On Mon, 7 Jan 2013 14:30:01 -0600, Eric Crist <ecr...@secure-computing.net>
wrote:

> This is something I've been meaning to address for quite some time, since
> the documentation is very, very wrong.  I'm not very good at reading the
> code (yet), so please correct me if I'm wrong.  This update is based on
> behavior I've seen and not as much on my ability to read our source.
> 
> The human-readable difference:
> 
> === OLD ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router.  The --client-to-client flag tells OpenVPN
> to internally route client-to-client traffic rather than
> pushing all client-originating traffic to the TUN/TAP interface.
> 
> When this option is used, each client will "see" the other
> clients which are currently connected.  Otherwise, each client
> will only see the server.  Don't use this option if you want
> to firewall tunnel traffic using custom, per-client rules.
> 
> === NEW ===
> Because the OpenVPN server mode handles multiple clients
> through a single tun or tap interface, it is effectively
> a router.  The --client-to-client flag tells OpenVPN
> to allow traffic between clients connected to the VPN.  This
> also exposes the traffic between client to the TUN/TAP
> interface, allow for firewalling on a per-client basis.
> 
> When this option is used, each client will "see" the other
> clients which are currently connected.

The current documentation looks correct to me. When using client-to-client,
traffic is not exposed on the tun interface; when not using
client-to-client, traffic shows up on the tun interface and can be
firewalled (eg with iptables).

-- 
D.
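
To make the point in the reply concrete, here is an added example (not from the thread or the OpenVPN project): a server configuration that omits client-to-client, so packets between clients leave tun0 and pass through the kernel FORWARD chain, paired with an iptables-restore ruleset that permits only one client pair to talk. The interface name tun0, the 10.8.0.0/24 subnet and the client addresses are constructed assumptions.

```text
# --- server.conf (constructed example; deliberately omits "client-to-client") ---
#   dev tun0
#   topology subnet
#   server 10.8.0.0 255.255.255.0
#   client-config-dir ccd          # ccd/alice: ifconfig-push 10.8.0.10 255.255.255.0
#                                  # ccd/bob:   ifconfig-push 10.8.0.11 255.255.255.0
#   # With "client-to-client" set, OpenVPN would route alice<->bob internally
#   # and none of the rules below would ever see that traffic.
#
# --- /etc/iptables/rules.v4 (load with: iptables-restore < rules.v4) ---
# Requires net.ipv4.ip_forward=1 so the kernel forwards between VPN clients.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic for flows that were already allowed below
-A FORWARD -i tun0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Per-client rule: only alice (10.8.0.10) may open SSH to bob (10.8.0.11)
-A FORWARD -i tun0 -o tun0 -s 10.8.0.10 -d 10.8.0.11 -p tcp --dport 22 -j ACCEPT
# Every other client-to-client packet is logged and dropped
-A FORWARD -i tun0 -o tun0 -j LOG --log-prefix "vpn-c2c-drop: "
-A FORWARD -i tun0 -o tun0 -j DROP
COMMIT
```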
