"Kevin P. Fleming" <kpfleming@xxxxxxxxxxxxxxxxxxxx> said:

> James Yonan wrote:
>
> > * Connecting clients can now have a client-specific
> >   configuration on the server, based on the client
> >   common name embedded in the client certificate.
> >   See --client-config-dir and --client-connect.
> >   These options can be used to configure client-specific
> >   routes.
>
> This is very, very cool.
>
> > * Added an option --client-to-client that enables
> >   internal client-to-client routing or bridging.
> >   Otherwise, clients will only "see" the server,
> >   not other connected clients.
>
> I had a weird idea the other day: how hard would it be for OpenVPN to
> use _two_ tun interfaces on the server instead of one, with all received
> traffic coming into one of them and all outbound traffic going out the
> other? This would alleviate the need for OpenVPN to do routing/bridging
> at all (the host OS could still do it), but still keeps the number of
> interfaces down. It also allows the host to do filtering between the
> connected clients, without needing an interface for each connected client.

I don't think this would solve the problem because OpenVPN would still
need to route outbound traffic from one tun/tap interface to a
potentially large set of clients.

The need for OpenVPN to internally route or bridge doesn't go away
unless you have a one-to-one correspondence between clients and tun/tap
interfaces on the server, like you do with 1.x.

In fact I think this one-to-one correspondence is a key feature of
OpenVPN, and that many people who want fine-grained control over every
client may not want to use the new 2.0 features.

I see the 2.0 multi-client server as being a way to handle large numbers
of clients which are mostly treated the same with regards to routing and
firewalling. Running hundreds of clients through a single tun/tap
interface, you can firewall off the interface in a way that treats the
entire client cloud as a group.

And that's really the whole point of the 2.0 exercise -- to give admins
the ability to handle a large number of road-warrior-type dynamic
clients with a simple config file on both server and client.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
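
A simplified model of the routing question discussed in this thread, added here as an example and not taken from the original messages or from OpenVPN's code: with many clients behind one tun interface the server process still has to pick a client for every packet read from tun, and traffic it forwards internally between clients never crosses tun, so host firewall rules on that interface cannot filter it. The class, function names, common names and 10.8.0.x addresses are constructed for illustration.

```python
from ipaddress import ip_address


class MultiClientServer:
    """Simplified model of one server process sharing a single tun device."""

    def __init__(self, client_to_client=False):
        self.client_to_client = client_to_client
        self.routes = {}  # virtual IP -> client common name (internal table)

    def connect(self, common_name, virtual_ip):
        self.routes[ip_address(virtual_ip)] = common_name

    def from_tun(self, dst):
        """Packet read from tun: the daemon must choose which client gets it."""
        cn = self.routes.get(ip_address(dst))
        return ("to_client", cn) if cn else ("drop", None)

    def from_client(self, src_cn, dst):
        """Packet received from a client tunnel."""
        cn = self.routes.get(ip_address(dst))
        if self.client_to_client and cn and cn != src_cn:
            # Forwarded inside the daemon: it never appears on tun, so
            # host firewall rules on that interface never see it.
            return ("to_client", cn)
        # Otherwise hand it to the host OS, which routes and filters it.
        return ("to_tun", None)


def host_firewall_sees(server, src_cn, dst):
    """True if a client's packet crosses tun and is filterable by the host."""
    return server.from_client(src_cn, dst)[0] == "to_tun"


def build(client_to_client):
    # Constructed sample clients; names and addresses are illustrative only.
    s = MultiClientServer(client_to_client)
    s.connect("alice", "10.8.0.6")
    s.connect("bob", "10.8.0.10")
    return s


if __name__ == "__main__":
    for flag in (False, True):
        s = build(flag)
        print("client_to_client =", flag)
        print("  tun -> 10.8.0.10:", s.from_tun("10.8.0.10"))
        print("  alice -> bob visible to host firewall:",
              host_firewall_sees(s, "alice", "10.8.0.10"))
```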