
Re: [Openvpn-users] Connection resetting on very large file transfers


  • Subject: Re: [Openvpn-users] Connection resetting on very large file transfers
  • From: Sean Patrick <spatuality@xxxxxxxx>
  • Date: Thu, 2 Sep 2004 23:46:46 -0400 (EDT)

 --- James Yonan <jim@xxxxxxxxx> wrote: 
> 
> 
> On Wed, 1 Sep 2004, Sean Patrick wrote:
> 
> >  --- James Yonan <jim@xxxxxxxxx> wrote: 
> > > 
> > > 
> > > On Wed, 1 Sep 2004, Sean Patrick wrote:
> > > 
> > > > Hi list,
> > > > 
> > > > Thanks to your help, I have been able to get OpenVPN
> > > > 1.4.0b10 setup between our servers and remote client
> > > 

<snip>

> > Would it be possible to push an entire config, and
> > have the client just reconnect to use the settings?
> 
> This is an interesting idea.  The problem is one of
> security.  You are
> allowing the server to generate a complete config
> file and send it to the
> client.  This goes far beyond the more restrictive
> semantics of
> --push/--pull and creates a scenario where a
> compromised server would have
> no problem "owning" a connecting client's machine. 
> Since OpenVPN config 
> files can execute shell commands, there's an obvious
> danger in allowing 
> them to be imported.
> 
> Of course the other side of the equation is that
> allowing the server to 
> update the client side config file is a powerful
> usability feature, and 
> one that might make sense in some environments.  I
> can still see other 
> problems though:
> 
> (1) What if you push a bad config file update to the
> client, and now it 
> can't reconnect?

Maybe having the client try after the settings are
pushed, and if it can't connect after e.g. 3 retries,
it reverts back to the previous config.

> 
> (2) What if you push a config file update to the
> client which changes a 
> connection parameter such as the cipher type.  Now
> you have to orchestrate 
> the switchover so that the client will try to
> reconnect with another 
> server which also uses the same cipher type. 
<snip>

This is essentially what we are doing now anyways. With
customer computers, the only way we can update their
configs currently is by resending out an install file
which updates their OpenVPN configuration. It may be a
long time, if ever, that some clients update. At that
point, our server is updated, and they can't connect
anymore.

Just some thoughts...

Brian
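Added example, not part of this thread and not OpenVPN project code: a client-side gate for a server-supplied config that shows the two ideas discussed above. It rejects any directive that would make the client run an external program (the reason James gives for keeping --push/--pull narrower than "import the whole file"), and it implements the "retry, then revert" fallback Brian proposes. The directive names are real OpenVPN options; the allow-list, the retry limit, the hypothetical hook path and the sample configs are constructed for illustration.

```python
"""Gate a pushed OpenVPN config before the client uses it, and fall back
to the previous config if the new one cannot connect (added example)."""

# Real OpenVPN directives that run a program or load code on the client.
# A config coming from the server must never contain any of these; otherwise
# a compromised server gets command execution on every connecting client.
SCRIPT_DIRECTIVES = frozenset({
    "up", "up-pre", "down", "ipchange", "route-up", "client-connect",
    "client-disconnect", "learn-address", "auth-user-pass-verify",
    "tls-verify", "plugin",
})

# Assumed allow-list of connection parameters a pushed update may set.
# Anything not listed here is refused too, so unknown directives fail closed.
PUSHABLE_DIRECTIVES = frozenset({
    "remote", "port", "proto", "dev", "cipher", "auth", "comp-lzo",
    "ping", "ping-restart", "ping-exit", "keepalive", "route", "ifconfig",
    "dhcp-option", "redirect-gateway", "persist-tun", "persist-key",
    "nobind", "resolv-retry", "verb", "mute", "ca", "cert", "key", "tls-auth",
})


def parse_directives(config_text):
    """Yield (directive, args) per option line. Lines starting with '#' or ';'
    are comments; an inline <tag>...</tag> block is reported once as 'tag'."""
    in_block = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            yield in_block, ["<inline>"]
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def check_pushed_config(config_text):
    """Return a list of problems; an empty list means the update is acceptable."""
    problems = []
    for directive, args in parse_directives(config_text):
        if directive in SCRIPT_DIRECTIVES:
            problems.append(f"executes a program: {directive} {' '.join(args)}")
        elif directive not in PUSHABLE_DIRECTIVES:
            problems.append(f"not pushable: {directive}")
    return problems


class ConfigRollout:
    """Use a pushed config for a few connection attempts; commit it on the
    first successful connection, revert to the old config after max_failures."""

    def __init__(self, current_config, max_failures=3):
        self.current = current_config
        self.candidate = None
        self.failures = 0
        self.max_failures = max_failures

    def stage(self, pushed_text):
        problems = check_pushed_config(pushed_text)
        if problems:
            raise ValueError("rejected pushed config: " + "; ".join(problems))
        self.candidate = pushed_text
        self.failures = 0

    def active(self):
        """Config the client should connect with right now."""
        return self.candidate if self.candidate is not None else self.current

    def report(self, connected):
        """Record the outcome of one connection attempt with active()."""
        if self.candidate is None:
            return "stable"
        if connected:
            self.current, self.candidate = self.candidate, None
            return "committed"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.candidate = None  # give up on the update, old config is back
            return "reverted"
        return "retrying"


# Constructed sample updates (hostnames and hook path are placeholders).
SAFE_UPDATE = """# pushed update, constructed sample
remote vpn.example.net 1194
proto udp
dev tun
cipher AES-256-CBC
ping 10
ping-restart 60
"""
UNSAFE_UPDATE = SAFE_UPDATE + "up /tmp/pushed-hook.sh\n"

if __name__ == "__main__":
    print("safe:", check_pushed_config(SAFE_UPDATE))
    print("unsafe:", check_pushed_config(UNSAFE_UPDATE))
    r = ConfigRollout("dev tun\nremote old.example.net 1194\n")
    r.stage(SAFE_UPDATE)
    print([r.report(False) for _ in range(3)], r.active().splitlines()[0])
```

The allow-list rather than a pure deny-list is the design choice that matters: a new script-running directive added in a later OpenVPN release would slip past a deny-list, but an allow-list refuses it until someone deliberately adds it. The rollout object only models the retry count; in a real client, `report()` would be driven by the actual connection result.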

