Mathias Sundman <Mathias.Sundman@xxxxxxxxxx> said:

> > > My plan is that the initial version of the forking daemon will follow the
> > > current OpenVPN model of one process, port, and tun/tap dev for each tunnel,
> >
> > why one (server) port for each tunnel?
> > each time i have to configure ftp, h323, or similar <bleeep> thru a firewall
> > i become depressive. why repeat mankind's sins over and over...
> >
> > if you really want to ease things: let there at least be the possibility for
> > the server to receive all connections for all tunnels on the same port...
>
> I fully agree with this. Try to make it use only ONE port.
>
> This is the main reason why I still use ipsec for larger roadwarrior
> installations, and use OpenVPN for those with a small number of clients.
>
> Say you want 50 roadwarriors to connect to a network via OpenVPN.
>
> Today I need to:
>
> 1. Configure the clients' personal firewall to allow 50 outgoing UDP ports,
> given I don't want individual firewall rules on every client.
>
> 2. Make sure that the firewall protecting EVERY network that the
> employee hooks his laptop into has these 50 ports open!
>
> A protocol that negotiates the port to use would require the firewalls
> to understand this protocol to dynamically open the right ports, like with
> ftp, if you don't want to open up a wide range of ports.

I'm not sure this is true. Consider that most firewalls, upon seeing an
outgoing UDP packet fly by on port X, will open up a temporary hole allowing
return packets on port X, from the destination address of the outgoing packet.

Suppose you have an OpenVPN server listening on one open port. A client
connects to the server, then renegotiates a dynamic port. The client opens up
the dynamic port and starts sending packets to the server. The server does
vice versa. Both firewalls allow the connection, because each side is actively
sending packets to the other side.

This works if (a) the firewall is stateful and (b) outgoing packets are not
filtered.

> Like Chris said, don't make this mistake again!
>
> If you use fork to spawn new processes, can't you still use
> the same listening port?
>
> Ideally, I'd like OpenVPN to be able to use one port for all clients,
> then start several instances of OpenVPN on the server to make it listen
> to say, UDP/53, UDP/500, TCP/80, and then tell the client to try them all
> if the first fails!

Suppose client A is connected to UDP 53. The network hiccups and the client
reconnects to TCP 80. But the OpenVPN process on UDP 53 still thinks it's
connected to the client, so it holds on to client-specific resources such as
return routes or tunnel endpoint addresses.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
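James's stateful-firewall argument, as an added example that is not part of the thread or of OpenVPN: a toy Python model of UDP connection tracking that replays the single-port contact followed by the dynamic-port handoff. The addresses, ports and the 30-second timeout are constructed sample values; it shows both conditions he names (stateful tracking, outbound not filtered) and what happens when the hole times out.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulUdpFirewall:
    """Toy model: any outgoing UDP packet opens a temporary return hole
    keyed on the 4-tuple; inbound is admitted only through such a hole."""
    timeout: float = 30.0                       # seconds a hole stays open
    filter_outgoing: bool = False               # condition (b) when False
    state: dict = field(default_factory=dict)   # 4-tuple -> expiry time

    def outbound(self, src, sport, dst, dport, now):
        """Packet leaving the protected network. Returns True if forwarded."""
        if self.filter_outgoing:
            return False
        self.state[(src, sport, dst, dport)] = now + self.timeout
        return True

    def inbound(self, src, sport, dst, dport, now):
        """Packet arriving from outside: mirror the tuple and look for a hole."""
        key = (dst, dport, src, sport)
        expiry = self.state.get(key)
        if expiry is None or now > expiry:
            self.state.pop(key, None)           # expired holes are dropped
            return False
        return True


def dynamic_port_handoff(fw, now=0.0):
    """Client reaches the server's one listening port, then both sides move
    to negotiated dynamic ports. Returns which inbound packets got through."""
    client, server = ("10.0.0.5", 40000), ("198.51.100.1", 1194)  # constructed
    dyn_client, dyn_server = 41000, 52000                          # constructed
    results = {}
    # 1. initial contact on the well-known server port, reply comes back
    fw.outbound(*client, *server, now)
    results["initial_reply"] = fw.inbound(*server, *client, now + 0.1)
    # 2. server speaks first on the dynamic ports: no hole exists yet
    results["server_first"] = fw.inbound(server[0], dyn_server,
                                         client[0], dyn_client, now + 1)
    # 3. client sends from its dynamic port, which opens the return hole
    fw.outbound(client[0], dyn_client, server[0], dyn_server, now + 2)
    results["after_client_send"] = fw.inbound(server[0], dyn_server,
                                              client[0], dyn_client, now + 2.5)
    # 4. nothing sent for longer than the timeout: the hole closes again
    results["after_timeout"] = fw.inbound(server[0], dyn_server, client[0],
                                          dyn_client, now + 2 + fw.timeout + 1)
    return results
```

Step 2 is the case the thread worries about: the dynamic-port scheme only works while the side behind the firewall keeps sending, so a server-initiated or long-idle flow is exactly what a stateful firewall will drop.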