
Re: [Openvpn-users] New subnet topology feature ready for testing


  • Subject: Re: [Openvpn-users] New subnet topology feature ready for testing
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 8 Sep 2005 11:02:47 -0600 (MDT)

On Thu, 8 Sep 2005, Mathias Sundman wrote:

> On Thu, 8 Sep 2005, James Yonan wrote:
> 
> > But the discussion continued, and more recently we hit upon the idea to
> > use a proxy-ARP mechanism to allow the TAP-Win32 driver to support
> > tun-mode subnets:
> >
> > http://openvpn.net/archive/openvpn-devel/2005-06/msg00017.html
> >
> > The result, which I've just completed, is a patch to 2.0 which
> > supports a new "topology" directive in "dev tun" mode.
> 
> Cool! I was just thinking about this feature a day ago because I had a 
> customer ask me about how to use OpenVPN to tunnel a public IP address 
> over a network using private IP addresses. This feature fits this need 
> perfectly as using /30 subnets wastes public IP addresses and --dev tap
> wastes bandwidth with broadcasts and packet overhead.
> 
> A couple of questions:
> 
> What happens with IP broadcasts with this topology? Are they dropped or
> forwarded to all clients?

This is still a dev tun, routing-based topology, so it works just as it
does now -- broadcasts would be dropped.

> Does this solve the "security issue" with --dev tap that the IP address 
> wasn't checked if it really belonged to the correct client or not (without 
> using iptables or such to do this check outside of OpenVPN)? I mean does
> this new topology pass the same checks as normal --dev tun mode?

Yes, it does -- or rather I might say that the issue never existed in dev 
tun mode anyway, and the subnet topology doesn't change this.

> I assume the normal ways of assigning static IP addresses can still be 
> used; ccd files, client-connect scripts and ipp files, right?

Yes, exactly.

James
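
An added illustration, not part of the original message and not OpenVPN's own code: a simplified Python model of the per-client source address check that the thread says applies in dev tun mode, where a packet is accepted only if its source address is owned by the client that sent it. The client names, addresses, and the `routed` networks are constructed sample values.

```python
import ipaddress

# Constructed sample state: the virtual address each client was assigned
# (for example through a ccd file) plus any extra networks routed to it.
CLIENTS = {
    "client1": {"addr": "10.8.0.50", "routed": ["192.168.50.0/24"]},
    "client2": {"addr": "10.8.0.51", "routed": []},
}


def build_table(clients):
    """Return (network, owner) pairs, most specific prefix first."""
    table = []
    for name, cfg in clients.items():
        # The client's own tunnel address is a host route.
        table.append((ipaddress.ip_network(cfg["addr"] + "/32"), name))
        for net in cfg["routed"]:
            table.append((ipaddress.ip_network(net), name))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def owner_of(table, address):
    """Longest-prefix match: which client owns this address, if any."""
    ip = ipaddress.ip_address(address)
    for net, name in table:
        if ip in net:
            return name
    return None


def accept_packet(table, sender, src_ip):
    """Accept only when the source address is owned by the sending client."""
    return owner_of(table, src_ip) == sender


TABLE = build_table(CLIENTS)

if __name__ == "__main__":
    samples = [  # constructed (sender, source address) pairs
        ("client1", "10.8.0.50"),     # own address
        ("client1", "10.8.0.51"),     # address assigned to client2
        ("client1", "192.168.50.7"),  # inside a network routed to client1
        ("client2", "10.8.0.99"),     # address assigned to nobody
    ]
    for sender, src in samples:
        verdict = "accept" if accept_packet(TABLE, sender, src) else "drop"
        print(f"{sender} src={src}: {verdict}")
```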

