openvpn-devel Mailing List for OpenVPN

Hi=A3=ACDenis Vlasenko >SL'ed protocols (i.e. tunneling streams over TCP) are fine. >Tunneling TCP packets over TCP is another matter, its a Bad= Thing. >AFAIK even openvpn manpages have URL of the relevant article. >I don't understand what you're asking, sorry. >Doesn't OpenVPN already does what you want? >-- >vda I am sorry I did not describe my thought clealy. Generally, I want to know the mechanism of OpenVPN (In the TCP= connection case). I am not sure that when OpenVPN use TCP connection, whether it is= based on SSL. When multi clients, OpenVPN works like a bridge, right? If OpenVPN is based SSL when it using TCP. What content is the= TCP payload? [ip(real ips)|tcp|SSL_encrypt(ip(tun ips)|.....)], right? Best Regards Ouyang Kai 

On Tuesday 08 June 2004 09:38, oyk wrote: > >not always. I am using udp, not tcp (tcp over tcp is prone > >to 'internal meltdown' if your network losing packets, > >and you _must_ design your network as if it does, even in reality it > >works perfectly). Also, ethheader exists only on tap devices, not tun. > >So, my picture is: > > > >[ip(real ips)|udp|ip(tun ips)|.....] > > Thank you very much. > There are many companies and organizations are developing VPN based SSL= , > such as stunnel. But many developments/solutions could solve TCP only. SSL'ed protocols (i.e. tunneling streams over TCP) are fine. Tunneling TCP packets over TCP is another matter, its a Bad Thing. AFAIK even openvpn manpages have URL of the relevant article. > I think whether it is possible to develop SSL VPN based virtual NIC, wh= ich > could solve the whole IP protocols (TCP/UDP, ARP etc). Simultaneity, we > could do the fine-granted access control in the application layer to > protect the internal resource. In my last experience, I developed TDI > driver-based SSL VPN solution (for widnows client). And the server just= do > like stunnel. I think it is hard to support UDP, ARP on this routine. S= o, I > want to do some work on the virtual NIC. > Could you give me some your advice? > Thanks a lot. I don't understand what you're asking, sorry. Doesn't OpenVPN already does what you want? --=20 vda 

On Monday 07 June 2004 18:54, James Yonan wrote: > > > PS: could I use windows version as OpenVPN Server? > > > > As a last resort only ;) > > Actually, the OpenVPN server will run fine on Windows, though it may be > slightly less efficient than Linux on equivalent hardware. Sorry, I didn't mean that it won't work. I meant "use Windows as a last resort, if you positively cannot install Linux on that box". --=20 vda 

Hi=A3=ACDenis Vlasenko >On Tuesday 08 June 2004 04:18, oyk wrote: >> >> I want to know how the openvpn control the multi-client= case in 2.0 >> >> version. for example: >> >> clientA---Internet---| |----Internal Server1 >> >> >> >> |----Server---|----Internal Server2 >> >> >> >> clientB---Internet---| |----Internal Server3 >> >> >> >> Based on my comprehension, clientA (10.1.0.2) and clientB= (10.1.0.3) can >> >> make a tunnel with Server (10.1.0.1) respectively using TCP= connection. >> >> clientA sockA----------Server SockA1 >> >> clientB sockB----------Server SockB1 >> >> When Server recieves the package from clientA or clientB,= it pushs the >> >> packages to the tun/tap device. And the Server box could= route the >> >> package to the internal server. And the internal server= response the >> >> package to Server. >> > >> >No. Internal server replies to client's IP address. >> >Whether it will be sent to client thru "Server" or not >> >depends on routing. Typically you will have symmetric >> >routing setup, and it will go thru "Server". >> >> I am not sure whether my comprehension is right. >> ClientA(tap ip: 10.1.0.2, real ip: 1.2.3.4) >> Server(tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet:= 10.1.1.0/24) >> when ClientA connects an internal ServerB (10.1.1.2) >> >> The package from ClientA should be: >> |IPheader(src:1.2.3.4, dst:|= 5.6.7.8)|TCPheader||etherheader|IPHeader10.1.0.2|.....|| >> = ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~content right? > >not always. I am using udp, not tcp (tcp over tcp is prone >to 'internal meltdown' if your network losing packets, >and you _must_ design your network as if it does, even in= reality it >works perfectly). Also, ethheader exists only on tap devices,= not tun. >So, my picture is: > >[ip(real ips)|udp|ip(tun ips)|.....] Thank you very much. There are many companies and organizations are developing VPN= based SSL, such as stunnel. But many developments/solutions could solve TCP only. I think whether it is possible to develop SSL VPN based virtual= NIC, which could solve the whole IP protocols (TCP/UDP, ARP etc). Simultaneity, we= could do the fine-granted access control in the application layer to protect= the internal resource. In my last experience, I developed TDI driver-based SSL VPN= solution (for widnows client). And the server just do like stunnel. I think it is hard to= support UDP, ARP on this routine. So, I want to do some work on the virtual NIC. Could you give me some your advice? Thanks a lot. > >> Server recieved the package, push the content into the tap/tun= device. >> When the internal ServerB revieves the content, it response= another package >> to 10.1.0.2, right? >> >> When the Server recieved the response package, it encapsulate= the package into: >> |IPheader(src:5.6.7.8, dst:|= 1.2.3.4)|TCPheader||etherheader|IPHeader10.1.0.2|.....|| >> >> and send to ClientA, right? >> The OpenVPN Server differ clients' package based on the= response package's >> IPHeader, right? Could you tell me where I can find the= interrelated code? >> the OpenVPN source code is too much. > >kernel does it IMHO. openvpn only knows that kernel said:= "somebody wanted >to send this packet via tun/tap device you control, here's the= packet". >I.e. kernel already did make routing decision that this packes= goes to >this device. > >I suggest reading some TCP/IP book/online docs. People scale far= worse >than webpages 8) >-- Best Regards Ouyang Kai 

