LINUX.ORG.RU

Change history

Correction by sanyock (current version):

judging by:
http://backreference.org/2010/05/02/controlling-client-to-client-connections-...

OpenVPN has a feature called client-to-client to be used on the server, that permits, as the name says, client-to-client connections. This allows connectivity between any pair of clients, but it is implemented internally to the OpenVPN server, and packets are not exposed to the operating system.
In some instances you might want to have a better control over which clients can talk to which clients, and using client-to-client does not allow for that (at least currently).

How to solve the problem? The answer is: do NOT use client-to-client in the server's configuration file! That may sound strange at first, but it does in fact make sense, at least in routed mode. If client-to-client is not enabled, the server becomes a sort of «router on a stick» (even if the clients are on the same subnet!), meaning that packets are decapsulated, come «out» of the server's tun interface and are then (if needed) routed back into the same tun interface (but encapsulated to be sent to the right destination).

client-to-client is not at all required for routing between clients; it only affects who does the routing: OpenVPN or the OS

Original version by sanyock:

judging by:
http://backreference.org/2010/05/02/controlling-client-to-client-connections-...

OpenVPN has a feature called client-to-client to be used on the server, that permits, as the name says, client-to-client connections. This allows connectivity between any pair of clients, but it is implemented internally to the OpenVPN server, and packets are not exposed to the operating system.

In some instances you might want to have a better control over which clients can talk to which clients, and using client-to-client does not allow for that (at least currently).

How to solve the problem? The answer is: do NOT use client-to-client in the server's configuration file! That may sound strange at first, but it does in fact make sense, at least in routed mode. If client-to-client is not enabled, the server becomes a sort of «router on a stick» (even if the clients are on the same subnet!), meaning that packets are decapsulated, come «out» of the server's tun interface and are then (if needed) routed back into the same tun interface (but encapsulated to be sent to the right destination).
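
An added example, not part of sanyock's post or the quoted article: with client-to-client left out, client traffic leaves the tun interface and is routed back into it, so the server's FORWARD chain can decide which client pairs may talk. The script prints such a rule set from an allow list. The interface name tun0, the client addresses, per-client address pinning and the use of iptables are assumptions.

```shell
#!/bin/sh
# Added example: print iptables FORWARD rules for traffic that leaves tun0 and
# is routed back into tun0 (OpenVPN server running without client-to-client).
# Assumptions, not from the page: interface name tun0, client addresses pinned
# per client (e.g. ifconfig-push in client-config-dir), IPv4 forwarding enabled.
TUN_IF=tun0

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read "src dst" pairs from stdin and print the rule set. Nothing is printed
# if any line is invalid, so a partial policy without the final DROP can never
# be applied. Pairs that are not listed are dropped, same subnet or not.
c2c_rules() {
    base="iptables -A FORWARD -i $TUN_IF -o $TUN_IF"
    # Replies to connections that an allowed pair has already opened.
    rules="$base -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r src dst rest || [ -n "$src" ]; do
        case "$src" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! is_ipv4 "$src" || ! is_ipv4 "$dst" || [ -n "$rest" ]; then
            echo "invalid pair: $src $dst $rest" >&2
            return 1
        fi
        rules="$rules
$base -s $src -d $dst -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "$rules" "$base -j DROP"
}

# Constructed policy: 10.8.0.10 may open connections to 10.8.0.20, while
# 10.8.0.20 may only answer them.
c2c_rules <<'EOF'
# src        dst
10.8.0.10 10.8.0.20
EOF
```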