Hi All,

We have just finished implementing OpenVPN 2.0 into our RTUs. We advertise OpenVPN Server to our customers to connect their RTUs.

We've come to realize that small customers will probably not want to set up an OpenVPN server themselves (they are no IT specialists). That's why we'd want to provide server hosting to them. Since we can't afford running an OpenVPN server instance for each customer, we need some kind of restricted client-to-client mode that would allow a customer's RTU to see _only_ the other RTUs of this customer. The purpose is of course to provide privacy and prevent a customer from accessing the RTUs of other customers.

The OpenVPN HOW-TO suggests a method using a firewall to restrict clients' access to parts of the network. I wonder if it will work in this case: will the firewall be triggered for packet transmission over the local (VPN) subnet? I don't think so.

I've looked into the source code and it looks fairly straightforward to implement such a filter:

- Each client connection would receive an extra param (stored in its multi_instance): groupid. This groupid would be set e.g. by the ccd file or connect script through a new dedicated option.
- In multi_process_incoming_link(), in addition to testing enable_c2c, the groupids of src and dest would be tested as well (match required) in order to allow packet forwarding.

Which leads me to these questions:

- Has this been discussed before? What was the outcome? If yes, pointers would be highly appreciated.
- Do you think this is something that would be worth implementing in the product?
- Do you see any flaw in my reasoning?

TIA,
Serge
http://www.apptranslator.com
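As an added example (not part of Serge's message or the OpenVPN project), the firewall-based alternative the HOWTO describes, applied to this multi-customer hosting case: with `client-to-client` left out of server.conf, a packet from one RTU to another leaves the server's tun device and re-enters it through the kernel's FORWARD chain (ip_forward enabled), where per-customer subnet rules can isolate it. The script allocates each customer an aligned /28 inside OpenVPN 2.0's default `server 10.8.0.0 255.255.255.0` range, writes the matching `ifconfig-push` ccd entries and emits the iptables rules; the addressing, the /28 sizing, the customer names and the `VPN_C2C` chain name are constructed assumptions.

```python
import ipaddress

# Constructed layout: OpenVPN 2.0's default "server 10.8.0.0 255.255.255.0" in net30
# addressing (every client owns a /30 pair). Each customer gets one aligned /28, i.e.
# four /30 pairs, so a single source/destination subnet match isolates that customer.
# Only valid when server.conf has NO "client-to-client" line and ip_forward is enabled.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
CUSTOMER_PREFIX = 28

def allocate(customers):
    """customers: {name: [client CNs]} -> {name: {"block": /28, "rtus": {cn: (local, endpoint)}}}."""
    blocks = VPN_NET.subnets(new_prefix=CUSTOMER_PREFIX)
    next(blocks)  # 10.8.0.0/28 holds the server's own pair (10.8.0.1/10.8.0.2); not for customers
    plan = {}
    for name, rtus in customers.items():
        block = next(blocks)
        pairs = list(block.subnets(new_prefix=30))
        if len(rtus) > len(pairs):
            raise ValueError(f"{name}: {len(rtus)} RTUs but only {len(pairs)} /30 pairs in {block}")
        # net30 needs both endpoints inside one /30: [x+1, x+2], as in the HOWTO's ccd example
        plan[name] = {"block": block,
                      "rtus": {cn: (p[1], p[2]) for cn, p in zip(rtus, pairs)}}
    return plan

def ccd_files(plan):
    """Per-client ccd file contents (server.conf needs 'client-config-dir ccd')."""
    return {cn: f"ifconfig-push {local} {endpoint}"
            for p in plan.values() for cn, (local, endpoint) in p["rtus"].items()}

def iptables_rules(plan, dev="tun0"):
    """FORWARD rules: only same-customer RTU-to-RTU traffic may cross the tun device."""
    rules = ["iptables -N VPN_C2C",
             f"iptables -A FORWARD -i {dev} -o {dev} -j VPN_C2C"]
    for name, p in plan.items():
        rules.append(f"iptables -A VPN_C2C -s {p['block']} -d {p['block']} -j ACCEPT  # {name}")
    rules.append("iptables -A VPN_C2C -j DROP")  # anything crossing customer blocks
    return rules

def permitted(plan, src, dst):
    """Model of what the rule set above lets through between two VPN addresses."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in p["block"] and dst in p["block"] for p in plan.values())

if __name__ == "__main__":
    plan = allocate({"alpha": ["rtu-a1", "rtu-a2"], "beta": ["rtu-b1"]})
    for cn, body in ccd_files(plan).items():
        print(f"ccd/{cn}: {body}")
    print("\n".join(iptables_rules(plan)))
```

Traffic addressed to the server itself (10.8.0.1) goes through INPUT rather than FORWARD, so it is unaffected by the chain above.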