
Re: [Openvpn-users] Re: Post 2.0 feature request


  • Subject: Re: [Openvpn-users] Re: Post 2.0 feature request
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Tue, 18 Jan 2005 18:44:34 -0700 (MST)

On Tue, 18 Jan 2005, Mathias Sundman wrote:

> On Tue, 18 Jan 2005, Charles Duffy wrote:
> 
> > On Tue, 18 Jan 2005 11:18:48 +0100, Mathias Sundman wrote:
> >
> >> I have some problem with people installing OpenVPN on multiple computers
> >> and then it would be helpful to see in the server log the hostname of the
> >> client computer.
> >
> > Hmm. I just have a convention for CNs that goes like
> > <username>-<extraname>.vpn.company.com, where the key-generation
> > instructions document to the user that <extraname> should be something
> > that identifies the system they're using. (CSRs are manually reviewed
> > before signing, so IT can bounce back a certificate that fails to follow
> > this convention).
> >
> > As long as I don't use duplicate-cn, the users have plenty of motivation
> > to build extra certificates for their spare machines, and so I don't find
> > that the problem you describe is one that I have.
> 
> I don't use --duplicate-cn either. The problem is that all users don't 
> realize that using the same certificate on multiple machines causes 
> problems. They are not allowed to copy the certificate to another machine 
> at all, so even if they never connect simultaneously, I want to know if 
> they connect from another machine than the allowed one.
> 
> I just think it would be useful to have some info about the connecting 
> system, like the hostname, in the server log.

I think it would be a fairly easy feature to add.  There's already a
control channel for messages like PUSH_REQUEST, PUSH_REPLY, AUTH_FAILED,
etc.  We can just make a new message type called "INFO" which either side
can send, and which upon receipt will be echoed to the logfile.

James
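
A sketch of how the receiving side could log the INFO message proposed above, as an added example that is not part of the original message or of OpenVPN's code. The `INFO,hostname=<name>` format, the length cap and the CN-to-machine table are assumptions. The hostname is chosen by the client, so it is sanitized before it reaches the logfile and is compared against the record for the certificate CN that was authenticated.

```python
import re

PREFIX = b"INFO,"   # assumed wire prefix for the proposed message type
MAX_LEN = 64        # assumed cap on peer-supplied text written to the log
HOSTNAME_RE = re.compile(r"hostname=([A-Za-z0-9.-]{1,63})")  # assumed payload format

# Constructed inventory: verified certificate CN -> machine the cert was issued for.
ALLOWED = {"alice-laptop.vpn.company.com": "ALICE-LT01"}


def sanitize(raw: bytes) -> str:
    """Make peer-supplied bytes safe to write on a single log line."""
    text = raw[:MAX_LEN].decode("ascii", errors="replace")
    # Replace control characters, newlines and non-ASCII so a client cannot
    # forge extra log lines or inject terminal escape sequences.
    return "".join(c if 0x20 <= ord(c) < 0x7F else "?" for c in text)


def handle_info(cn: str, msg: bytes) -> str:
    """Return the log line for one message from the peer whose verified CN is `cn`."""
    if not msg.startswith(PREFIX):
        return f"{cn} ignored non-INFO message"
    text = sanitize(msg[len(PREFIX):])
    m = HOSTNAME_RE.fullmatch(text)
    if m is None:
        return f"{cn} INFO (unparsed): {text}"
    reported = m.group(1)
    expected = ALLOWED.get(cn)
    if expected is None:
        return f"{cn} INFO hostname={reported} (no machine on record)"
    if reported.lower() != expected.lower():
        # Self-reported value differs from the machine this certificate was issued for.
        return f"{cn} WARNING hostname={reported} expected={expected}"
    return f"{cn} INFO hostname={reported}"


if __name__ == "__main__":
    cn = "alice-laptop.vpn.company.com"
    for sample in (b"INFO,hostname=ALICE-LT01",           # constructed samples
                   b"INFO,hostname=HOME-PC",
                   b"INFO,hostname=x\nbob.vpn.company.com INFO hostname=OK"):
        print(handle_info(cn, sample))
```

A mismatch is a reliable signal of a copied certificate only for clients that report honestly; a matching hostname proves nothing on its own.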


