From: Jan J. K. <ja...@ni...> - 2007-12-21 15:41:21
Marco Fretz wrote:
> I think it won't work because TAP "bridges" the clients together and TUN
> with client-to-client routes the clients together... there is no
> reason that traffic from client A to client B has to come out of the
> tap interface. And so I can't filter with iptables because the FORWARD
> chain only applies to forwarded traffic (from one interface to another
> interface). Right?

Right, the packet will never "leave" the openvpn server process (if I read the source code correctly). However, the same openvpn source code also has this specific

    if (m->enable_c2c) { ... } else { ... }

block, which suggests that it does support the (blocking of) client-to-client traffic.

cheers,

JJK

>
> Anyway, I'll try it :)
>
> thanks
>
> Jan Just Keijser wrote:
>> From reading the openvpn source code (file multi.c) I'd say that
>> client-to-client is treated nearly the same for TAP or TUN
>> connections (bridged tap connections are different). Of course, the
>> easiest thing to do is to connect 2 clients *without*
>> client-to-client and then try to ping each other.
>>
>> HTH,
>>
>> JJK
>>
>> Marco Fretz wrote:
>>> hi
>>>
>>> but this is only in TUN mode, isn't it? I can't find anything like
>>> client-to-client in TAP mode. But for my needs I have to use TAP
>>> instead of TUN.
>>>
>>> thx
>>> marco
>>>
>>> Jan Just Keijser wrote:
>>>> hi Marco,
>>>>
>>>> as long as you don't have the server directive
>>>>     client-to-client
>>>> in your server config file then clients should not be allowed to
>>>> connect to each other.
>>>>
>>>> HTH,
>>>>
>>>> JJK
>>>>
>>>> Marco wrote:
>>>>> hello
>>>>>
>>>>> I've got an openvpn server running with TAP. I want to block
>>>>> traffic from client A to client B. Client A and client B are both
>>>>> connected over the same openvpn server process (same server tap
>>>>> device).
>>>>> Is this possible? Can I block such traffic with iptables on the
>>>>> tap0 interface on the openvpn server?
>>>>>
>>>>> I think that won't be possible because TAP is like Layer 2 and the
>>>>> packets may be forwarded inside the openvpn process and not over
>>>>> the tap0 device.
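The two points the thread turns on (whether the server config carries the client-to-client directive, and what an iptables rule on the server's tap device can and cannot see) can be checked with a small script. The following is an added example, not code from the thread or from the OpenVPN project. It assumes a hypothetical layout: the server's VPN interface is tap0, the VPN subnet is 10.8.0.0/24 and the LAN uplink is eth0; the two server configs it audits are constructed inline for illustration. The iptables rules are only printed unless APPLY=1 is set, and the tap0-to-tap0 DROP rule can only ever match traffic that actually leaves the openvpn process through the tap device, which, as discussed above, is the case when client-to-client is not set.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project).
# Hypothetical layout: server VPN device tap0, VPN subnet 10.8.0.0/24, LAN uplink eth0.
# Needs only POSIX sh, grep and mktemp. iptables is printed, not run, unless APPLY=1.

# c2c_enabled CONFIG -> exit 0 if an uncommented client-to-client directive is present.
# With that directive set, openvpn hands A-to-B packets straight to client B
# inside the server process; they never touch tap0, so no iptables rule sees them.
c2c_enabled() {
    grep -Eq '^[[:space:]]*(--)?client-to-client([[:space:]]|$)' "$1"
}

# audit_config CONFIG -> prints "c2c:on ..." and returns 1, or "c2c:off ..." and returns 0.
audit_config() {
    if c2c_enabled "$1"; then
        echo "c2c:on  - clients reach each other inside openvpn; remove the directive"
        return 1
    fi
    echo "c2c:off - inter-client packets are written to the tap device and can be filtered"
    return 0
}

# inter_client_rules DEV -> print FORWARD rules for the server:
#   drop anything that enters and leaves through the same tap device (client hairpin),
#   still let clients reach the LAN behind the server and receive the replies.
inter_client_rules() {
    dev=$1
    cat <<EOF
iptables -A FORWARD -i $dev -o $dev -j DROP
iptables -A FORWARD -i $dev -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o $dev -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed sample configs (illustration only, not real deployments):
# the weak one carries the directive, the hardened one leaves it out.
weak_conf=$(mktemp)
hard_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
dev tap0
server 10.8.0.0 255.255.255.0
client-to-client
EOF
cat >"$hard_conf" <<'EOF'
dev tap0
server 10.8.0.0 255.255.255.0
# client-to-client deliberately left out: A-to-B traffic now exits via tap0
EOF

audit_config "$weak_conf" || true
audit_config "$hard_conf"
inter_client_rules tap0
if [ "${APPLY:-0}" = 1 ]; then
    inter_client_rules tap0 | sh
fi
rm -f "$weak_conf" "$hard_conf"
```

Run it as root with APPLY=1 only on the OpenVPN server itself; the DROP rule is a safety net for the case the thread describes (traffic that reaches tap0 and would be forwarded back out of it), and it requires the kernel to be doing that forwarding in the first place. The audit is the part that matters: if the directive is present, the packets never reach the FORWARD chain at all.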