Hi Gert,

Gert Doering wrote:
> Hi,
>
> On Wed, Nov 05, 2014 at 11:46:50PM +0100, Jan Just Keijser wrote:
>
>> If you are in a tun-based setup then you do not need the iroutes,
>> strictly speaking: it can also be done using server side routing and
>> firewalling, but this requires some iptables magic.
>>
>
> Uh? "no"...
>
> "Please make the network 192.168.1.0/24 available behind 'client-gert'"
> - how would you do that with iptables magic, if OpenVPN doesn't know
> which client session to send the packets to?
>
> For *tap* it's easy (as it's just "route to the next-hop on the tap
> interface transit net") but for tun, the server needs to know.
>
> Of course, you could do NAT on the client side to make "VPN access work
> for an additional client network", but that won't work for (non-natted)
> access *to* that network.
>
I hate to admit it, but I'm afraid you're right ;)

I was still trying to get a working example but I think I've got 'tun' and 'tap' mixed up....

Now that I think about it, it will indeed not work in 'tun' mode. I was confusing this with 'client-to-client': it's possible to provide client-to-client functionality without 'client-to-client' using some iptables magic. This is not possible in 'tap' mode. In 'tap' mode you can avoid 'iroutes'.

JJK
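
The tun-mode case discussed in this thread, as an added configuration example that is not part of the original messages: the network 192.168.1.0/24 and the client name 'client-gert' come from the thread, while the VPN subnet 10.8.0.0/24 and the `ccd` directory name are assumptions.

```conf
# --- server.conf (server side; constructed example) ---
dev tun
server 10.8.0.0 255.255.255.0        # assumed VPN subnet, not from the thread
client-config-dir ccd                # assumed directory name

# Kernel route: the server host hands packets for the client LAN
# to the tun interface, i.e. to the OpenVPN process.
route 192.168.1.0 255.255.255.0

# --- ccd/client-gert (file name = the client certificate's Common Name) ---
# Internal route: tells OpenVPN which client session owns 192.168.1.0/24.
# A tun interface carries no next-hop information, so without this line
# the server cannot pick a session and the packets are dropped.
iroute 192.168.1.0 255.255.255.0
```

The `iroute` entry also works as a source filter: the server only accepts packets from a client whose source address is that client's VPN address or falls inside one of its `iroute` subnets, so it should list only networks that client is meant to front.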