Re: [Openvpn-users] Capture all traffic in a client-to-client setup

2019-12-22 Thread Gert Doering
Hi,

On Sun, May 19, 2019 at 04:54:36PM +0200, Marc SCHAEFER wrote:
> Question 2: would VLAN work in this setup ?  I have already deployed VLAN
> trunks on ethernet and wifi, but not so far attempted to make the VLAN tagged
> frames travel through OpenVPN, is there anything special to do so it works,
> or does it automagically work (no VLAN isolation required, just
> trunk mode) ?  If it is not possible, then I will implement multiple VPNs,
> each with its own bridged VLAN.

OpenVPN git master has VLAN support now.

Clients get grouped by vlan ID, the tap interface to the linux host 
can be run tagged - like a "classical switch" with 802.1q tagged port.

@jjk: tun mode works differently from tap mode wrt "no client-to-client" -
a layer2 interface will not forward a packet received on a given LAN
port back out the same port.  A routed port will, if the route points
there and ip_forward is enabled.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Capture all traffic in a client-to-client setup

2019-05-26 Thread Marc SCHAEFER
Hello,

Thank you for your reply:

On Mon, May 20, 2019 at 07:46:11PM +0200, Jan Just Keijser wrote:
> you'd have to disable 'client-to-client', enable IP forwarding on your
> server and set up the appropriate routing and iptables rules. Packets should
> essentially "leave" openvpn and be handed off to the kernel. The kernel may
> then decide to feed them back into OpenVPN (via the tap i/f again) based on
> routing rules.

Actually this works if I add:

   brctl hairpin br0 tap0 on

Thank you for your suggestion.

> as you are running a tap-style network I'd think this should "just work":
> the Linux kernel sees the tap device as "just another ethernet" device.

According to this:

https://ente.limmat.ch/kb/linux/networking/bonding_vlan_bridge_tap_config.html

it should work.

I haven't tried it yet, though.

Have a nice week.



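One way to check a server for the recipe that emerged in this thread (tap mode, 'client-to-client' removed so frames leave OpenVPN through the tap device, and hairpin enabled on the bridge port), as an added example that is not part of the original thread. The config parser is a simplified assumption about OpenVPN's file syntax, the path /sys/class/net/<bridge>/brif/<port>/hairpin_mode is an assumption about the Linux bridge sysfs layout, and make_demo_sysroot builds a constructed tree so the audit runs offline.

```python
from pathlib import Path
import tempfile

def parse_openvpn_config(text):
    """Map each option in an OpenVPN config to its argument list; '#'/';'
    comment lines and <tag>...</tag> inline-file blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def audit_capture_setup(config_text, bridge, sysroot="/"):
    """Return findings explaining why inter-client frames would NOT reach the
    server's tap port; [] means tap dev, no client-to-client, hairpin on."""
    opts = parse_openvpn_config(config_text)
    dev = opts.get("dev", [""])[0]
    if not dev.startswith("tap"):
        return ["dev is %r; the bridged recipe needs a tap device" % dev]
    findings = []
    if "client-to-client" in opts:
        findings.append("client-to-client is set: OpenVPN switches frames "
                        "internally and they never reach %s" % dev)
    # Assumed sysfs layout: bridge port attributes live under
    # /sys/class/net/<bridge>/brif/<port>/; hairpin_mode reads "1" when on.
    port = Path(sysroot) / "sys/class/net" / bridge / "brif" / dev
    if not port.is_dir():
        findings.append("%s is not a port of bridge %s" % (dev, bridge))
    elif (port / "hairpin_mode").read_text().strip() != "1":
        findings.append("hairpin_mode is off on %s (brctl hairpin %s %s on)"
                        % (dev, bridge, dev))
    return findings

def make_demo_sysroot(bridge="br0", port="tap0", hairpin=True):
    """Constructed sysfs look-alike in a temp dir so the audit runs offline."""
    root = Path(tempfile.mkdtemp())
    d = root / "sys/class/net" / bridge / "brif" / port
    d.mkdir(parents=True)
    (d / "hairpin_mode").write_text("1\n" if hairpin else "0\n")
    return str(root)
```

On a live server call audit_capture_setup(open("server.conf").read(), "br0") with the default sysroot; each returned string names the setting that still keeps inter-client frames away from tap0.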


Re: [Openvpn-users] Capture all traffic in a client-to-client setup

2019-05-20 Thread Jan Just Keijser

Hi Marc,

On 19/05/19 16:54, Marc SCHAEFER wrote:
> Hello,
>
> I run a layer 2 (bridging) large OpenVPN network linking ethernet
> interfaces, wifi interfaces, software bridges, tap interfaces, etc.
>
> The idea behind the layer 2 virtual network was for maximum flexibility:
> it is an educational network where people must collaboratively manage it
> (including setting up their own DHCP server, WiFi authentication, etc).
>
> It works like a charm.
>
> As this is an educational network, there are times where I want
> to see all exchanged traffic, for debugging or illustrative purposes.
> What I noticed is if "client-to-client" is not enabled, then the layer 2
> does not work, and with it enabled, it works, but I don't see inter-client
> traffic on the main VPN server.
>
> Question 1: how may I see inter-client traffic on the main VPN ?

You'd have to disable 'client-to-client', enable IP forwarding on your
server and set up the appropriate routing and iptables rules. Packets
should essentially "leave" openvpn and be handed off to the kernel. The
kernel may then decide to feed them back into OpenVPN (via the tap i/f
again) based on routing rules.


I have made this work for tun-style networks on Linux and see no reason
why it wouldn't also work with tap.

> Question 2: would VLAN work in this setup ?  I have already deployed VLAN
> trunks on ethernet and wifi, but not so far attempted to make the VLAN tagged
> frames travel through OpenVPN, is there anything special to do so it works,
> or does it automagically work (no VLAN isolation required, just
> trunk mode) ?  If it is not possible, then I will implement multiple VPNs,
> each with its own bridged VLAN.

As you are running a tap-style network I'd think this should "just work":
the Linux kernel sees the tap device as "just another ethernet" device.
However, I do remember that there are some VLAN patches floating around,
but I don't know if they still apply and whether they deal with tun or tap.


HTH,

JJK





[Openvpn-users] Capture all traffic in a client-to-client setup

2019-05-19 Thread Marc SCHAEFER
Hello,

I run a layer 2 (bridging) large OpenVPN network linking ethernet
interfaces, wifi interfaces, software bridges, tap interfaces, etc.

The idea behind the layer 2 virtual network was for maximum flexibility:
it is an educational network where people must collaboratively manage it
(including setting up their own DHCP server, WiFi authentication, etc).

It works like a charm.

As this is an educational network, there are times where I want
to see all exchanged traffic, for debugging or illustrative purposes.
What I noticed is if "client-to-client" is not enabled, then the layer 2
does not work, and with it enabled, it works, but I don't see inter-client
traffic on the main VPN server.

Question 1: how may I see inter-client traffic on the main VPN ?

Question 2: would VLAN work in this setup ?  I have already deployed VLAN
trunks on ethernet and wifi, but not so far attempted to make the VLAN tagged
frames travel through OpenVPN, is there anything special to do so it works,
or does it automagically work (no VLAN isolation required, just
trunk mode) ?  If it is not possible, then I will implement multiple VPNs,
each with its own bridged VLAN.

Thank you for your input.