On Tuesday 08 June 2004 04:18, oyk wrote: > >> I want to know how the openvpn control the multi-client case in 2= =2E0 > >> version. for example: > >> clientA---Internet---| |----Internal Server1 > >> > >> |----Server---|----Internal Server2 > >> > >> clientB---Internet---| |----Internal Server3 > >> > >> Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3)= can > >> make a tunnel with Server (10.1.0.1) respectively using TCP connecti= on. > >> clientA sockA----------Server SockA1 > >> clientB sockB----------Server SockB1 > >> When Server recieves the package from clientA or clientB, it pushs t= he > >> packages to the tun/tap device. And the Server box could route the > >> package to the internal server. And the internal server response the > >> package to Server. > > > >No. Internal server replies to client's IP address. > >Whether it will be sent to client thru "Server" or not > >depends on routing. Typically you will have symmetric > >routing setup, and it will go thru "Server". > > I am not sure whether my comprehension is right. > ClientA(tap ip: 10.1.0.2, real ip: 1.2.3.4) > Server(tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet: 10.1.1.0/24= ) > when ClientA connects an internal ServerB (10.1.1.2) > > The package from ClientA should be: > |IPheader(src:1.2.3.4, dst:| 5.6.7.8)|TCPheader||etherheader|IPHeader10= =2E1.0.2|.....|| > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~= ~~content right? not always. I am using udp, not tcp (tcp over tcp is prone to 'internal meltdown' if your network losing packets, and you _must_ design your network as if it does, even in reality it works perfectly). Also, ethheader exists only on tap devices, not tun. So, my picture is: [ip(real ips)|udp|ip(tun ips)|.....] > Server recieved the package, push the content into the tap/tun device. > When the internal ServerB revieves the content, it response another pac= kage > to 10.1.0.2, right? > > When the Server recieved the response package, it encapsulate the packa= ge into: > |IPheader(src:5.6.7.8, dst:| 1.2.3.4)|TCPheader||etherheader|IPHeader10= =2E1.0.2|.....|| > > and send to ClientA, right? > The OpenVPN Server differ clients' package based on the response packag= e's > IPHeader, right? Could you tell me where I can find the interrelated co= de? > the OpenVPN source code is too much. kernel does it IMHO. openvpn only knows that kernel said: "somebody wante= d to send this packet via tun/tap device you control, here's the packet". I.e. kernel already did make routing decision that this packes goes to this device. I suggest reading some TCP/IP book/online docs. People scale far worse than webpages 8) --=20 vda 

Hi=A3=ACDenis Vlasenko Best Regards Ouyang Kai >On Monday 07 June 2004 15:45, oyk wrote: >> Hi=A3=ACguys >> I want to know how the openvpn control the multi-client= case in 2.0 >> version. for example: >> clientA---Internet---| |----Internal Server1 >> |----Server---|----Internal Server2 >> clientB---Internet---| |----Internal Server3 >> >> Based on my comprehension, clientA (10.1.0.2) and clientB= (10.1.0.3) can >> make a tunnel with Server (10.1.0.1) respectively using TCP= connection. >> clientA sockA----------Server SockA1 >> clientB sockB----------Server SockB1 >> When Server recieves the package from clientA or clientB, it= pushs the >> packages to the tun/tap device. And the Server box could route= the package >> to the internal server. And the internal server response the= package to >> Server. > >No. Internal server replies to client's IP address. >Whether it will be sent to client thru "Server" or not >depends on routing. Typically you will have symmetric >routing setup, and it will go thru "Server". I am not sure whether my comprehension is right. ClientA(tap ip: 10.1.0.2, real ip: 1.2.3.4) Server(tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet:= 10.1.1.0/24) when ClientA connects an internal ServerB (10.1.1.2) The package from ClientA should be: |IPheader(src:1.2.3.4, dst:= 5.6.7.8)|TCPheader||etherheader|IPHeader10.1.0.2|.....|| = ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~content right? Server recieved the package, push the content into the tap/tun= device. When the internal ServerB revieves the content, it response= another package to 10.1.0.2, right? When the Server recieved the response package, it encapsulate the= package into: |IPheader(src:5.6.7.8, dst:= 1.2.3.4)|TCPheader||etherheader|IPHeader10.1.0.2|.....|| and send to ClientA, right? The OpenVPN Server differ clients' package based on the response= package's IPHeader, right? Could you tell me where I can find the interrelated code? the= OpenVPN source code is too much. > >> My question is: when OpenVPN Server recieves one package from= one internal >> server, how does it control the package and redirect to= whom(clientA or >> clientB)? > >By looking at destination IP. > >> Please help, thanks! >> >> PS: could I use windows version as OpenVPN Server? > >As a last resort only ;) >-- >vda > > >------------------------------------------------------- >This SF.Net email is sponsored by the new InstallShield X. >From Windows to Linux, servers to mobile, InstallShield X is the= one >installation-authoring solution that does it all. Learn more= and >evaluate today! http://www.installshield.com/Dev2Dev/0504 >_______________________________________________ >Openvpn-devel mailing list >Ope...@li... >https://lists.sourceforge.net/lists/listinfo/openvpn-devel > >.