Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-08 Thread oyk
Hi, Denis Vlasenko
>SSL'ed protocols (i.e. tunneling streams over TCP) are fine.
>Tunneling TCP packets over TCP is another matter, it's a Bad Thing.
>AFAIK even the openvpn manpages have the URL of the relevant article.
>
>I don't understand what you're asking, sorry.
>Doesn't OpenVPN already do what you want?
>--
>vda
I am sorry I did not describe my thought clearly.
Generally, I want to know the mechanism of OpenVPN (in the TCP connection case).
I am not sure, when OpenVPN uses a TCP connection, whether it is based on SSL.
With multiple clients, OpenVPN works like a bridge, right?

If OpenVPN is based on SSL when it uses TCP, what is the content of the TCP payload?
[ip(real ips)|tcp|SSL_encrypt(ip(tun ips)|...)], right?

Best Regards
   Ouyang Kai






Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-08 Thread Denis Vlasenko
On Tuesday 08 June 2004 09:38, oyk wrote:
> >not always. I am using udp, not tcp (tcp over tcp is prone
> >to 'internal meltdown' if your network is losing packets,
> >and you _must_ design your network as if it does, even if in reality it
> >works perfectly). Also, the ethheader exists only on tap devices, not tun.
> >So, my picture is:
> >
> >[ip(real ips)|udp|ip(tun ips)|...]
>
> Thank you very much.
> There are many companies and organizations developing SSL-based VPNs,
> such as stunnel. But many developments/solutions can handle TCP only.

SSL'ed protocols (i.e. tunneling streams over TCP) are fine.
Tunneling TCP packets over TCP is another matter, it's a Bad Thing.
AFAIK even the openvpn manpages have the URL of the relevant article.

> I wonder whether it is possible to develop an SSL VPN based on a virtual NIC, which
> could handle all IP protocols (TCP/UDP, ARP etc). Simultaneously, we
> could do fine-grained access control in the application layer to
> protect the internal resources. In my last experience, I developed a TDI
> driver-based SSL VPN solution (for the Windows client). And the server just acts
> like stunnel. I think it is hard to support UDP and ARP on this route. So, I
> want to do some work on the virtual NIC.
> Could you give me some of your advice?
> Thanks a lot.

I don't understand what you're asking, sorry.
Doesn't OpenVPN already do what you want?
-- 
vda



Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-08 Thread Denis Vlasenko
On Monday 07 June 2004 18:54, James Yonan wrote:
> > > PS: could I use windows version as OpenVPN Server?
> >
> > As a last resort only ;)
>
> Actually, the OpenVPN server will run fine on Windows, though it may be
> slightly less efficient than Linux on equivalent hardware.

Sorry, I didn't mean that it won't work.

I meant "use Windows as a last resort, if you positively
cannot install Linux on that box".
-- 
vda



Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-07 Thread oyk
Hi, Denis Vlasenko
>On Tuesday 08 June 2004 04:18, oyk wrote:
>> >> I want to know how openvpn controls the multi-client case in the 2.0
>> >> version. For example:
>> >>   clientA---Internet---|        |Internal Server1
>> >>                        |Server---|Internal Server2
>> >>   clientB---Internet---|        |Internal Server3
>> >>
>> >> Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
>> >> make a tunnel with Server (10.1.0.1) respectively using a TCP connection.
>> >> clientA sockA--Server SockA1
>> >> clientB sockB--Server SockB1
>> >> When Server receives the package from clientA or clientB, it pushes the
>> >> packages to the tun/tap device. And the Server box could route the
>> >> package to the internal server. And the internal server sends the response
>> >> package to Server.
>> >
>> >No. Internal server replies to client's IP address.
>> >Whether it will be sent to client thru "Server" or not
>> >depends on routing. Typically you will have symmetric
>> >routing setup, and it will go thru "Server".
>>
>> I am not sure whether my comprehension is right.
>> ClientA (tap ip: 10.1.0.2, real ip: 1.2.3.4)
>> Server (tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet: 10.1.1.0/24)
>> when ClientA connects to an internal ServerB (10.1.1.2).
>>
>> The package from ClientA should be:
>> |IPheader(src:1.2.3.4, dst:5.6.7.8)|TCPheader||etherheader|IPHeader 10.1.0.2|...|| content
>> right?
>
>not always. I am using udp, not tcp (tcp over tcp is prone
>to 'internal meltdown' if your network is losing packets,
>and you _must_ design your network as if it does, even if in reality it
>works perfectly). Also, the ethheader exists only on tap devices, not tun.
>So, my picture is:
>
>[ip(real ips)|udp|ip(tun ips)|...]
Thank you very much.
There are many companies and organizations developing SSL-based VPNs, such as
stunnel. But many developments/solutions can handle TCP only.
I wonder whether it is possible to develop an SSL VPN based on a virtual NIC, which could
handle all IP protocols (TCP/UDP, ARP etc). Simultaneously, we could do
fine-grained access control in the application layer to protect the internal
resources.
In my last experience, I developed a TDI driver-based SSL VPN solution (for the
Windows client).
And the server just acts like stunnel. I think it is hard to support UDP and ARP on
this route.
So, I want to do some work on the virtual NIC.
Could you give me some of your advice?
Thanks a lot.
>
>> Server receives the package and pushes the content into the tap/tun device.
>> When the internal ServerB receives the content, it responds with another package
>> to 10.1.0.2, right?
>>
>> When the Server receives the response package, it encapsulates the package
>> into:
>> |IPheader(src:5.6.7.8, dst:1.2.3.4)|TCPheader||etherheader|IPHeader 10.1.0.2|...||
>>
>> and sends it to ClientA, right?
>> The OpenVPN Server distinguishes clients' packages based on the response package's
>> IPHeader, right? Could you tell me where I can find the related code?
>> The OpenVPN source code is too much.
>
>kernel does it IMHO. openvpn only knows that kernel said: "somebody wanted
>to send this packet via tun/tap device you control, here's the packet".
>I.e. kernel already made the routing decision that this packet goes to
>this device.
>
>I suggest reading some TCP/IP book/online docs. People scale far worse
>than webpages 8)
>--
Best Regards
   Ouyang Kai






Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-07 Thread Denis Vlasenko
On Tuesday 08 June 2004 04:18, oyk wrote:
> >> I want to know how openvpn controls the multi-client case in the 2.0
> >> version. For example:
> >>   clientA---Internet---|        |Internal Server1
> >>                        |Server---|Internal Server2
> >>   clientB---Internet---|        |Internal Server3
> >>
> >> Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
> >> make a tunnel with Server (10.1.0.1) respectively using a TCP connection.
> >> clientA sockA--Server SockA1
> >> clientB sockB--Server SockB1
> >> When Server receives the package from clientA or clientB, it pushes the
> >> packages to the tun/tap device. And the Server box could route the
> >> package to the internal server. And the internal server sends the response
> >> package to Server.
> >
> >No. Internal server replies to client's IP address.
> >Whether it will be sent to client thru "Server" or not
> >depends on routing. Typically you will have symmetric
> >routing setup, and it will go thru "Server".
>
> I am not sure whether my comprehension is right.
> ClientA (tap ip: 10.1.0.2, real ip: 1.2.3.4)
> Server (tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet: 10.1.1.0/24)
> when ClientA connects to an internal ServerB (10.1.1.2).
>
> The package from ClientA should be:
> |IPheader(src:1.2.3.4, dst:5.6.7.8)|TCPheader||etherheader|IPHeader 10.1.0.2|...|| content
> right?

not always. I am using udp, not tcp (tcp over tcp is prone
to 'internal meltdown' if your network is losing packets,
and you _must_ design your network as if it does, even if in reality it
works perfectly). Also, the ethheader exists only on tap devices, not tun.
So, my picture is:

[ip(real ips)|udp|ip(tun ips)|...]

> Server receives the package and pushes the content into the tap/tun device.
> When the internal ServerB receives the content, it responds with another package
> to 10.1.0.2, right?
>
> When the Server receives the response package, it encapsulates the package
> into:
> |IPheader(src:5.6.7.8, dst:1.2.3.4)|TCPheader||etherheader|IPHeader 10.1.0.2|...||
>
> and sends it to ClientA, right?
> The OpenVPN Server distinguishes clients' packages based on the response package's
> IPHeader, right? Could you tell me where I can find the related code?
> The OpenVPN source code is too much.

kernel does it IMHO. openvpn only knows that kernel said: "somebody wanted
to send this packet via tun/tap device you control, here's the packet".
I.e. kernel already made the routing decision that this packet goes to
this device.

I suggest reading some TCP/IP book/online docs. People scale far worse
than webpages 8)
-- 
vda



Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-07 Thread oyk
Hi, Denis Vlasenko
Best Regards
   Ouyang Kai
>On Monday 07 June 2004 15:45, oyk wrote:
>> Hi, guys
>> I want to know how openvpn controls the multi-client case in the 2.0
>> version. For example:
>>   clientA---Internet---|        |Internal Server1
>>                        |Server---|Internal Server2
>>   clientB---Internet---|        |Internal Server3
>>
>> Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
>> make a tunnel with Server (10.1.0.1) respectively using a TCP connection.
>> clientA sockA--Server SockA1
>> clientB sockB--Server SockB1
>> When Server receives the package from clientA or clientB, it pushes the
>> packages to the tun/tap device. And the Server box could route the package
>> to the internal server. And the internal server sends the response package to
>> Server.
>
>No. Internal server replies to client's IP address.
>Whether it will be sent to client thru "Server" or not
>depends on routing. Typically you will have symmetric
>routing setup, and it will go thru "Server".
I am not sure whether my comprehension is right.
ClientA (tap ip: 10.1.0.2, real ip: 1.2.3.4)
Server (tap ip: 10.1.0.1, real ip: 5.6.7.8, internal subnet: 10.1.1.0/24)
when ClientA connects to an internal ServerB (10.1.1.2).
The package from ClientA should be:
|IPheader(src:1.2.3.4, dst:5.6.7.8)|TCPheader||etherheader|IPHeader 10.1.0.2|...|| content
right?
Server receives the package and pushes the content into the tap/tun device.
When the internal ServerB receives the content, it responds with another package
to 10.1.0.2, right?
When the Server receives the response package, it encapsulates the package into:
|IPheader(src:5.6.7.8, dst:1.2.3.4)|TCPheader||etherheader|IPHeader 10.1.0.2|...||
and sends it to ClientA, right?
The OpenVPN Server distinguishes clients' packages based on the response package's
IPHeader, right?
Could you tell me where I can find the related code? The OpenVPN
source code is too much.
>
>> My question is: when OpenVPN Server receives one package from one internal
>> server, how does it control the package and redirect it to whom (clientA or
>> clientB)?
>
>By looking at destination IP.
>
>> Please help, thanks!
>>
>> PS: could I use the windows version as OpenVPN Server?
>
>As a last resort only ;)
>--
>vda







Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-07 Thread James Yonan
> > PS: could I use windows version as OpenVPN Server?
> 
> As a last resort only ;)

Actually, the OpenVPN server will run fine on Windows, though it may be
slightly less efficient than Linux on equivalent hardware.

James




Re: [Openvpn-devel] how to implement the multi client in openvpn?

2004-06-07 Thread Denis Vlasenko
On Monday 07 June 2004 15:45, oyk wrote:
> Hi, guys
> I want to know how openvpn controls the multi-client case in the 2.0
> version. For example:
>   clientA---Internet---|        |Internal Server1
>                        |Server---|Internal Server2
>   clientB---Internet---|        |Internal Server3
>
> Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can
> make a tunnel with Server (10.1.0.1) respectively using a TCP connection.
> clientA sockA--Server SockA1
> clientB sockB--Server SockB1
> When Server receives the package from clientA or clientB, it pushes the
> packages to the tun/tap device. And the Server box could route the package
> to the internal server. And the internal server sends the response package to
> Server.

No. Internal server replies to client's IP address.
Whether it will be sent to client thru "Server" or not
depends on routing. Typically you will have symmetric
routing setup, and it will go thru "Server".

> My question is: when OpenVPN Server receives one package from one internal
> server, how does it control the package and redirect it to whom (clientA or
> clientB)?

By looking at destination IP.

> Please help, thanks!
>
> PS: could I use the windows version as OpenVPN Server?

As a last resort only ;)
-- 
vda

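Denis's answer to the multi-client question is "by looking at destination IP", and his picture of the wire format is [ip(real ips)|udp|ip(tun ips)|...]. The sketch below is an added example, not code from this thread or from OpenVPN: it parses the inner IPv4 header of a packet the kernel handed to the tun device, picks the client by its tun address, and wraps the packet in that outer layout (and unwraps it on the way back). The tun and real addresses are the ones used in the thread; clientB's real endpoint, the UDP port, and zeroed checksums are assumptions, and the encryption OpenVPN applies to the inner packet before it becomes UDP payload is left out.

```python
import struct
from ipaddress import IPv4Address

# Constructed client table: tun address -> (real IP, UDP port) of its tunnel.
# clientA and Server addresses are from the thread; clientB's real endpoint
# and the port 1194 are assumed placeholders.
CLIENTS = {
    "10.1.0.2": ("1.2.3.4", 1194),   # clientA
    "10.1.0.3": ("9.8.7.6", 1194),   # clientB (assumed endpoint)
}
SERVER_REAL_IP = "5.6.7.8"
VPN_PORT = 1194  # assumed

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed, never sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, protocol) from the IPv4 header at the start of pkt."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9]

def client_for_tun_packet(inner):
    """The kernel already routed this packet to the tun device; the VPN
    server picks the client by destination tun IP. None = unknown client,
    so the packet is dropped rather than sent anywhere."""
    _, dst, _ = parse_ipv4(inner)
    return CLIENTS.get(dst)

def encapsulate(inner, client_real):
    """Outer datagram in the thread's layout: [ip(real ips)|udp|ip(tun ips)|...]."""
    udp_len = 8 + len(inner)
    udp = struct.pack("!HHHH", VPN_PORT, client_real[1], udp_len, 0)
    return ipv4_header(SERVER_REAL_IP, client_real[0], 17, udp_len) + udp + inner

def decapsulate(outer):
    """Reverse direction: strip outer IP and UDP headers to recover the
    inner packet that would be written to the tun device."""
    _, _, proto = parse_ipv4(outer)
    if proto != 17:
        raise ValueError("outer packet is not UDP")
    ihl = (outer[0] & 0x0F) * 4
    return outer[ihl + 8:]
```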


[Openvpn-devel] how to implement the multi client in openvpn?

2004-06-07 Thread oyk
Hi, guys
   I want to know how openvpn controls the multi-client case in the 2.0 version.
For example:
  clientA---Internet---|        |Internal Server1
                       |Server---|Internal Server2
  clientB---Internet---|        |Internal Server3

Based on my comprehension, clientA (10.1.0.2) and clientB (10.1.0.3) can make
a tunnel with Server (10.1.0.1) respectively using a TCP connection.
clientA sockA--Server SockA1
clientB sockB--Server SockB1
When Server receives the package from clientA or clientB, it pushes the packages
to the tun/tap device. And the Server box could route the package to the
internal server. And the internal server sends the response package to Server.

My question is: when OpenVPN Server receives one package from one internal
server, how does it control the package and redirect it to whom (clientA or clientB)?

   Please help, thanks!

PS: could I use windows version as OpenVPN Server?

Best Regards
   Ouyang Kai