openvpn-devel] Correct Man Page: client-to-client

2013-01-07 Thread Eric Crist
This is something I've been meaning to address for quite some time, since the 
documentation is very, very wrong.  I'm not very good at reading the code 
(yet), so please correct me if I'm wrong.  This update is based on behavior 
I've seen and not as much on my ability to read our source.

The human-readable difference:

=== OLD ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router.  The --client-to-client flag tells OpenVPN
to internally route client-to-client traffic rather than
pushing all client-originating traffic to the TUN/TAP interface.

When this option is used, each client will "see" the other 
clients which are currently connected.  Otherwise, each client
will only see the server.  Don't use this option if you want
to firewall tunnel traffic using custom, per-client rules.

=== NEW ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router.  The --client-to-client flag tells OpenVPN
to allow traffic between clients connected to the VPN.  This
also exposes the traffic between clients to the TUN/TAP
interface, allowing for firewalling on a per-client basis.

When this option is used, each client will "see" the other 
clients which are currently connected.




diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2ed5201..009aeda 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2987,15 +2987,13 @@ Because the OpenVPN server mode handles multiple clients
 through a single tun or tap interface, it is effectively
 a router.  The
 .B \-\-client-to-client
-flag tells OpenVPN to internally route client-to-client
-traffic rather than pushing all client-originating traffic
-to the TUN/TAP interface.
+flag tells OpenVPN to allow traffic between clients
+connected to the VPN.  This also exposes the traffic between
+clients to the TUN/TAP inteface, allowing for firewalling
+on a per-client basis.
 
 When this option is used, each client will "see" the other
-clients which are currently connected.  Otherwise, each
-client will only see the server.  Don't use this option
-if you want to firewall tunnel traffic using
-custom, per-client rules.
+clients which are currently connected.  
 .\"*
 .TP
 .B \-\-duplicate-cn
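Review bot: the replacement wording in `+flag tells OpenVPN to allow traffic between clients` / `+connected to the VPN.  This also exposes the traffic between` / `+clients to the TUN/TAP inteface, allowing for firewalling` inverts the semantics the removed lines documented, and the reply in this thread states the removed text was correct (with --client-to-client, inter-client traffic is routed internally and does not reach the tun interface; it is only without the option that it can be firewalled there). Unless the behaviour change is confirmed against the source, keep the original description together with the deleted caveat "Don't use this option if you want to firewall tunnel traffic using custom, per-client rules", since dropping it removes the one warning that tells an administrator which mode their iptables rules depend on. Two smaller points: "inteface" in the third added line is a typo, and `+clients which are currently connected.  ` carries trailing whitespace.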



-
Eric F Crist