Hi,

On Thu, Nov 06, 2014 at 12:18:37AM +0100, Jan Just Keijser wrote:
> I will look into providing a more elaborate example tomorrow, but in
> short this is what I'd do:
>
> - use 'topology subnet' so that each client is assigned a single address
> instead of the /30 subnets
> - add server side routes directly to the IP address of the client (so if
> clientA is assigned IP 192.168.0.2 then the GW for the server side route
> is 192.168.0.2); you might be able to get away with your current /30
> topology and then specify the IP address of the client (192.16.8.0.5)
> but I am not sure
> - make sure ip forwarding is enabled on the server
> - use tcpdump to see what traffic is coming in on tun0

Won't work. The server side routing will stuff the packets into the
server tun, but there is no next-hop information in the packets - so
the OpenVPN server process MUST know which client this is to be sent to.

Classic layer3 routing - every hop on the way needs to know the
forwarding information, and on the server side, you have two forwarding
tables - "server to tun" and "openvpn server process to client
connections" - both must have the info.

> PS for those who are wondering: this will NOT work in tap mode

To the contrary. For TAP it will work just fine, as TAP packets *do*
carry next-hop information (aka "ethernet destination addresses").

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
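
Added example, not part of the original message and not OpenVPN code: a small Python model of the two server-side forwarding tables described above, showing why a kernel route alone is not enough in tun mode while tap mode can forward on the Ethernet destination address. All addresses, MACs and client names are constructed, and the 10.10.1.0/24 LAN behind clientA is an assumption.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def lookup(table, dst):
    """Longest-prefix match of dst against {network: target}; None if no match."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in table if addr in n]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

# Constructed addressing (assumption): clientA is 192.168.0.2 and has the
# LAN 10.10.1.0/24 behind it; clientB is 192.168.0.3.
KERNEL_TUN = {net("192.168.0.0/24"): "tun0", net("10.10.1.0/24"): "tun0"}
OPENVPN_TUN = {net("192.168.0.2/32"): "clientA", net("192.168.0.3/32"): "clientB"}

def forward_tun(dst, kernel=KERNEL_TUN, internal=OPENVPN_TUN):
    """Table 1 (server to tun), then table 2 (OpenVPN process to client)."""
    if lookup(kernel, dst) != "tun0":
        return "DROP: no kernel route"
    # The IP packet on tun0 carries no next hop, so OpenVPN can only use dst.
    return lookup(internal, dst) or "DROP: openvpn has no client for dst"

def with_internal_route(cidr, client):
    """Table 2 plus one subnet behind a client. In OpenVPN this entry comes
    from the iroute directive (not named in the email)."""
    return {**OPENVPN_TUN, net(cidr): client}

# tap mode: the kernel route names a gateway, resolves it to a MAC, and the
# Ethernet frame carries that MAC to the OpenVPN process.
KERNEL_TAP = {net("10.10.1.0/24"): "192.168.0.2"}   # network -> gateway IP
NEIGHBOURS = {"192.168.0.2": "02:00:00:00:00:0a"}   # gateway IP -> MAC
OPENVPN_TAP = {"02:00:00:00:00:0a": "clientA"}      # MAC -> client

def forward_tap(dst):
    gateway = lookup(KERNEL_TAP, dst)
    if gateway is None:
        return "DROP: no kernel route"
    mac = NEIGHBOURS.get(gateway)
    return OPENVPN_TAP.get(mac, "DROP: no client with that MAC")

if __name__ == "__main__":
    print(forward_tun("10.10.1.5"))   # kernel route exists, OpenVPN drops it
    fixed = with_internal_route("10.10.1.0/24", "clientA")
    print(forward_tun("10.10.1.5", internal=fixed))
    print(forward_tap("10.10.1.5"))
```

In the first call the packet would still show up in tcpdump on tun0, which is why the capture alone does not prove the route works end to end.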