[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

[Openvpn-users] Re: Transparency with openvpn


  • Subject: [Openvpn-users] Re: Transparency with openvpn
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Fri, 21 Oct 2005 06:08:44 -0500

Steve Crook wrote:
I have a scenario where Alice is located on an untrusted network, she
connects to a server in a Data Centre which is located behind a DMZ.
For contractual reasons, the server keeps audit logs and must see
Alice's real incoming IP address.

I want to encrypt Alice's traffic from the point it leaves her
workstation to a point within the Data Centre DMZ, *without* losing
auditability of Alice's connection.  Is this possible?

If I understand your problem correctly, I certainly think so.

Whichever system is running the OpenVPN daemon inside the data centre knows both Alice's real IP and her address used inside the tunnel. The easiest approach, if it works for 'yall, would be simply to log those pairs for later correlation, or perhaps expose them to other systems within the trusted network for real-time correlation.

I use DNS to expose this information. When the user foo connects, "foo.vpn.mycompany.com" is set to their VPN address and "foo.external.mycompany.com" is set to their real address; reverse mapping entries are also made for the VPN address. Thus, anyone who wants to know the external address someone is coming to over the VPN merely reverses them to foo.vpn.mycompany.com and does a forward lookup on foo.external.mycompany.com... and there they are.

Does this adequately address your problem?


____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users