Re: [Openvpn-users] One daemon supporting multiple connections?


  • Subject: Re: [Openvpn-users] One daemon supporting multiple connections?
  • From: "Mathias Sundman" <Mathias.Sundman@xxxxxxxxxx>
  • Date: Mon, 3 Nov 2003 13:57:54 +0100

> > My plan is that the initial version of the forking daemon will follow the
> > current OpenVPN model of one process, port, and tun/tap dev for each tunnel,
> 
> why one (server) port for each tunnel?
> each time i have to configure ftp, h323, or similar <bleeep> thru a firewall
> i become depressive. why repeat mankind's sins over and over...
>
> if you really want to ease things: let there at least be the possibility for
> the server to receive all connections for all tunnels on the same port...

I fully agree with this. Try to make it use only ONE port.

This is the main reason why I still use IPsec for larger roadwarrior
installations, and use OpenVPN for those with a small number of clients.

Say you want 50 roadwarriors to connect to a network via OpenVPN.

Today I need to:

1. Configure the clients' personal firewall to allow 50 outgoing UDP ports,
   given I don't want individual firewall rules on every client.

2. Make sure that the firewall protecting EVERY network that the
   employee hooks his laptop into has these 50 ports open!

A protocol that negotiates the port to use would require the firewalls
to understand this protocol to dynamically open the right ports, like with
ftp, if you don't want to open up a wide range of ports.

Like Chris said, don't make this mistake again!

If you use fork to spawn new processes, can't you still use
the same listening port?

Ideally, I'd like OpenVPN to be able to use one port for all clients,
then start several instances of OpenVPN on the server to make it listen
on, say, UDP/53, UDP/500, TCP/80, and then tell the client to try them all
if the first fails!

That would make the VPN client pass most packet-filtering firewalls.

//Mathias
_____________________________________________________________
Mathias Sundman                  /"\   ASCII Ribbon Campaign
SunGard Availability Services    \ /
Tel:  +46-(0)8-666 32 28          X    NO HTML/RTF in e-mail
Mob:  +46-(0)70-306 63 78        / \   NO Word docs in e-mail

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
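The design the thread argues for, many tunnels behind one listening port, comes down to demultiplexing datagrams by their source address rather than by the socket they arrived on. The following is an added illustration written for this page, not code from the thread or from OpenVPN itself: a single UDP socket is bound once, and each datagram is assigned to a per-peer session keyed by the sender's (address, port). The session table, its size of 64 entries, the `session_lookup`/`session_count`/`make_peer` names, and the local port 1194 used in `main` are all assumptions made for the example.

```c
/* Added example (not from the mailing-list thread or OpenVPN's own code):
 * one UDP socket, many tunnels. Each incoming datagram is assigned to a
 * per-peer session keyed by the sender's (address, port), so the server
 * needs exactly one listening port and a firewall needs exactly one rule. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_SESSIONS 64   /* assumed table size for this example */

struct session {
    int in_use;
    struct in_addr addr;   /* peer IPv4 address, network byte order */
    uint16_t port;         /* peer UDP port, network byte order */
    unsigned long packets; /* datagrams seen from this peer */
};

static struct session sessions[MAX_SESSIONS];

/* Return the slot belonging to this peer, allocating one on first contact.
 * Returns -1 when the table is full; the caller should then drop the
 * datagram rather than evict an established tunnel. */
int session_lookup(const struct sockaddr_in *peer)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].in_use) {
            if (sessions[i].addr.s_addr == peer->sin_addr.s_addr &&
                sessions[i].port == peer->sin_port)
                return i;            /* existing tunnel for this peer */
        } else if (free_slot < 0) {
            free_slot = i;           /* remember the first empty slot */
        }
    }
    if (free_slot < 0)
        return -1;
    sessions[free_slot].in_use = 1;
    sessions[free_slot].addr = peer->sin_addr;
    sessions[free_slot].port = peer->sin_port;
    sessions[free_slot].packets = 0;
    return free_slot;
}

/* Number of distinct peers currently tracked. */
int session_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].in_use)
            n++;
    return n;
}

/* Build a sockaddr_in from dotted-quad text and a host-order port.
 * Returns 0 on success, -1 if the address text is invalid. */
int make_peer(struct sockaddr_in *out, const char *ip, uint16_t port)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* Serve: bind ONE socket, then route every datagram to its peer's session. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in local;
    make_peer(&local, "0.0.0.0", 1194);   /* assumed listening port */
    if (fd < 0 || bind(fd, (struct sockaddr *)&local, sizeof local) < 0) {
        perror("bind");
        return 1;
    }
    for (;;) {
        char buf[2048];
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0,
                             (struct sockaddr *)&peer, &len);
        if (n < 0)
            break;
        int s = session_lookup(&peer);
        if (s < 0)
            continue;                     /* table full: drop the datagram */
        sessions[s].packets++;
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip);
        printf("session %d peer %s:%u packet %lu (%zd bytes)\n",
               s, ip, ntohs(peer.sin_port), sessions[s].packets, n);
    }
    close(fd);
    return 0;
}
```

The point for the fork question raised in the post: a forked child does inherit the listening descriptor, but with UDP there is no per-connection socket to hand off, so whichever process calls `recvfrom` gets the next datagram regardless of sender. Keying state on the peer address in one process (or one process per port, as the post suggests for UDP/53, UDP/500 and TCP/80) is what lets all tunnels share a single port.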