bridging and client-to-client

Posted: Sat May 20, 2017 1:09 am
by gonzobrandon
Hello,

I understand the sensitivity of posting routing questions in the OpenVPN forum. I can handle making iptables work when I get to that point...

Goal: I have server-bridge mode on. I would like to prevent client-to-client communications...EXCEPT a few administrative IPs.

There are plenty of examples in the Wiki and FAQ about how to get that set up with routing mode, but I can't seem to get it working in bridge mode.

client-to-client in the server.conf is commented out (off) and that works. I see the ARP requests coming through (via tcpdump on the br0 interface) when a client tries to ping another client...but I can't simply apply a FORWARD iptables rule to allow a specific client (admin) to get through to another client.

Am I thinking about this wrong? Is this possible in bridging mode? I can provide the standard route/server.conf file...but they aren't far from the defaults packaged with OpenSSL.

Thanks for your help

Re: bridging and client-to-client

Posted: Sat May 20, 2017 2:04 am
by TinCanTech
Do you understand the difference between the modes?
  • OSI Layer 2 (what you know as bridge mode)
  • OSI Layer 3 (what you know as routing mode)

These are not modes imposed by OpenVPN... they are networking principles.

Re: bridging and client-to-client

Posted: Sat May 20, 2017 2:19 am
by gonzobrandon
I clearly don't. I'm thinking I need to route/firewall on the Ethernet frames.

Re: bridging and client-to-client

Posted: Sat May 20, 2017 11:34 am
by TinCanTech
Unless you know why you need to use Layer 2, it is almost certain that you don't.

Re: bridging and client-to-client

Posted: Sat May 20, 2017 11:46 am
by gonzobrandon
Our clients on the VPN use non-IP traffic. We have to use bridge mode. Would ebtables be appropriate?