Re: [Openvpn-devel] how to implement the multi client in openvpn?
Hi, Denis Vlasenko

> On Tuesday 08 June 2004 04:18, oyk wrote:
> > > > I want to know how the openvpn control the multi-client case in 2.0
> > > > version. for example:
> > > > clientA---Internet---|         |Internal Server1
> > > >                      |Server---|Internal Server2
> > > > clientB---Internet---|         |Internal Server3
> > > >
> > > > Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
> > > > make a tunnel with Server (10.1.0.1) respectively using TCP connection.
> > > > clientA sockA--Server SockA1
> > > > clientB sockB--Server SockB1
> > > > When Server receives the package from clientA or clientB, it pushes the
> > > > packages to the tun/tap device. And the Server box could route the
> > > > package to the internal server. And the internal server responds with the
> > > > package to Server.
> > >
> > > No. Internal server replies to client's IP address.
> > > Whether it will be sent to client thru "Server" or not
> > > depends on routing. Typically you will have symmetric
> > > routing setup, and it will go thru "Server".
> >
> > I am not sure whether my comprehension is right.
> > ClientA (tap ip: 10.1.0.2, real ip: 1.2.3.4)
> > Server (tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet: 10.1.1.0/24)
> > when ClientA connects to an internal ServerB (10.1.1.2)
> >
> > The package from ClientA should be:
> > |IPheader(src:1.2.3.4, dst: 5.6.7.8)|TCPheader||etherheader|IPHeader10.1.0.2|.||
> >
> > content right?
>
> not always. I am using udp, not tcp (tcp over tcp is prone
> to 'internal meltdown' if your network is losing packets,
> and you _must_ design your network as if it does, even if in reality it
> works perfectly). Also, ethheader exists only on tap devices, not tun.
> So, my picture is:
>
> [ip(real ips)|udp|ip(tun ips)|.]

Thank you very much. There are many companies and organizations developing
VPNs based on SSL, such as stunnel. But many developments/solutions could
solve TCP only.

I think about whether it is possible to develop an SSL VPN based on a virtual
NIC, which could solve the whole IP protocols (TCP/UDP, ARP etc).
Simultaneously, we could do fine-grained access control in the application
layer to protect the internal resource. In my last experience, I developed a
TDI driver-based SSL VPN solution (for the Windows client). And the server
just does like stunnel. I think it is hard to support UDP, ARP on this routine.
So, I want to do some work on the virtual NIC. Could you give me some of your
advice? Thanks a lot.

> > Server received the package, push the content into the tap/tun device.
> > When the internal ServerB receives the content, it responds with another package
> > to 10.1.0.2, right?
> >
> > When the Server received the response package, it encapsulates the package
> > into:
> > |IPheader(src:5.6.7.8, dst: 1.2.3.4)|TCPheader||etherheader|IPHeader10.1.0.2|.||
> >
> > and sends to ClientA, right?
> > The OpenVPN Server differ clients' package based on the response package's
> > IPHeader, right? Could you tell me where I can find the interrelated code?
> > the OpenVPN source code is too much.
>
> kernel does it IMHO. openvpn only knows that kernel said: "somebody wanted
> to send this packet via tun/tap device you control, here's the packet".
> I.e. kernel already did make routing decision that this packet goes to
> this device.
>
> I suggest reading some TCP/IP book/online docs. People scale far worse
> than webpages 8)
> --

Best Regards
Ouyang Kai
Re: [Openvpn-devel] how to implement the multi client in openvpn?
On Tuesday 08 June 2004 04:18, oyk wrote:
> > > I want to know how the openvpn control the multi-client case in 2.0
> > > version. for example:
> > > clientA---Internet---|         |Internal Server1
> > >                      |Server---|Internal Server2
> > > clientB---Internet---|         |Internal Server3
> > >
> > > Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
> > > make a tunnel with Server (10.1.0.1) respectively using TCP connection.
> > > clientA sockA--Server SockA1
> > > clientB sockB--Server SockB1
> > > When Server receives the package from clientA or clientB, it pushes the
> > > packages to the tun/tap device. And the Server box could route the
> > > package to the internal server. And the internal server responds with the
> > > package to Server.
> >
> > No. Internal server replies to client's IP address.
> > Whether it will be sent to client thru "Server" or not
> > depends on routing. Typically you will have symmetric
> > routing setup, and it will go thru "Server".
>
> I am not sure whether my comprehension is right.
> ClientA (tap ip: 10.1.0.2, real ip: 1.2.3.4)
> Server (tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet: 10.1.1.0/24)
> when ClientA connects to an internal ServerB (10.1.1.2)
>
> The package from ClientA should be:
> |IPheader(src:1.2.3.4, dst: 5.6.7.8)|TCPheader||etherheader|IPHeader10.1.0.2|.||
>
> content right?

not always. I am using udp, not tcp (tcp over tcp is prone
to 'internal meltdown' if your network is losing packets,
and you _must_ design your network as if it does, even if in reality it
works perfectly). Also, ethheader exists only on tap devices, not tun.
So, my picture is:

[ip(real ips)|udp|ip(tun ips)|.]

> Server received the package, push the content into the tap/tun device.
> When the internal ServerB receives the content, it responds with another package
> to 10.1.0.2, right?
>
> When the Server received the response package, it encapsulates the package
> into:
> |IPheader(src:5.6.7.8, dst: 1.2.3.4)|TCPheader||etherheader|IPHeader10.1.0.2|.||
>
> and sends to ClientA, right?
> The OpenVPN Server differ clients' package based on the response package's
> IPHeader, right? Could you tell me where I can find the interrelated code?
> the OpenVPN source code is too much.

kernel does it IMHO. openvpn only knows that kernel said: "somebody wanted
to send this packet via tun/tap device you control, here's the packet".
I.e. kernel already did make routing decision that this packet goes to
this device.

I suggest reading some TCP/IP book/online docs. People scale far worse
than webpages 8)
--
vda
Re: [Openvpn-devel] how to implement the multi client in openvpn?
Hi, Denis Vlasenko

Best Regards
Ouyang Kai

> On Monday 07 June 2004 15:45, oyk wrote:
> > Hi, guys
> > I want to know how the openvpn control the multi-client case in 2.0
> > version. for example:
> > clientA---Internet---|         |Internal Server1
> >                      |Server---|Internal Server2
> > clientB---Internet---|         |Internal Server3
> >
> > Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
> > make a tunnel with Server (10.1.0.1) respectively using TCP connection.
> > clientA sockA--Server SockA1
> > clientB sockB--Server SockB1
> > When Server receives the package from clientA or clientB, it pushes the
> > packages to the tun/tap device. And the Server box could route the package
> > to the internal server. And the internal server responds with the package to
> > Server.
>
> No. Internal server replies to client's IP address.
> Whether it will be sent to client thru "Server" or not
> depends on routing. Typically you will have symmetric
> routing setup, and it will go thru "Server".

I am not sure whether my comprehension is right.
ClientA (tap ip: 10.1.0.2, real ip: 1.2.3.4)
Server (tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet: 10.1.1.0/24)
when ClientA connects to an internal ServerB (10.1.1.2)

The package from ClientA should be:
|IPheader(src:1.2.3.4, dst: 5.6.7.8)|TCPheader||etherheader|IPHeader10.1.0.2|.||

content right?

Server received the package, push the content into the tap/tun device.
When the internal ServerB receives the content, it responds with another package
to 10.1.0.2, right?

When the Server received the response package, it encapsulates the package
into:
|IPheader(src:5.6.7.8, dst: 1.2.3.4)|TCPheader||etherheader|IPHeader10.1.0.2|.||

and sends to ClientA, right?
The OpenVPN Server differ clients' package based on the response package's
IPHeader, right? Could you tell me where I can find the interrelated code?
the OpenVPN source code is too much.

> > My question is: when OpenVPN Server receives one package from one internal
> > server, how does it control the package and redirect to whom (clientA or
> > clientB)?
>
> By looking at destination IP.
>
> > Please help, thanks!
> >
> > PS: could I use windows version as OpenVPN Server?
>
> As a last resort only ;)
> --
> vda
Re: [Openvpn-devel] how to implement the multi client in openvpn?
> > PS: could I use windows version as OpenVPN Server?
>
> As a last resort only ;)

Actually, the OpenVPN server will run fine on Windows, though it may be slightly less efficient than Linux on equivalent hardware.

James
[Openvpn-devel] Re: [Openvpn-users] OpenVPN 2.0-beta3 released
Rainer Sokoll said:
> On Sun, Jun 06, 2004 at 01:35:27AM -, James Yonan wrote:
>
> > * New feature: --status. Outputs a SIGUSR2-like
> >   status summary to a given file, updated once
> >   per n seconds. The status file is comma delimited
> >   for easy machine parsing.
>
> With me, the file has setuid, setgid and sticky bits set. Is that
> intended?

No, that looks like a bug -- I will fix in beta4.

James
[Openvpn-devel] Re: Still Assertion failed at event.c:399 (was Re: [Openvpn-users] OpenVPN 2.0-beta3 released
Jon,

Have you considered the possibility that there might be breakage in your compilation environment, such as a mismatch between header files and shared libraries? I am saying this because I haven't seen any other reports of similar assertion failures. If you are the only one seeing the problem, there must be something that is unique about your particular configuration.

Do you get assertion failures from pre-built executables, such as from the Windows install?

James

Jon Bendtsen said:
> I still have my assertion error with openvpn beta3, just much sooner,
> and it is a different place.
> The server is still linux, and the client is still macosx. I will go
> and test windows in a few seconds.
>
>
> [Jon-Bendtsens-computer:~/openvpn-2.0_beta3] jonbendt% ./openvpn --config ../etc/openvpn/client.conf
> ...
> Mon Jun 7 11:21:31 2004 OpenVPN 2.0_beta3 powerpc-apple-darwin7.4.0 [SSL] [LZO] built on Jun 7 2004
> Mon Jun 7 11:21:31 2004 WARNING: file 'sample-keys/client.key' is group or others accessible
> Mon Jun 7 11:21:31 2004 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Mon Jun 7 11:21:31 2004 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:0 ET:0 EL:0 ]
> Mon Jun 7 11:21:31 2004 Local Options String: 'V3,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
> Mon Jun 7 11:21:31 2004 Expected Remote Options String: 'V3,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
> Mon Jun 7 11:21:31 2004 Local Options hash (VER=V3): 'a0f1c7ed'
> Mon Jun 7 11:21:31 2004 Expected Remote Options hash (VER=V3): 'b319fa3e'
> Mon Jun 7 11:21:31 2004 Socket Buffers: R=[42080->65536] S=[9216->65536]
> Mon Jun 7 11:21:31 2004 UDPv4 link local (bound): [undef]:5000
> Mon Jun 7 11:21:31 2004 UDPv4 link remote: 192.168.119.135:5000
> Mon Jun 7 11:21:31 2004 TLS: Initial packet from 192.168.119.135:5000, sid=1ce6aa53 b7120113
> Mon Jun 7 11:21:31 2004 Assertion failed at event.c:399
> Mon Jun 7 11:21:31 2004 Exiting
>
> It makes no difference if I specify the local address, the client.conf
> file looks like this:
>
>
> [Jon-Bendtsens-computer:~/openvpn-2.0_beta3] jonbendt% less ../etc/openvpn/client.conf
> #
> # Sample client-side OpenVPN config file
> # for connecting to multi-client server.
> #
> # The server can be pinged at 10.8.0.1.
> #
> # This configuration can be used by multiple
> # clients, however each client should have
> # its own cert and key files.
> #
> # tun-style tunnel
>
> port 5000
> dev tun0
> remote aragorn
>
> # TLS parms
>
> tls-client
> ca sample-keys/tmp-ca.crt
> cert sample-keys/client.crt
> key sample-keys/client.key
>
> # This parm is required for connecting
> # to a multi-client server. It tells
> # the client to accept options which
> # the server pushes to us.
> pull
>
> verb 4
>
>
> and the server:
>
> # Sample OpenVPN config file for
> # multi-client udp server
> #
> # tun-style tunnel
>
> port 5000
> dev tun
>
> # TLS parms
>
> tls-server
> ca sample-keys/tmp-ca.crt
> cert sample-keys/server.crt
> key sample-keys/server.key
> dh sample-keys/dh1024.pem
>
> # Tell OpenVPN to be a multi-client udp server
> mode server
>
> # openvpn data are not swapped to disk
> #mlock
> # allow clients to connect to each other faster
> #client-to-client
>
> # The server's virtual endpoints
> ifconfig 10.8.0.1 10.8.0.2
>
> # Pool of /30 subnets to be allocated to clients.
> # When a client connects, an --ifconfig command
> # will be automatically generated and pushed back to
> # the client.
> ifconfig-pool 10.8.0.4 10.8.0.255
>
> # Push route to client to bind it to our local
> # virtual endpoint.
> push "route 10.8.0.1 255.255.255.255"
>
> # Delete client instances after some period
> # of inactivity.
> inactive 600
> # ping once every minute when there is no traffic
> ping 60
>
> # Route the --ifconfig pool range into the
> # OpenVPN server.
> route 10.8.0.0 255.255.255.0
>
> # The server doesn't need privileges
> user nobody
> group nogroup
>
>
>
> JonB
> --
Re: [Openvpn-devel] how to implement the multi client in openvpn?
On Monday 07 June 2004 15:45, oyk wrote:
> Hi, guys
> I want to know how the openvpn control the multi-client case in 2.0
> version. for example:
> clientA---Internet---|         |Internal Server1
>                      |Server---|Internal Server2
> clientB---Internet---|         |Internal Server3
>
> Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
> make a tunnel with Server (10.1.0.1) respectively using TCP connection.
> clientA sockA--Server SockA1
> clientB sockB--Server SockB1
> When Server receives the package from clientA or clientB, it pushes the
> packages to the tun/tap device. And the Server box could route the package
> to the internal server. And the internal server responds with the package to
> Server.

No. Internal server replies to client's IP address.
Whether it will be sent to client thru "Server" or not
depends on routing. Typically you will have symmetric
routing setup, and it will go thru "Server".

> My question is: when OpenVPN Server receives one package from one internal
> server, how does it control the package and redirect to whom (clientA or
> clientB)?

By looking at destination IP.

> Please help, thanks!
>
> PS: could I use windows version as OpenVPN Server?

As a last resort only ;)
--
vda
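An added example, not code from this thread or from OpenVPN itself, of the lookup behind "by looking at destination IP": on a tun device the packet the kernel hands the server starts with the IP header, and the server must map its destination address to exactly one client's tunnel address before wrapping it in the [ip(real ips)|udp|ip(tun ips)|...] encapsulation, or drop it if no client owns that address. The client table, clientB's real address and the `make_ip4` packet builder are constructed for this example; clientA's addresses follow the thread.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Constructed client table (OpenVPN keeps its own per-client state). */
struct client {
    const char *name;
    const char *real_ip;   /* where the encrypted UDP goes back to; clientB's is made up */
    uint32_t    tun_ip;    /* the client's --ifconfig address, host order */
};
const struct client clients[] = {
    { "clientA", "1.2.3.4", 0x0A010002u },   /* 10.1.0.2 */
    { "clientB", "9.9.9.9", 0x0A010003u },   /* 10.1.0.3 */
};
const size_t n_clients = sizeof clients / sizeof clients[0];

/* Destination of an IPv4 packet as read from a tun device (no Ethernet
 * header).  Returns 0 if the packet is malformed. */
static int ip4_dst(const uint8_t *pkt, size_t len, uint32_t *dst)
{
    if (len < 20 || (pkt[0] >> 4) != 4)           /* short or not IPv4 */
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return 0;
    *dst = (uint32_t)pkt[16] << 24 | (uint32_t)pkt[17] << 16 |
           (uint32_t)pkt[18] << 8  | (uint32_t)pkt[19];
    return 1;
}

/* The demultiplexing step: index of the client owning the destination,
 * or -1 (drop it; never fall back to "some" client). */
int route_to_client(const struct client *tbl, size_t n,
                    const uint8_t *pkt, size_t len)
{
    uint32_t dst;
    if (!ip4_dst(pkt, len, &dst))
        return -1;
    for (size_t i = 0; i < n; i++)
        if (tbl[i].tun_ip == dst)
            return (int)i;
    return -1;
}
/* Minimal 20-byte IPv4 header (no options, no payload) for offline tests. */
void make_ip4(uint8_t *buf, const char *src, const char *dst)
{
    struct in_addr s, d;
    memset(buf, 0, 20);
    buf[0] = 0x45; buf[3] = 20; buf[8] = 64; buf[9] = 17; /* IHL 5, len, TTL, UDP */
    inet_pton(AF_INET, src, &s);
    inet_pton(AF_INET, dst, &d);
    memcpy(buf + 12, &s.s_addr, 4);    /* s_addr is already network order */
    memcpy(buf + 16, &d.s_addr, 4);
}

int main(void)
{
    uint8_t reply[20];   /* constructed: internal 10.1.1.2 answering clientA */
    make_ip4(reply, "10.1.1.2", "10.1.0.2");
    int i = route_to_client(clients, n_clients, reply, sizeof reply);
    printf("%s\n", i < 0 ? "drop: unknown destination" : clients[i].name);
    return 0;
}
```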
[Openvpn-devel] how to implement the multi client in openvpn?
Hi, guys

I want to know how the openvpn control the multi-client case in 2.0
version. for example:
clientA---Internet---|         |Internal Server1
                     |Server---|Internal Server2
clientB---Internet---|         |Internal Server3

Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
make a tunnel with Server (10.1.0.1) respectively using TCP connection.
clientA sockA--Server SockA1
clientB sockB--Server SockB1
When Server receives the package from clientA or clientB, it pushes the
packages to the tun/tap device. And the Server box could route the package
to the internal server. And the internal server responds with the package to
Server.

My question is: when OpenVPN Server receives one package from one internal
server, how does it control the package and redirect to whom (clientA or
clientB)?

Please help, thanks!

PS: could I use windows version as OpenVPN Server?

Best Regards
Ouyang Kai
[Openvpn-devel] Re: [Openvpn-users] OpenVPN 2.0-beta3 released
On Sun, Jun 06, 2004 at 01:35:27AM -, James Yonan wrote:

> * New feature: --status. Outputs a SIGUSR2-like
>   status summary to a given file, updated once
>   per n seconds. The status file is comma delimited
>   for easy machine parsing.

With me, the file has setuid, setgid and sticky bits set. Is that
intended?

Rainer
--
To me, women are like elephants: I like to look at them, but I wouldn't
want to own one. (W.C. Fields)
[Openvpn-devel] Re: Still Assertion failed at event.c:399 (was Re: [Openvpn-users] OpenVPN 2.0-beta3 released
On 7 Jun 2004, at 11:33, Jon Bendtsen wrote:

> I still have my assertion error with openvpn beta3, just much sooner,
> and it is a different place.
> The server is still linux, and the client is still macosx. I will go
> and test windows in a few seconds.

The windows works just like it should. I don't get any assertion errors.

JonB
[Openvpn-devel] Still Assertion failed at event.c:399 (was Re: [Openvpn-users] OpenVPN 2.0-beta3 released
I still have my assertion error with openvpn beta3, just much sooner,
and it is a different place.
The server is still linux, and the client is still macosx. I will go
and test windows in a few seconds.


[Jon-Bendtsens-computer:~/openvpn-2.0_beta3] jonbendt% ./openvpn --config ../etc/openvpn/client.conf
...
Mon Jun 7 11:21:31 2004 OpenVPN 2.0_beta3 powerpc-apple-darwin7.4.0 [SSL] [LZO] built on Jun 7 2004
Mon Jun 7 11:21:31 2004 WARNING: file 'sample-keys/client.key' is group or others accessible
Mon Jun 7 11:21:31 2004 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jun 7 11:21:31 2004 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:0 ET:0 EL:0 ]
Mon Jun 7 11:21:31 2004 Local Options String: 'V3,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Jun 7 11:21:31 2004 Expected Remote Options String: 'V3,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Jun 7 11:21:31 2004 Local Options hash (VER=V3): 'a0f1c7ed'
Mon Jun 7 11:21:31 2004 Expected Remote Options hash (VER=V3): 'b319fa3e'
Mon Jun 7 11:21:31 2004 Socket Buffers: R=[42080->65536] S=[9216->65536]
Mon Jun 7 11:21:31 2004 UDPv4 link local (bound): [undef]:5000
Mon Jun 7 11:21:31 2004 UDPv4 link remote: 192.168.119.135:5000
Mon Jun 7 11:21:31 2004 TLS: Initial packet from 192.168.119.135:5000, sid=1ce6aa53 b7120113
Mon Jun 7 11:21:31 2004 Assertion failed at event.c:399
Mon Jun 7 11:21:31 2004 Exiting

It makes no difference if I specify the local address, the client.conf
file looks like this:


[Jon-Bendtsens-computer:~/openvpn-2.0_beta3] jonbendt% less ../etc/openvpn/client.conf
#
# Sample client-side OpenVPN config file
# for connecting to multi-client server.
#
# The server can be pinged at 10.8.0.1.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# tun-style tunnel

port 5000
dev tun0
remote aragorn

# TLS parms

tls-client
ca sample-keys/tmp-ca.crt
cert sample-keys/client.crt
key sample-keys/client.key

# This parm is required for connecting
# to a multi-client server. It tells
# the client to accept options which
# the server pushes to us.
pull

verb 4


and the server:

# Sample OpenVPN config file for
# multi-client udp server
#
# tun-style tunnel

port 5000
dev tun

# TLS parms

tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

# Tell OpenVPN to be a multi-client udp server
mode server

# openvpn data are not swapped to disk
#mlock
# allow clients to connect to each other faster
#client-to-client

# The server's virtual endpoints
ifconfig 10.8.0.1 10.8.0.2

# Pool of /30 subnets to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255

# Push route to client to bind it to our local
# virtual endpoint.
push "route 10.8.0.1 255.255.255.255"

# Delete client instances after some period
# of inactivity.
inactive 600
# ping once every minute when there is no traffic
ping 60

# Route the --ifconfig pool range into the
# OpenVPN server.
route 10.8.0.0 255.255.255.0

# The server doesn't need privileges
user nobody
group nogroup



JonB
[Openvpn-devel] Re: [Openvpn-users] OpenVPN 2.0-beta3 released
--On Sunday, 6 June 2004 01:35 + James Yonan wrote:

> 2004.06.05 -- Version 2.0-beta3
>
> * New feature: --status. Outputs a SIGUSR2-like
>   status summary to a given file, updated once
>   per n seconds. The status file is comma delimited
>   for easy machine parsing.

Is there any chance to get this option in 1.6x? Maybe you accept a backport diff to add this feature to 1.61?

--
Claas Hilbrecht
http://www.jucs-kramkiste.de