Just about to set up an openvpn system for members of the public. I'm using a routed (dev tun) openvpn system.
Now my question is:
I know that I can push certain IPs to clients. Now, on a normal LAN, clients are free to change their IP address manually (just by going into network settings). Can this be done in Openvpn? Hopefully not.
I tried this on a test bed and it didn't work (which is great!) - the server just kept saying "bad source address" or something like that.
So does openvpn really prevent IP spoofing? Or was I not doing something to make my spoof attack work?
Cheers
P.S. The reason why IP is so important is that my squid logging system is based on client IP connections.
nice idea,
never tried that - but, i'm wondering which IP/subnet did you push to the VPN client?
was it something like /32, or /30 as p2p links or a standard subnet like /24 etc?
my catch is that you can not change an IP being used in an established VPN session just like that - unlike on basic ethernet network.
just a thought.
anyway, i see that you need a squid mechanism to disconnect an overlimit session in your tunnel server? on the other post.
yes, you can do that - try to search around squid delay pool.
i've seen my friends doing that to limit and even to drop downloads if it has reached the limit (aside from using ACLs).
yes, the basic squid delay pool purpose was only to limit/shape the link - but, with a little hack - it can drop the connection too.
HTH.
Last edited by rossonieri#1; 04-17-2009 at 12:41 AM.
That's great about openvpn ip spoofing! One step closer to my needs!
You were mentioning Squid delay pools - is there any way to log the amount used though and somehow dynamically change them if e.g. the client were to "top his account up"?
but the drop if over limit mechanism should be done via delay pool. if you can write some script - i think you can combine them both.
and you can also put an openldap-based browser authentication - so that you don't have to open the whole VPN port - just what your users need to have like 80, 443, 53 etc.
HTH.
Last edited by rossonieri#1; 04-18-2009 at 10:46 AM.
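The "bad source address" drops mentioned in the first post can be audited from the server log. The following is an added example, not code from anyone in this thread: it groups dropped source addresses by client certificate name and separates addresses inside the tunnel pool from other leaked sources. The log line layout, the 10.8.0.0/24 pool and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the tunnel pool is 10.8.0.0/24; use the subnet from your "server" directive.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample lines. The "CommonName/real_ip:port" prefix is an assumed layout.
SAMPLE_LOG = """\
Fri Apr 17 00:10:01 2009 alice/203.0.113.10:51234 MULTI: bad source address from client [10.8.0.99], packet dropped
Fri Apr 17 00:10:02 2009 alice/203.0.113.10:51234 MULTI: bad source address from client [10.8.0.99], packet dropped
Fri Apr 17 00:10:05 2009 bob/198.51.100.7:40000 MULTI: bad source address from client [192.168.1.20], packet dropped
Fri Apr 17 00:10:09 2009 carol/192.0.2.44:1194 Peer Connection Initiated with 192.0.2.44:1194
Fri Apr 17 00:10:11 2009 alice/203.0.113.10:51234 MULTI: bad source address from client [10.8.0.14], packet dropped
"""

BAD_SRC = re.compile(
    r"(?P<cn>[^\s/]+)/\S+:\d+ "
    r"MULTI: bad source address from client \[(?P<src>[^\]]+)\], packet dropped"
)


def classify_bad_sources(log_text, vpn_subnet=VPN_SUBNET):
    """Return (in_pool, outside_pool): dropped sources per client common name.

    in_pool: the client sent packets as a tunnel address it was not assigned,
    the case that matters when Squid logs by client IP. outside_pool: any other
    source, typically a LAN behind the client with no iroute entry.
    """
    in_pool, outside_pool = {}, {}
    for line in log_text.splitlines():
        m = BAD_SRC.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # unparseable address text, skip the line
        bucket = in_pool if src in vpn_subnet else outside_pool
        bucket.setdefault(m["cn"], Counter())[str(src)] += 1
    return in_pool, outside_pool


if __name__ == "__main__":
    in_pool, outside_pool = classify_bad_sources(SAMPLE_LOG)
    print("pool addresses claimed:", {cn: dict(c) for cn, c in in_pool.items()})
    print("other dropped sources:", {cn: dict(c) for cn, c in outside_pool.items()})
```

Repeated in-pool entries for one certificate name are the ones worth following up, since every such packet was dropped before it could reach the proxy.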