Hi,

I have two questions concerning the management interface. First, I think this is a great feature of openvpn. But I think that openvpn reacts strangely if you use management-hold. If you are using a TLS-secured connection and you do a hold release, then depending on whether your key is secured by a passphrase, you might be asked for it. If you enter the wrong key, openvpn terminates. I think this should be changed. You can't improve security by this, as anybody could use the openssl command to brute-force the passphrase. Second, a user without admin privileges can't restart openvpn and has to ask his admin or reboot the machine. Maybe openvpn should return to the "Need hold release from management interface, waiting..." status or ask for the passphrase again.

Furthermore, I have a feature request. Imagine the situation where there is a computer used by different (non-admin) persons and openvpn provides them a secure connection via certificates and keys. With the new GUIs, they all can use openvpn. In this scenario it is not the persons who are authenticated against openvpn but the computer, as there is only one certificate/key used by all of them. Starting an individual connection for each user isn't that easy, as you maybe don't know which of the legitimate users might use this computer. In addition, each openvpn instance would have to open its own management interface at a different port. The GUI would have to know which user needs which management interface at which port.

Maybe it is possible to enhance the management interface so that the pkcs12 file can be read from the management interface and not from disk. There could be a special option for this (management-readpkcs12), and if the binary data is a problem it could be base64 encoded or something like this. So the GUI could load the pkcs12 file and write it to the management interface. So there would be real multi-user support in the given scenario. What do you think about this?
leh

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users