Re: [Openvpn-users] Block vpn clients depending on version?


  • Subject: Re: [Openvpn-users] Block vpn clients depending on version?
  • From: Jon Bendtsen <jon.bendtsen@xxxxxxxxxx>
  • Date: Thu, 2 Mar 2006 14:45:56 +0100

On Thursday 2 March at 14:16, Per-Olov Sjöholm wrote:

On Thursday 02 March 2006 13.16, you wrote:
On Thursday 2 March at 12:55, Per-Olov Sjöholm wrote:

[cuuuuuuuut]

Don't get it... But I will try to find more info about "--disable-occ".

Actually I think that occ disabled the check, so you don't want to do that.


Revoking the cert and giving out a new one together with a new software package is
not an option for 160 users....

Actually it is not that impossible. Especially if you use a smart setup for distributing the certificates and openvpn packages.

Below is a description of my setup. Can I hear yours as well?
You have a lot more users than me, so maybe your setup is
smarter, and you have thought of things I haven't.


I use EJBCA, along with an extension I made myself (and submitted as a patch to EJBCA). This generates an email with a one-time password instructing users to go to a URL and start the download. Once there the certificate is generated and I make a Windows installer package for all my users.

Should anyone intercept the email and download the certificate
it will not work once the user tries to download, and then they can
alert you.

Since EJBCA can have multiple active certificates per user, all
you need to do is trigger the generation of these emails to the
users. Then you wait a week and you revoke the old certificate.
This allows your users one week to upgrade. You could do a
month as well.

You could do something to verify that they use the new certificate
to the VPN tunnel, and then automatically revoke the old.


I do agree that a check at the server would be smarter, but I don't know if there is any.


Below is a copy of the mail that I sent my Windows users:



DOWNLOAD:
-------------------
Please go to the following URL and download the Windows installer package:
https:// /ejbca/publicweb/apply/apply_main_openvpn.jsp
Use the password and username supplied above, press [OK] to log in.


PLEASE NOTE: generating the OpenVPN Windows installer package can take 30-60 seconds. So be patient and just wait.

It does not matter if you choose 1024 or 2048 as keysize, but I am unsure about 4096;
the bigger the number, the safer it is, but it also takes twice as long to generate.


If the password does not work, please contact me IMMEDIATELY at ...@xxxxxxxxxx
(just choose reply to this message).
However, be advised that the password only works once, meaning if something goes
wrong during your attempt to get the certificate I will have to do something about it.
It only works once because this email is not protected at all, and someone could
possibly have read it. So, if the password does not work, it might be because someone
else got there before you, which is why I need to know quickly if something like this
happened. I can then block access from the generated OpenVPN package and
issue you a new one. But I would need to know, so if there is trouble, mail me.



INSTALLING:
-------------------
To install, please double-click the file and follow the options on screen,
which will appear like this, where [...] indicates a button:
[next]


	[i agree]

	Usually the default is acceptable, but if you want to check it should
	be: the 4 top choices should be marked on. The next 2 choices
	should be marked off, and then the rest marked on.

	[next]

	[install]

	After some minutes of working a new window appears. This window
	is a warning that says something about installing
		TAP-win 32 adapter V8
	Please press	[continue anyway]

	[next]

	[finish]


OpenVPN should now be installed and you can connect to some services
inside the Laerdal Sophus network. To control the tunnel there is a small
icon in the system tray, which usually is in the lower right of the screen.
The icon is 2 computers with a red monitor. If connected the monitor is green.
One computer is behind the other computer. To control it, right-click and a little
menu appears. The menu consists of some options, but you only need to
use 3 options:
Connect
Disconnect
Change Password


To begin with, please choose Change Password and use the password that
is supplied above. Once you have changed your password, you can
use the Connect option.







Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
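The rollover described in the message above (issue every user a second certificate, wait a week, revoke the old one, and ideally revoke automatically once the new one has been seen on the tunnel) can be tracked with a small script. This is an added example, not code from the poster or from EJBCA/OpenVPN; it assumes the server records the serial of the client certificate each session authenticated with (OpenVPN hands it to scripts as tls_serial_0), and the rollover table and connection records below are constructed.

```python
"""Certificate rollover tracker (added example; assumptions noted inline)."""
from datetime import date, timedelta

GRACE = timedelta(days=7)  # the one-week upgrade window the post suggests

# Constructed rollover table: user -> (old serial, new serial, date new cert issued)
ROLLOVER = {
    "alice": ("0A", "1A", date(2006, 3, 1)),
    "bob":   ("0B", "1B", date(2006, 3, 1)),
    "carol": ("0C", "1C", date(2006, 2, 20)),
}

# Constructed connection records: (common name, cert serial seen, date).
# Assumption: collected from a client-connect hook via tls_serial_0.
CONNECTIONS = [
    ("alice", "0A", date(2006, 3, 1)),
    ("alice", "1A", date(2006, 3, 2)),   # alice already connects with the new cert
    ("bob",   "0B", date(2006, 3, 2)),   # bob is still on the old cert, inside grace
    ("carol", "0C", date(2006, 2, 28)),  # carol never switched and grace has passed
]


def plan_revocations(rollover, connections, today):
    """Decide what to revoke today.

    Returns (serials to revoke, users still inside grace on the old cert,
    users past grace who never used the new cert and need a reminder).
    An old cert is revoked as soon as the new one has been used on the
    tunnel, or unconditionally once the grace period has expired.
    """
    revoke, pending, overdue = [], [], []
    used_new = {cn for cn, serial, _ in connections
                if cn in rollover and serial == rollover[cn][1]}
    for cn, (old, new, issued) in rollover.items():
        if cn in used_new:
            revoke.append(old)              # new cert works: retire the old one
        elif today - issued > GRACE:
            revoke.append(old)              # deadline passed: revoke anyway
            overdue.append(cn)              # and chase the user
        else:
            pending.append(cn)
    return sorted(revoke), sorted(pending), sorted(overdue)


if __name__ == "__main__":
    print(plan_revocations(ROLLOVER, CONNECTIONS, date(2006, 3, 3)))
```

The serials returned in the first list are the ones to push into the CA's CRL; the third list is who to mail before their old certificate stops working.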
