Re: [Openvpn-devel] Correct Man Page: client-to-client
On Tue, 8 Jan 2013 07:41:59 -0600, Eric Crist wrote:
> I'm certain this is the behavior for TAP, but I'll do some due diligence
> and generate a few different scenarios and verify. It's entirely
> possible this behavior is only present with the TAP adapter. I'll post
> my findings later this week.
>
> - Eric F Crist

It's the same for tun and tap in my experience.

--
D.
Re: [Openvpn-devel] Correct Man Page: client-to-client
I'm certain this is the behavior for TAP, but I'll do some due diligence and generate a few different scenarios and verify. It's entirely possible this behavior is only present with the TAP adapter. I'll post my findings later this week.

- Eric F Crist

On Jan 8, 2013, at 02:52:01, Gert Doering wrote:
> Hi,
>
> On Mon, Jan 07, 2013 at 09:38:02PM +0100, Davide Brini wrote:
>> The current documentation looks correct to me. When using client-to-client,
>> traffic is not exposed on the tun interface; when not using
>> client-to-client, traffic shows up on the tun interface and can be
>> firewalled (eg with iptables).
>
> +1
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
> --
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Correct Man Page: client-to-client
Hi,

On Mon, Jan 07, 2013 at 09:38:02PM +0100, Davide Brini wrote:
> The current documentation looks correct to me. When using client-to-client,
> traffic is not exposed on the tun interface; when not using
> client-to-client, traffic shows up on the tun interface and can be
> firewalled (eg with iptables).

+1

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] Correct Man Page: client-to-client
On Mon, 7 Jan 2013 14:30:01 -0600, Eric Crist wrote:
> This is something I've been meaning to address for quite some time, since
> the documentation is very, very wrong. I'm not very good at reading the
> code (yet), so please correct me if I'm wrong. This update is based on
> behavior I've seen and not as much on my ability to read our source.
>
> The human-readable difference:
>
> === OLD ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router. The --client-to-client flag tells OpenVPN
> to internally route client-to-client traffic rather than
> pushing all client-originating traffic to the TUN/TAP interface.
>
> When this option is used, each client will "see" the other
> clients which are currently connected. Otherwise, each client
> will only see the server. Don't use this option if you want
> to firewall tunnel traffic using custom, per-client rules.
>
> === NEW ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router. The --client-to-client flag tells OpenVPN
> to allow traffic between clients connected to the VPN. This
> also exposes the traffic between clients to the TUN/TAP
> interface, allowing for firewalling on a per-client basis.
>
> When this option is used, each client will "see" the other
> clients which are currently connected.

The current documentation looks correct to me. When using client-to-client, traffic is not exposed on the tun interface; when not using client-to-client, traffic shows up on the tun interface and can be firewalled (eg with iptables).

--
D.
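Davide's point, that inter-client packets only pass through the kernel on the tun interface when --client-to-client is absent, as an added example that is not from this thread or the OpenVPN project: a POSIX sh helper that emits an iptables-restore fragment permitting only listed client-to-client flows on tun0 and dropping the rest. The interface name, the VPN addresses, the "src>dst" allow-list format and the ccd/ifconfig-push pinning are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's or OpenVPN's own code): per-client filtering
# of inter-client VPN traffic on the server.
# This only works when server.conf does NOT contain "client-to-client": with
# that option OpenVPN forwards client-to-client packets internally and they
# never reach the kernel FORWARD chain. The kernel also needs ip_forward=1.
# Assumed (constructed) setup: VPN interface tun0, topology subnet, clients
# pinned to fixed addresses through client-config-dir, e.g. ccd/alice holding
# "ifconfig-push 10.8.0.10 255.255.255.0" and ccd/bob 10.8.0.20.

VPN_IF="${VPN_IF:-tun0}"

# Emit an iptables-restore fragment for the filter table. Each argument is an
# allowed flow "src>dst" (IPv4 address or CIDR); any other packet that enters
# on tun0 and would leave on tun0 (i.e. client-to-client) is logged and dropped.
# Return traffic for allowed flows is accepted via conntrack, so only the
# initiating direction needs to be listed.
per_client_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' "-A FORWARD -i $VPN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for flow in "$@"; do
        src=${flow%%>*}   # text before the first '>'
        dst=${flow#*>}    # text after the first '>'
        printf '%s\n' "-A FORWARD -i $VPN_IF -o $VPN_IF -s $src -d $dst -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -i $VPN_IF -o $VPN_IF -m limit --limit 5/min -j LOG --log-prefix \"vpn-c2c-drop: \""
    printf '%s\n' "-A FORWARD -i $VPN_IF -o $VPN_IF -j DROP"
    printf '%s\n' 'COMMIT'
}

# Number of FORWARD rules the fragment would install (sanity check before
# loading it on the server).
forward_rule_count() {
    per_client_rules "$@" | grep -c '^-A FORWARD'
}

# Demo: alice (10.8.0.10) may initiate connections to bob (10.8.0.20); every
# other client-to-client flow is dropped. Prints the fragment to stdout.
per_client_rules '10.8.0.10>10.8.0.20'
```

On the server the fragment is loaded with `per_client_rules '10.8.0.10>10.8.0.20' | iptables-restore -n` (`-n` keeps existing rules in other chains); with client-to-client enabled the same rules would simply never match.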
[Openvpn-devel] Correct Man Page: client-to-client
This is something I've been meaning to address for quite some time, since the documentation is very, very wrong. I'm not very good at reading the code (yet), so please correct me if I'm wrong. This update is based on behavior I've seen and not as much on my ability to read our source.

The human-readable difference:

=== OLD ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router. The --client-to-client flag tells OpenVPN
to internally route client-to-client traffic rather than
pushing all client-originating traffic to the TUN/TAP interface.

When this option is used, each client will "see" the other
clients which are currently connected. Otherwise, each client
will only see the server. Don't use this option if you want
to firewall tunnel traffic using custom, per-client rules.

=== NEW ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router. The --client-to-client flag tells OpenVPN
to allow traffic between clients connected to the VPN. This
also exposes the traffic between clients to the TUN/TAP
interface, allowing for firewalling on a per-client basis.

When this option is used, each client will "see" the other
clients which are currently connected.

diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2ed5201..009aeda 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -2987,15 +2987,13 @@ Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The .B \-\-client-to-client -flag tells OpenVPN to internally route client-to-client -traffic rather than pushing all client-originating traffic -to the TUN/TAP interface. +flag tells OpenVPN to allow traffic between clients +connected to the VPN. This also exposes the traffic between +clients to the TUN/TAP inteface, allowing for firewalling +on a per-client basis. When this option is used, each client will "see" the other -clients which are currently connected. Otherwise, each -client will only see the server. Don't use this option -if you want to firewall tunnel traffic using -custom, per-client rules. +clients which are currently connected. .\"* .TP .B \-\-duplicate-cn - Eric F Crist
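Review bot: the replacement text in this hunk inverts the behaviour the replies in the thread describe. With --client-to-client OpenVPN routes inter-client traffic internally, so it does not reach the TUN/TAP interface; it is the absence of the option that lets the traffic be firewalled. The added sentence "This also exposes the traffic between clients to the TUN/TAP inteface, allowing for firewalling on a per-client basis." should therefore be dropped, and the removed "Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules." guidance kept, since that is the part the existing man page gets right. Minor: "inteface" in the added line is a typo for "interface".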