VPN with authentication/encryption with separate tap interface for each client



Is there any VPN program that handles client authentication and data encryption and ends in a tap interface for every authenticated client?

I need one shared UDP port (the VPN service port) to which clients connect with the VPN protocol, and I need every authenticated client to end up in its own tap interface. This allows me to set up the firewall, routing, a different DHCP server, … for every client connected to the VPN concentrator separately.

OpenVPN is not an option because I don’t know how to set up 1 external port -> separate tap interfaces. I don’t want to do routing or any filtering in the VPN daemon; this is the kernel’s job.

If it doesn’t exist I’m going to write my own app (will be GPL or so, of course).

Thank you!

Solution:

Check into OpenVPN’s learn-address setting: you can run a script that sets up a custom table for each client, then in your FORWARD table add a rule that jumps to that custom table based on the client’s source address (with a final default deny for all forwarding). That’s how I handle it here: each client has a file that contains one CIDR entry per line; that becomes their custom table and defines what networks/hosts they are able to access via the VPN (if you need to filter on protocols/ports rather than simply networks/hosts, just do a bit more scripting).
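One way to script what the answer above describes, as an added example rather than the answer's own script. OpenVPN runs the learn-address hook as "cmd add|update <address> <common_name>" and "cmd delete <address>" (no common name on delete), so the script keeps a small address-to-chain state directory to know what to tear down. What the answer calls a custom table is a user-defined iptables chain here. The paths /etc/openvpn/acl and /run/openvpn-acl, the vpn_<common_name> chain naming and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical OpenVPN --learn-address hook (an added example, not the answer's own script).
# OpenVPN runs it as:   learn-address add|update <address> <common_name>
#                       learn-address delete <address>
# Each client has an allow-list at $ACL_DIR/<common_name>, one destination CIDR per line;
# the hook turns it into a per-client chain that FORWARD jumps to by source address.

ACL_DIR="${ACL_DIR:-/etc/openvpn/acl}"      # assumed layout
STATE_DIR="${STATE_DIR:-/run/openvpn-acl}"  # remembers address -> chain for 'delete'
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the commands instead of running them

# Turn a common name into a legal chain name ([A-Za-z0-9_], at most 28 characters).
chain_for() {
    printf 'vpn_%s' "$1" | tr -c 'A-Za-z0-9_' '_' | cut -c1-28
}

# State file for a learned address (a CIDR's '/' cannot appear in a file name).
state_file() {
    printf '%s/%s' "$STATE_DIR" "$(printf '%s' "$1" | tr '/' '_')"
}

# Print the commands that (re)build <chain> from <acl-file> and hook it into FORWARD for <address>.
# A missing or empty ACL file yields a chain holding only the DROP rule: that client forwards nothing.
rules_add() {
    ch=$1 src=$2 acl=$3
    echo "$IPT -N $ch 2>/dev/null || $IPT -F $ch"
    if [ -r "$acl" ]; then
        while IFS= read -r cidr || [ -n "$cidr" ]; do
            case "$cidr" in ''|\#*) continue ;; esac   # skip blanks and comments
            echo "$IPT -A $ch -d $cidr -j ACCEPT"
        done < "$acl"
    fi
    echo "$IPT -A $ch -j DROP"
    # Drop a stale jump left by an earlier add/update, then insert the fresh one.
    echo "$IPT -D FORWARD -s $src -j $ch 2>/dev/null || true"
    echo "$IPT -I FORWARD -s $src -j $ch"
}

# Print the commands that unhook and delete a client's chain.
rules_delete() {
    ch=$1 src=$2
    echo "$IPT -D FORWARD -s $src -j $ch"
    echo "$IPT -F $ch"
    echo "$IPT -X $ch"
}

# Run (or, with DRY_RUN=1, just show) the commands read on stdin, one per line.
apply() {
    if [ "$DRY_RUN" = 1 ]; then cat; else sh -e; fi
}

learn_address() {
    op=$1 addr=$2 cn=$3
    f=$(state_file "$addr")
    case "$op" in
        add|update)
            chain=$(chain_for "$cn")
            # The address moved to another client: unhook the previous client's chain first.
            if [ -r "$f" ] && [ "$(cat "$f")" != "$chain" ]; then
                rules_delete "$(cat "$f")" "$addr" | apply
            fi
            mkdir -p "$STATE_DIR" && printf '%s\n' "$chain" > "$f"
            rules_add "$chain" "$addr" "$ACL_DIR/$cn" | apply ;;
        delete)
            [ -r "$f" ] || return 0          # never learned this address; nothing to undo
            rules_delete "$(cat "$f")" "$addr" | apply
            rm -f "$f" ;;
        *)
            echo "usage: $0 add|update|delete <address> [common_name]" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked by OpenVPN (with arguments); sourcing the file just defines functions.
if [ $# -ge 2 ]; then
    learn_address "$@"
fi
```

Wire it in with "learn-address /etc/openvpn/learn-address.sh" plus "script-security 2" in the server config, and set "iptables -P FORWARD DROP" so that a client for which no chain exists (or whose chain is still being built) cannot forward anything: that is the answer's final default deny. DRY_RUN=1 lets you review the generated rules before letting OpenVPN run the hook for real.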

OpenVPN is not an option because you don’t know how to use it? You have told us what your requirements are. Leave it up to the answers to decide what turns out to be an option or not.

First point: you can use the iptables CONNMARK and MARK targets for marking everything from a certain client. This can be used for firewalling and routing. I doubt that you need several DHCP servers, as you can set each client’s configuration based on its L2 address.

If you really need one interface per DHCP instance, this should be possible with virtual interfaces: enslave veth0 to the VPN tap bridge and bind the DHCP server to veth1, or similar. The separation of the bridged VPN clients can be done with ebtables.

It’s hard to believe that anyone could seriously consider writing VPN software because he wants to use only one UDP port (why?). Even this could easily be realized with NAT. You just have to be able to associate client configurations with source addresses. And even with completely dynamic client IP addresses this could be enforced by creating a non-encrypted IP tunnel first.
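The CONNMARK/MARK idea from the answer above, as an added example that is not the answer's own code: a generator that turns a small client table into the mangle rules that tag each client's traffic, the FORWARD jump that firewalls by that tag, and the "ip rule fwmark" entries that route each client through its own routing table. The interface name tap0, the table format, the mark values and the routing-table ids are all constructed for the example.

```shell
#!/bin/sh
# Added example for the CONNMARK/MARK approach; hypothetical, not code from the answer.
# Input (stdin): a client table, one "client_ip mark table [gateway]" per line.
# Output: the iptables and ip commands that tag a client's packets with a connection mark,
# firewall them by that mark, and route them through the client's own routing table.

VPN_IF="${VPN_IF:-tap0}"   # assumed name of the single VPN interface the clients share

# Mangle rules: tag each client's packets and make the tag stick to the whole connection.
mark_rules() {
    # Reuse a mark already stored on the connection (later packets of a flow)...
    echo "iptables -t mangle -A PREROUTING -i $VPN_IF -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A PREROUTING -i $VPN_IF -m mark ! --mark 0 -j ACCEPT"
    # ...otherwise classify the first packet of the flow by its source address.
    while read -r ip mark table gw; do
        case "$ip" in ''|\#*) continue ;; esac   # skip blanks and comments
        echo "iptables -t mangle -A PREROUTING -i $VPN_IF -s $ip -j MARK --set-mark $mark"
    done
    # Copy the freshly set packet mark onto the conntrack entry.
    echo "iptables -t mangle -A PREROUTING -i $VPN_IF -j CONNMARK --save-mark"
}

# Firewall and policy-routing commands, one set per client, selected by mark rather than address.
route_rules() {
    while read -r ip mark table gw; do
        case "$ip" in ''|\#*) continue ;; esac
        # A per-client chain in FORWARD; fill it with the client's allow rules, end with DROP.
        echo "iptables -N fwd_mark_$mark 2>/dev/null || iptables -F fwd_mark_$mark"
        echo "iptables -A FORWARD -m mark --mark $mark -j fwd_mark_$mark"
        # Marked packets consult the client's own routing table.
        echo "ip rule add fwmark $mark lookup $table"
        if [ -n "$gw" ]; then
            echo "ip route replace default via $gw table $table"
        fi
    done
}

# Build the complete command list from a client table on stdin.
build() {
    tbl=$(cat)
    printf '%s\n' "$tbl" | mark_rules
    printf '%s\n' "$tbl" | route_rules
}

# Example run on a constructed table (pipe the output into "sh -e" to apply it):
#   printf '10.8.0.6 1 101 192.0.2.1\n10.8.0.7 2 102\n' | build
```

Only packets arriving on the VPN interface are classified; replies from the outside are routed back to the client subnet by the main table, so they need no mark. The ACCEPT in mangle PREROUTING just ends that chain for already-marked packets, it does not bypass the filter table. Keep "iptables -P FORWARD DROP" as the default so a client whose mark matches no chain forwards nothing.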
