Hello,
Thanks to all for taking the time to educate.
> At least the order of encryption/decryption and
> compression/decompression makes no sense.
> Compression should always be done before encryption!
>> it's actually even weirder when you read the sources:
>> 1) compress
>> 2) fragment
>> 3) encrypt
>> and then in reverse on the receiving end, of course.
Thanks, I've updated the diagram.
> Regarding ICMP: Yes, PMTUD relies on ICMP, thus blocking ICMP is
> generally a bad idea - why do you have this in place?
>> uhm, as Pippin stated, his firewall/router does this for him,
>> whether he likes it or not;
Exactly, though I do not DROP ICMP myself; I know it's a bad
idea. It depends on the type, etc.
I asked this question because I'm trying to help a fellow Synology NAS owner.
>> however, OpenVPN itself does not need PMTUD
That's what I was looking for.
>> One thing I would like to highlight is that it seems that packets going
>> from the App to tun0 are then re-entering routing/iptables before reaching
>> OpenVPN.
>> This should not happen because packets entering tun0 are then directly
>> delivered to OpenVPN.
>> (not sure how this could be fixed in the diagram)
>> Antonio Quartulli
>>> I believe the diagram is correct - packets sent by an application to
>>> tun0 *ARE* processed using iptables before reaching OpenVPN - if you set
>>> a rule
>>> iptables -I INPUT -i tun+ -j DROP
>>> then no packets would enter the tunnel....
Hmm, I think so too, because by putting rules in the forward chain
one can control inter-client traffic...
When pinging from client to client running tcpdump, one can see packets
come into tun and back to OpenVPN according to:
http://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/
Also, using the iptables owner module one can make a very effective
"kill switch" for traffic trying to get out where it should not.
I will wait to update the diagram until it's clear how packets flow.
I depend on the knowledgeable :)
Thanks a lot,
Pippin
Sent with [ProtonMail](https://protonmail.com) Secure Email.
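The owner-module "kill switch" mentioned in the message above, as an added example that is not part of the original thread. It assumes (constructed for the example) that OpenVPN runs as a dedicated user `openvpn`, the physical uplink is `eth0` and the server is reached over UDP 1194 by IP address; the `-o tun+` rule also reflects the point made in the thread that packets sent into tun0 do traverse iptables.

```shell
#!/bin/sh
# Added example, not code from the thread. Locally generated traffic may only
# leave through the tunnel, except the OpenVPN process itself, which is allowed
# to reach the server over the physical uplink. Everything else is dropped.
VPN_USER="${VPN_USER:-openvpn}"   # assumed: user OpenVPN runs as
WAN_IF="${WAN_IF:-eth0}"          # assumed: physical uplink
VPN_PORT="${VPN_PORT:-1194}"      # assumed: server port (UDP)

# Emit the rule set, one iptables command per line, so it can be reviewed
# (or tested) before anything touches the live firewall.
# Note: the owner match only works on locally generated packets, i.e. in the
# OUTPUT chain; it cannot classify forwarded traffic.
killswitch_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --dport $VPN_PORT -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Apply the generated rules; requires root. Because the server must be named
# by IP (no DNS is allowed out of $WAN_IF), use "remote <ip>" in the client
# config or add a DNS rule for $VPN_USER as well.
apply_killswitch() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_killswitch: must run as root" >&2
        return 1
    fi
    killswitch_rules | while IFS= read -r cmd; do
        $cmd || return 1
    done
}

# With "apply" as the first argument the rules are installed; otherwise they
# are only printed for review.
if [ "${1:-}" = "apply" ]; then
    apply_killswitch
else
    killswitch_rules
fi
```

The REJECT rule for the uplink (rather than relying on the DROP policy alone) makes a leaking application fail fast with an ICMP error instead of hanging on a timeout.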
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users