Re: [Openvpn-devel] Correct Man Page: client-to-client

2013-01-08 Thread Davide Brini
On Tue, 8 Jan 2013 07:41:59 -0600, Eric Crist 
wrote:

> I'm certain this is the behavior for TAP, but I'll do some due diligence
> and generate a few different scenarios and verify.  It's entirely
> possible this behavior is only present with the TAP adapter.  I'll post
> my findings later this week.
>
> - Eric F Crist

It's the same for tun and tap in my experience.

-- 
D.



Re: [Openvpn-devel] Correct Man Page: client-to-client

2013-01-08 Thread Eric Crist
I'm certain this is the behavior for TAP, but I'll do some due diligence and 
generate a few different scenarios and verify.  It's entirely possible this 
behavior is only present with the TAP adapter.  I'll post my findings later 
this week.
 
-
Eric F Crist



On Jan 8, 2013, at 02:52:01, Gert Doering  wrote:

> Hi,
> 
> On Mon, Jan 07, 2013 at 09:38:02PM +0100, Davide Brini wrote:
>> The current documentation looks correct to me. When using client-to-client,
>> traffic is not exposed on the tun interface; when not using
>> client-to-client, traffic shows up on the tun interface and can be
>> firewalled (e.g. with iptables).
> 
> +1
> 
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>   //www.muc.de/~gert/
> Gert Doering - Munich, Germany  g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Correct Man Page: client-to-client

2013-01-08 Thread Gert Doering
Hi,

On Mon, Jan 07, 2013 at 09:38:02PM +0100, Davide Brini wrote:
> The current documentation looks correct to me. When using client-to-client,
> traffic is not exposed on the tun interface; when not using
> client-to-client, traffic shows up on the tun interface and can be
> firewalled (e.g. with iptables).

+1

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Correct Man Page: client-to-client

2013-01-07 Thread Davide Brini
On Mon, 7 Jan 2013 14:30:01 -0600, Eric Crist 
wrote:

> This is something I've been meaning to address for quite some time, since
> the documentation is very, very wrong.  I'm not very good at reading the
> code (yet), so please correct me if I'm wrong.  This update is based on
> behavior I've seen and not as much on my ability to read our source.
> 
> The human-readable difference:
> 
> === OLD ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router.  The --client-to-client flag tells OpenVPN
> to internally route client-to-client traffic rather than
> pushing all client-originating traffic to the TUN/TAP interface.
> 
> When this option is used, each client will "see" the other 
> clients which are currently connected.  Otherwise, each client
> will only see the server.  Don't use this option if you want
> to firewall tunnel traffic using custom, per-client rules.
> 
> === NEW ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router.  The --client-to-client flag tells OpenVPN
> to allow traffic between clients connected to the VPN.  This
> also exposes the traffic between clients to the TUN/TAP
> interface, allowing for firewalling on a per-client basis.
> 
> When this option is used, each client will "see" the other 
> clients which are currently connected.

The current documentation looks correct to me. When using client-to-client,
traffic is not exposed on the tun interface; when not using
client-to-client, traffic shows up on the tun interface and can be
firewalled (e.g. with iptables).

-- 
D.
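What the distinction above means in practice, as an added example (a shell script written for this page, not code from the thread or from the OpenVPN project): per-client iptables rules on the server only take effect when "client-to-client" is left out of the server config, because only then does traffic between two clients leave the OpenVPN process, traverse the tun device and pass the kernel's FORWARD chain. The device name tun0, the subnet 10.8.0.0/24 with "topology subnet", the use of client-config-dir files to pin client addresses, the chain name VPN_C2C and the allowed flows are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: per-client firewalling of OpenVPN tunnel traffic on a Linux
# server. Not from the thread or the OpenVPN project. Assumptions: the server
# runs with "topology subnet" on 10.8.0.0/24 over tun0, and the server config
# does NOT contain "client-to-client", so client-to-client packets are routed
# by the kernel (net.ipv4.ip_forward=1) and pass the netfilter FORWARD chain.
# With "client-to-client" enabled the OpenVPN process forwards such packets
# internally and they never reach tun0, so none of these rules would match.

TUN="${TUN:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_MASK="${VPN_MASK:-255.255.255.0}"

# Constructed policy for the example: allowed new client-to-client flows,
# one per line as "<src> <dst> <proto> <dport>". Everything else between
# clients is dropped.
POLICY='
10.8.0.10 10.8.0.20 tcp 22
10.8.0.10 10.8.0.20 tcp 443
'

# write_ccd DIR COMMON_NAME ADDRESS
# Pins a client (identified by its certificate CN) to a fixed tunnel address
# through a client-config-dir file, so the iptables rules below can match it.
# The server config must contain "client-config-dir DIR".
write_ccd() {
    dir=$1; cn=$2; addr=$3
    printf 'ifconfig-push %s %s\n' "$addr" "$VPN_MASK" > "$dir/$cn"
}

# gen_rules prints the iptables commands implementing POLICY. Only packets
# that both enter and leave on the tunnel device are client-to-client
# traffic; packets addressed to the server itself hit INPUT, not FORWARD.
gen_rules() {
    printf 'iptables -N VPN_C2C 2>/dev/null || iptables -F VPN_C2C\n'
    printf 'iptables -A FORWARD -i %s -o %s -j VPN_C2C\n' "$TUN" "$TUN"
    printf 'iptables -A VPN_C2C -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf '%s\n' "$POLICY" | while read -r src dst proto dport; do
        [ -n "$src" ] || continue
        printf 'iptables -A VPN_C2C -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$src" "$dst" "$proto" "$dport"
    done
    printf 'iptables -A VPN_C2C -s %s -d %s -j DROP\n' "$VPN_NET" "$VPN_NET"
}

# count_rules returns the number of iptables commands gen_rules emits.
count_rules() { gen_rules | wc -l | tr -d ' '; }

# Usage: ./vpn-c2c-fw.sh         (print the rules for review)
#        ./vpn-c2c-fw.sh apply   (as root: enable forwarding and apply them)
case "${1:-print}" in
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null; gen_rules | sh ;;
    *)     gen_rules ;;
esac
```

The script prints the rules by default so they can be reviewed before "apply" runs them as root. write_ccd matters because per-client rules need stable client addresses, and OpenVPN only guarantees those when the address is pushed from a client-config-dir file. If net.ipv4.ip_forward is left off, the kernel does not forward between tun0 and tun0 at all, which is the simplest form of client isolation when no inter-client traffic is wanted.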



[Openvpn-devel] Correct Man Page: client-to-client

2013-01-07 Thread Eric Crist
This is something I've been meaning to address for quite some time, since the 
documentation is very, very wrong.  I'm not very good at reading the code 
(yet), so please correct me if I'm wrong.  This update is based on behavior 
I've seen and not as much on my ability to read our source.

The human-readable difference:

=== OLD ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router.  The --client-to-client flag tells OpenVPN
to internally route client-to-client traffic rather than
pushing all client-originating traffic to the TUN/TAP interface.

When this option is used, each client will "see" the other 
clients which are currently connected.  Otherwise, each client
will only see the server.  Don't use this option if you want
to firewall tunnel traffic using custom, per-client rules.

=== NEW ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router.  The --client-to-client flag tells OpenVPN
to allow traffic between clients connected to the VPN.  This
also exposes the traffic between clients to the TUN/TAP
interface, allowing for firewalling on a per-client basis.

When this option is used, each client will "see" the other 
clients which are currently connected.




diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2ed5201..009aeda 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2987,15 +2987,13 @@ Because the OpenVPN server mode handles multiple clients
 through a single tun or tap interface, it is effectively
 a router.  The
 .B \-\-client-to-client
-flag tells OpenVPN to internally route client-to-client
-traffic rather than pushing all client-originating traffic
-to the TUN/TAP interface.
+flag tells OpenVPN to allow traffic between clients
+connected to the VPN.  This also exposes the traffic between
+clients to the TUN/TAP inteface, allowing for firewalling
+on a per-client basis.
 
 When this option is used, each client will "see" the other
-clients which are currently connected.  Otherwise, each
-client will only see the server.  Don't use this option
-if you want to firewall tunnel traffic using
-custom, per-client rules.
+clients which are currently connected.  
 .\"*
 .TP
 .B \-\-duplicate-cn
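Review bot: the replacement wording in this hunk, "+flag tells OpenVPN to allow traffic between clients" / "+connected to the VPN.  This also exposes the traffic between" / "+clients to the TUN/TAP inteface, allowing for firewalling", states the opposite of the behaviour the other participants in this thread report: with --client-to-client, client-to-client traffic is forwarded inside the OpenVPN process and is not exposed on the tun/tap device, so it cannot be filtered there; without the option it traverses the device and can be matched by iptables. The removed lines "-Don't use this option / -if you want to firewall tunnel traffic using / -custom, per-client rules." are the operationally important caveat and should be kept. Two smaller points in the same hunk: "inteface" is misspelled in the added text, and the line "+clients which are currently connected.  " carries trailing whitespace. Suggest not applying this change as written; if the existing paragraph is to be touched at all, keep its meaning and only tighten the wording.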



-
Eric F Crist