I've been using OpenVPN 1.0 for a while and am about to switch to 2.0. I'd really like to take advantage of the single server feature (no need to allocate port numbers to users, no need to mangle firewall configurations per-user), but don't want access control to depend upon a CRL. Can this be achieved? I also want a particular one of the clients to appear through its own tun device for separate firewall treatment; is this possible in the single-server context?

My concern about the use of the CRL is that I'd prefer to allow access on a prohibited-unless-permitted basis rather than a permitted-unless-prohibited basis, not only because that is good practice, but because of the risk of someone forgetting to add the CN of a departing user to the CRL (combined with the difficulty of having a subsequent audit pick this up; a difficulty that does not arise if a list of all permitted users is present). As far as I can tell, 2.0's PKI implementation does not allow me to provide an explicit list of authorised CNs; all that it can do is treat all certs signed by the CA as valid, except for those listed in the CRL (in other words, for anyone who has ever been an employee, or at least who has been an employee within the last, say, year, access is permitted-unless-prohibited). More broadly, managing even a minimal CA is an overhead that I could do without.

At first blush the ccd/ sub directory and/or the --auth-user-pass-verify mechanisms appear to offer some hope, but I can't see a straightforward way to achieve what I have in mind. (The --auth-user-pass-verify mechanism doesn't appear to provide information about the cn of the cert used to authenticate, and it's not clear to me how the ccd/ mechanism handles authentication for clients which have no subdirectory.) What I'd really like to do is to store a static key per user, but still share the same UDP port.
The special firewall treatment for one client is tied up with an assumption that the OpenVPN server is not validating the sender IP addresses on inbound datagrams, so filtering by IP address on the firewall would not be adequate (an adversary could, in principle at least, falsify sender IP addresses). If a separate tun device cannot be allocated for a single client, can such filtering be performed on a per-datagram basis in the server, or do I really need to run a separate OpenVPN instance on a separate UDP port?

- Raz

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
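The prohibited-unless-permitted check the post asks for (an explicit list of authorised CNs, rather than relying on a CRL) can be expressed as a verification hook that rejects any client certificate whose CN is not on an allowlist. The script below is an added example and is not part of the original message or of OpenVPN itself. It assumes OpenVPN's --tls-verify option, which invokes a command with two arguments, the certificate depth and the one-line X.509 subject (depth 0 being the client's own certificate), and it assumes a slash-separated subject format such as "/C=GB/O=Example/CN=alice"; the allowlist path /etc/openvpn/allowed_cns is a placeholder.

```shell
#!/bin/sh
# Added example: a --tls-verify hook that allows a client only when the CN of
# its certificate appears in an explicit allowlist (prohibited-unless-permitted).
# Assumed calling convention: script <depth> <x509-subject>; depth 0 is the
# client's own (leaf) certificate, deeper levels are the issuing chain.

# Allowlist file, one CN per line (assumed path; override via the environment).
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed_cns}"

# Pull the CN component out of a one-line subject such as
# "/C=GB/O=Example/CN=alice". Prints nothing if there is no CN.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's|.*/CN=\([^/]*\).*|\1|p'
}

# Return 0 if the CN is listed in the allowlist file, 1 otherwise.
# Whole-line, fixed-string match so that "alice" does not match "alice2"
# and an empty CN never matches anything.
cn_allowed() {
    cn=$1
    list=$2
    [ -n "$cn" ] || return 1
    grep -qxF -- "$cn" "$list"
}

# Decision for a single verify call. Certificates above the leaf (depth > 0)
# are passed through here and left to OpenVPN's own chain validation; the leaf
# must carry a CN that is on the list. Exit status 1 makes OpenVPN reject the
# connection.
verify_client() {
    depth=$1
    subject=$2
    list=$3
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    cn=$(extract_cn "$subject")
    if cn_allowed "$cn" "$list"; then
        return 0
    fi
    # Log the refusal so a later audit can see who was turned away.
    echo "tls-verify: rejected CN '$cn' (not in allowlist)" >&2
    return 1
}

# When invoked by OpenVPN with its two positional arguments, act on them;
# when sourced or run without arguments, only define the functions.
if [ "$#" -eq 2 ]; then
    verify_client "$1" "$2" "$ALLOWLIST"
    exit $?
fi
```

Because the decision is made against a list of who is permitted rather than who has been revoked, a departing user who is removed from (or was never added to) the allowlist is refused even if the CRL is never updated, and an audit only has to read one file to see every CN that can currently connect. The CA is still needed to sign certificates, but its CRL is no longer the sole control.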