https://serverfault.com/questions/11177 ... 58#1117758
but I'm not sure if I'll find anything there. I'll try here. I have established a TUN, client-to-client connection, and am trying to ping the LAN IP address behind the OpenVPN server from the client. And it works! But why?? I have set iptables FORWARD as DROP and disabled ip.v4.forwarding.
Just like in the answer to my question on serverfault.com, and also on other websites, it is of course in the client-to-client setting itself that the packets are not exposed to the kernel so the above rules do not have any effect. But that doesn't apply if I want to connect another physical interface on the server, or does it? How is the OpenVPN process supposed to connect an interface without doing it through the kernel???
