From: "Peter Allgeyer" <allgeyer at web dot de>
To: "Kris Maglione" <bsdaemon at comcast dot net>
CC: m0n0wall at lists dot m0n0 dot ch
Date: Sun, 18 Sep 2005 11:26:47 +0200
Subject: Re: [m0n0wall] OpenVPN, switching to m0n0 ....

BTW: Is an "Ethernet tunnel" a useful scenario on a gateway?

=> Yes, I think it is. The tunnel must use either tun or tap at both ends. Client drivers have an impact. If I remember right, Mac OS X prior to 10.3 can't use tap; Windows can't do tun.

I too think OpenVPN is a large beast. I am afraid the GUI will not be able to allow for the wide range of configuration that is possible. Examples:

1) On some clients, I had lockups due to packet size and this type of stuff. At the time (ovpn 1.x) that was solved in the client and server machine confs (ovpn 1 has a p2p design) with fragment, mssfix and the like. In ovpn 2, which works in client/server fashion, that is solved using custom configuration rules in a "ccd" directory with per-client rules for the server side (and possibly client side via "push").

2) Under ovpn 1.x I had about 10 tunnels, which meant 10 tap devices on the server, and 20 conf files. Ovpn 2 has simplified that, but I *still* use 2 ovpn daemons. There is one bridging the LAN and another one serving a DMZ area. Separate processes, confs, binaries; I feel safer that way.

I am certainly not saying everybody does this, nor that it is the thing to do. Simply, it is possible to do that, so regularly twisted people will try doing it.

So. Could a solution be to have the current and nice GUI for general cases, and expose the configuration file on the floppy for experts?

IMHO it would be nice if James Yonan (the OpenVPN developer) would poke into this discussion. He certainly is a clever man.

--JPM
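As an added illustration of the two layouts the message describes (a ccd directory with per-client rules, and two separate OpenVPN 2 daemons, one bridging the LAN over tap and one serving a DMZ over tun), the configuration below is example material written for this archive, not the poster's own files and not part of m0n0wall. All file paths, interface names, ports, address ranges and certificate common names are assumptions; the directive names are standard OpenVPN 2 options.

```conf
# ---- /usr/local/etc/openvpn/lan-bridge.conf  (assumed path) ----
# Daemon 1: bridged "Ethernet tunnel" for the LAN. Bridging needs tap on
# both ends, so a client whose driver only supports tun cannot use this one.
dev tap0
proto udp
port 1194
# tap0 is assumed to be a member of the LAN bridge; OpenVPN hands clients
# addresses from the LAN subnet (assumed 192.168.1.0/24).
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
ca   /usr/local/etc/openvpn/ca-lan.crt
cert /usr/local/etc/openvpn/lan-server.crt
key  /usr/local/etc/openvpn/lan-server.key
dh   /usr/local/etc/openvpn/dh2048.pem
# The ovpn 1.x per-tunnel fix for packet-size lockups, now set once for the
# whole instance instead of in 20 separate conf files.
fragment 1300
mssfix 1300
# Per-client overrides: one file per certificate common name.
client-config-dir /usr/local/etc/openvpn/ccd-lan
# Drop privileges once the tap device and keys are set up.
user nobody
group nobody
persist-key
persist-tun
keepalive 10 60
verb 3

# ---- /usr/local/etc/openvpn/dmz.conf  (assumed path) ----
# Daemon 2: separate process, conf, keys and CA for the DMZ. Routed (tun)
# rather than bridged, so DMZ clients never share a layer-2 segment with
# the LAN; the firewall rules on tun1 decide what they may reach.
dev tun1
proto udp
port 1195
server 10.8.1.0 255.255.255.0
ca   /usr/local/etc/openvpn/ca-dmz.crt
cert /usr/local/etc/openvpn/dmz-server.crt
key  /usr/local/etc/openvpn/dmz-server.key
dh   /usr/local/etc/openvpn/dh2048.pem
fragment 1300
mssfix 1300
client-config-dir /usr/local/etc/openvpn/ccd-dmz
# Only CNs with a ccd file may connect; unknown certs are refused.
ccd-exclusive
user nobody
group nobody
persist-key
persist-tun
keepalive 10 60
verb 3

# ---- /usr/local/etc/openvpn/ccd-dmz/dmz-host-a  (assumed CN "dmz-host-a") ----
# Server-side rule for one client: fixed address pair (net30 topology)...
ifconfig-push 10.8.1.6 10.8.1.5
# ...and a client-side rule delivered with "push": a single extra route
# for this client only, rather than a global route for every DMZ peer.
push "route 172.16.5.0 255.255.255.0"

# ---- client side for the DMZ instance (assumed file dmz-client.conf) ----
# dev must match the server's device type: tun here, tap for lan-bridge.conf.
client
dev tun
proto udp
remote vpn.example.net 1195
ca   ca-dmz.crt
cert dmz-host-a.crt
key  dmz-host-a.key
fragment 1300
mssfix 1300
persist-key
persist-tun
verb 3
```

Each server file is started as its own openvpn process (for example `openvpn --config dmz.conf`), which is what gives the "separate processes, confs, binaries" isolation the message prefers: a fault or compromise in the DMZ daemon does not expose the LAN bridge's keys or tap device. The ccd file shows both halves the message mentions: `ifconfig-push` is applied on the server, while the `push` line is sent to, and executed by, that one client.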