[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

[Openvpn-users] management interface questions


  • Subject: [Openvpn-users] management interface questions
  • From: Daniel Lehmann <ov_users@xxxxxx>
  • Date: Fri, 21 Jan 2005 03:16:13 +0100

Hi,

I have two questions concerning the management interface. In first, I
think this is a great feature of openvpn.

But I think that openvpn react strange, if you use management-hold. If
you are using a tls secured connection and you are doing a hold release
dependig if your key is secured by a passphrase you might be asked for
it. If you enter the wrong key openvpn terminates. 

I think this should be changed. You can't improve security by this, as
anybody could use the openssl command to brute-force the passphrase.
In second, a user without admin privileges can't restart openvpn and
have to ask his admin or reboot the maschine.
Maybe openvpn should return to the " Need hold release from management
interface, waiting..." status or ask for the passphrase again.


Furthermore I have a feature request. Imagine the situation, where there
is a computer used by different (non-admin) persons and openvpn provides
them a secure connection via certificates and keys. With the new GUIs,
they all can use openvpn.
In this scenario not the persons are authenticated against openvpn but
the computer - as there is only one certificate/key used by all of them.
Starting an individual connection for each user isn't that easy, as you
maybe don't know which of the legitimate users might use this computer.
In addition, each openvpn instance had to open it's own management
interface at a different port. The GUI had to know which user needs
which managment interface at which port.

Maybe it is possible to enhance the management interface, that the
pkcs12 file can be read from the management interface and not from disk.
There could be a special option for this (management-readpkcs12) and if
the binary data is a problem it could be base64 encoded or something
like this.
So the GUI could load the pkcs12 file and write it to the management
interface. So there would be real multi-user support in the given
scenario.

How do you think about this?
leh




____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users