Re: [Vtun-Users] 2 clients 1 server
From: Michael R. <mic...@rs...> - 2009-12-11 12:46:33
First of all: you should reply to the list & me to keep the mailing list up to date.

On 11.12.2009 12:50, dorian wrote:
> See below:
>>> Anyway I would be obliged if you explain to me what the "multi yes"
>>> parameter in the server config is for?
>>
>> With "multi yes" any client can connect to the VPN-Server with the
>> same "profile" and "password", as IPSEC does with the same
>> Authentication-Key. That's ok when only you have control over
>> all of it, but it is highly recommended to create 1 profile for each
>> connection.
>>
> Not quite true.
> I've set up 2 Linksys in the same way (same session, password, etc.)
> The only difference were the internal (tunnel) IPs which were 172.16.0.2
> & 172.16.0.3.
> The first Linksys established the tunnel correctly.
> But after switching on the second device I got the message:
> "Can't allocate tap device tap0. Device or resource busy(16)".

Change the profile declaration "device tap0" to "device tap" and let vtun increment your tap devices.

> Removing the profile declaration "device tap0" rescues the matter, but each
> Linksys creates its own tap then.

Correct, this is the right behaviour. Each tunnel needs a unique tunnel endpoint (tap0, tap1, tap2... tapN).

> So I do not see differences between:
> a) having two profiles with explicit declaration of "device tapN" and
> "multi killold"
> and
> b) having one profile without "device tap0" and with "multi on"
> What is more, (a) is better since I am controlling the name of the tap
> device.

Create one profile per connection for security reasons. You can tell vtun to create an explicit "device tapN" or let vtun increment the tap device ("device tap") automatically. In my topology I have one profile for each client and use "device tap". I don't care about the device allocation.
You can see the device names for each connection-profile association by running "ps ax | grep 'vtun'".

> Therefore I wrote previously that I didn't see the sense of "multi on".

With "multi on" and "device tap" you can connect as many clients as you need. With the following profile configuration:

    up {
      program "/sbin/ip link set dev %% up";
      program "/sbin/ip addr add 0.0.0.0 dev %%";
      program "/sbin/brctl addif vpnbr %%";
    };
    down {
      program "/sbin/brctl delif vpnbr %%";
    };

all clients will be bridged together.
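As an added illustration (not part of the thread, and not vtun's shipped sample config): a hypothetical server-side vtund.conf that puts the advice above side by side, a single shared profile with a fixed "device tap0" that breaks for the second client, versus one profile and one password per client with the device left to vtund and the up/down scripts bridging each tap into "vpnbr". The bridge name is from the thread; the port, profile names and passwords are constructed placeholders.

```conf
# Server-side vtund.conf (hypothetical example; bridge "vpnbr" is from the
# thread, port, profile names and passwords are constructed placeholders).
options {
  port   5000;
  syslog daemon;
}

default {
  type      ether;   # layer-2 tunnel, so the client LANs can be bridged
  proto     tcp;
  encrypt   yes;
  keepalive yes;
}

# Not recommended: one shared profile with a fixed device. The second
# client that logs in cannot allocate tap0 again and fails with
# "Can't allocate tap device tap0. Device or resource busy(16)".
# shared { passwd SharedSecret; device tap0; multi yes; }

# Recommended: one profile and one password per client. With no "device"
# line vtund allocates the next free tap device for each session and
# hands its name to the up/down scripts as %%.
linksys_a {
  passwd  SecretForA;
  multi   killold;   # a reconnect replaces that client's stale session
  up {
    program "/sbin/ip link set dev %% up";
    program "/sbin/ip addr add 0.0.0.0 dev %%";
    program "/sbin/brctl addif vpnbr %%";   # join the bridge
  };
  down {
    program "/sbin/brctl delif vpnbr %%";   # leave the bridge on disconnect
  };
}

linksys_b {
  passwd  SecretForB;
  multi   killold;
  up {
    program "/sbin/ip link set dev %% up";
    program "/sbin/ip addr add 0.0.0.0 dev %%";
    program "/sbin/brctl addif vpnbr %%";
  };
  down {
    program "/sbin/brctl delif vpnbr %%";
  };
}
```

Each Linksys then names its own profile (linksys_a or linksys_b) and password in its client-side config, so a leaked password only exposes that one session and can be rotated without touching the other client.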