This is something I've been meaning to address for quite some time, since the documentation is very, very wrong. I'm not very good at reading the code (yet), so please correct me if I'm wrong. This update is based on behavior I've seen and not as much on my ability to read our source.
The human-readable difference:

=== OLD ===
Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface. When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.

=== NEW ===
Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to allow traffic between clients connected to the VPN. This also exposes the traffic between clients to the TUN/TAP interface, allowing for firewalling on a per-client basis. When this option is used, each client will "see" the other clients which are currently connected.

diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2ed5201..009aeda 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -2987,15 +2987,13 @@ Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The .B \-\-client-to-client -flag tells OpenVPN to internally route client-to-client -traffic rather than pushing all client-originating traffic -to the TUN/TAP interface. +flag tells OpenVPN to allow traffic between clients +connected to the VPN. This also exposes the traffic between +clients to the TUN/TAP inteface, allowing for firewalling +on a per-client basis. When this option is used, each client will "see" the other -clients which are currently connected. Otherwise, each -client will only see the server. Don't use this option -if you want to firewall tunnel traffic using -custom, per-client rules. +clients which are currently connected. .\"********************************************************* .TP .B \-\-duplicate-cn ----- Eric F Crist
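Review bot: the replacement text in this hunk inverts the documented semantics of --client-to-client instead of correcting them. The removed lines state that the option makes OpenVPN route client-to-client traffic internally "rather than pushing all client-originating traffic to the TUN/TAP interface", which is exactly why the removed sentence "Don't use this option if you want to firewall tunnel traffic using custom, per-client rules" follows it: packets forwarded inside the daemon never reach the tun/tap device, so the host's forwarding firewall cannot see or filter them. The added lines claim the same option "exposes the traffic between clients to the TUN/TAP interface, allowing for firewalling on a per-client basis", but that describes the behaviour when the option is left off, where client-to-client packets exit through the tun/tap interface and pass the host's forwarding rules. Dropping the firewall caveat also removes the one security-relevant warning in this paragraph. Suggest not applying the change, or, since the submission is based on observed behaviour, adding the test setup (routing, IP forwarding and firewall rules on the server) to the commit message so the observation can be reproduced and compared with the existing text. Minor: "inteface" in the added line is misspelled, and deleting "Otherwise, each client will only see the server" leaves the default behaviour undocumented.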