Hi,

On Tue, Jun 13, 2017 at 06:26:45PM -0400, Pippin1st via Openvpn-users wrote:
> > in your diagram, on the sending side, packets cross the
> > routing/iptables block twice before getting to OpenVPN:
> > 1) once while going from the app to the tun0 interface
> > 2) once while going from tun0 to OpenVPN
> >
> > What you are saying above is correct and it is about point 1).
> > My argument was about point 2): once packets have entered tun0,
> > they directly go to the OpenVPN process (which is attached to tun0),
> > without being processed by routing/iptables again.
>
> Aah ok, so rules are applied from OpenVPN > to > tun.
When thinking about firewalls (and routing, for that matter), imagine OpenVPN as a black box sitting on a "second network card" connected to the linux machine.

So there's iptables on the tun interface connecting "linux networking" and "openvpn black box" - packets towards openvpn (and the other side of the VPN) are processed "out on tunX", while packets coming from the VPN are processed "in on tunX".

*Inside* OpenVPN, there's potentially a second set of firewall rules, but those are "OpenVPN pf rules", not related to (and not visible to) host-side iptables.

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
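To make the "black box on a second network card" model concrete, here is an added example script (not from the post above and not part of the OpenVPN project) that emits host-side iptables rules following exactly that split: traffic the host sends into the VPN is matched with `-o tunX`, traffic arriving from the VPN with `-i tunX`, and the OpenVPN process's own encrypted UDP transport never touches tunX at all, so it is filtered on the physical uplink. The interface names (tun0, eth0), the port (UDP 1194), the remote subnet (10.8.0.0/24) and the client-side point of view are assumptions for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the OpenVPN project.
# Generates host-side iptables rules for the "OpenVPN as a black box
# behind tunX" model. Assumed names (override via environment):
TUN_IF="${TUN_IF:-tun0}"        # tunnel interface OpenVPN is attached to
WAN_IF="${WAN_IF:-eth0}"        # physical uplink carrying the UDP transport
VPN_PORT="${VPN_PORT:-1194}"    # peer's OpenVPN port (client-side view)
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # subnet on the far side of the tunnel

# Print the rule set instead of applying it, so it can be reviewed first.
vpn_firewall_rules() {
    # 1. The OpenVPN process exchanges encrypted UDP with its peer over the
    #    physical interface. Those packets never cross tun0, so any rule
    #    about port 1194 belongs on eth0, not on tun0.
    echo "iptables -A OUTPUT -o $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT"
    echo "iptables -A INPUT  -i $WAN_IF -p udp --sport $VPN_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"

    # 2. Packets the host hands to the VPN ("out on tunX"): locally
    #    generated traffic crosses OUTPUT, routed LAN traffic crosses FORWARD.
    #    This is the single iptables pass a packet sees before OpenVPN reads it.
    echo "iptables -A OUTPUT  -o $TUN_IF -d $VPN_NET -j ACCEPT"
    echo "iptables -A FORWARD -o $TUN_IF -d $VPN_NET -j ACCEPT"

    # 3. Packets OpenVPN writes into tun0 after decryption ("in on tunX"):
    #    they hit INPUT if addressed to this host, FORWARD if routed onward.
    #    Default stance: only replies to what we initiated, drop the rest.
    echo "iptables -A INPUT   -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT   -i $TUN_IF -j DROP"
    echo "iptables -A FORWARD -i $TUN_IF -j DROP"
}

# Count how many generated rules match an interface in a given direction
# (-i or -o). Handy for checking that a rule set follows the model.
count_rules() {
    direction="$1"   # "-i" or "-o"
    iface="$2"
    vpn_firewall_rules | grep -c -- "$direction $iface"
}

# Apply the rules (needs root). Not invoked by default.
apply_vpn_firewall_rules() {
    vpn_firewall_rules | sh
}
```

Review the output with `sh vpn-rules.sh` (the script only prints), then apply with `vpn_firewall_rules | sudo sh`. Note what the model implies: there is no way to filter the encrypted transport on tun0, and nothing in this rule set sees the "OpenVPN pf rules" that may exist inside the OpenVPN process itself.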