
Re: [Openvpn-users] Persistant client tunnels with static IP's


  • Subject: Re: [Openvpn-users] Persistant client tunnels with static IP's
  • From: Mike Tancsa <mike@xxxxxxxxxx>
  • Date: Mon, 17 Oct 2005 22:12:41 -0400

At 08:53 PM 17/10/2005, Roland Pope wrote:
> ----- Original Message ----- From: "Mike Tancsa" <mike@xxxxxxxxxx>
> > Why not bind sshd to all interfaces, and then add a firewall rule to block all inbound access to port 22, except for the IP that you eventually assign to the tun interface? That way you don't have to mess about HUP'ing sshd or getting it to start up post connection etc.
>
> Unfortunately, I have to work within some company security policy constraints that do not allow me to have an SSH daemon listening on an Internet Interface, and as a result, I have to explicitly specify the bind address.
> This is to prevent the possibility that SSH access from the Internet becomes available due to a misconfigured firewall or failure of a firewall rules load while still allowing management ssh access.

Not sure why the possibility of misconfiguring firewall rules (I would put them locally on the box itself) is any better or worse than misconfiguring how sshd starts up or sshd's config file? But that's a different issue.


I guess your option is to start and stop sshd on the client up and down events. I have a client box I am testing that does a BGP clean session on up and down, and things seem to fire just fine from the client side. I have been testing for about half a day now booting off a dialup modem every 6 min, and it seems to be reliable enough. I plan to run a few more days of tests to make sure all works reliably. Don't see why it should not.

        ---Mike




> Roland






____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
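
The approach suggested in the reply above (start and stop sshd from the client's up and down events, with an explicit bind address), written out as an added example that is not part of the original thread or of OpenVPN itself. The sshd path and pid file path are assumptions, and `sshd_config` is assumed to contain no `ListenAddress` lines of its own.

```shell
#!/bin/sh
# Added example: OpenVPN client up/down hook that runs a management sshd
# bound only to the tunnel address. Both paths below are assumptions.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"         # assumed sshd location
SSHD_PID="${SSHD_PID:-/var/run/sshd-tun.pid}"  # hypothetical pid file

# Succeed only for a plain dotted-quad IPv4 address. Empty, wildcard
# (0.x.x.x) and loopback values are rejected, so sshd is never started
# with a missing ListenAddress (which would mean "all interfaces").
valid_tun_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe: only digits and dots reach this point
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -ne 0 ] && [ "$1" -ne 127 ] || return 1
}

# Print the sshd command line for the given tunnel address, or fail.
sshd_cmd() {
    valid_tun_ip "$1" || return 1
    printf '%s -o ListenAddress=%s -o PidFile=%s\n' "$SSHD_BIN" "$1" "$SSHD_PID"
}

tunnel_up() {
    cmd=$(sshd_cmd "$ifconfig_local") || {
        echo "refusing to start sshd: bad tunnel address '$ifconfig_local'" >&2
        return 1
    }
    $cmd
}

tunnel_down() {
    [ -r "$SSHD_PID" ] && kill "$(cat "$SSHD_PID")"
    rm -f "$SSHD_PID"
}

# OpenVPN exports script_type (up/down) and ifconfig_local to the hook.
case "${script_type:-}" in
    up)   tunnel_up ;;
    down) tunnel_down ;;
esac
```

Point both the `up` and `down` directives of the client configuration at this script; OpenVPN 2.1 and later also need `script-security 2` before they will run it. If OpenVPN drops privileges with `user`/`group`, the down hook runs unprivileged and cannot signal a root-owned sshd.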