Re: [Openvpn-users] Block vpn clients depending on version?


  • Subject: Re: [Openvpn-users] Block vpn clients depending on version?
  • From: Per-Olov Sjöholm <pos@xxxxxxxxxx>
  • Date: Thu, 2 Mar 2006 15:08:58 +0100

On Thursday 02 March 2006 14.45, Jon Bendtsen wrote:
> Den torsdag 2.mar kl. 14:16 skrev Per-Olov Sjöholm:
> > On Thursday 02 March 2006 13.16, you wrote:
> >> Den torsdag 2.mar kl. 12:55 skrev Per-Olov Sjöholm:
>
> [cuuuuuuuut]
>
> > Don't get it... But I will try to find more info about
> > "--disable-occ".
>
> Actually I think that occ disabled the check, so you don't want to
> do that.
>
> > Revoking the cert and giving out a new one together with a new software
> > package is not an option for 160 users....
>
> Actually it is not that impossible. Especially if you use a smart
> setup for distributing the certificates and openvpn packages.
>
> Below is a description of my setup. Can I hear yours as well?
> You have a lot more users than me, so maybe your setup is
> smarter, and you have thought of things I haven't.
>
>
> I use EJBCA, along with an extension I made myself (and submitted
> as a patch to EJBCA). This generates an email with a one-time
> password instructing users to go to a URL and start the download. Once
> there the certificate is generated and I make a Windows installer
> package for all my users.
>
> Should anyone intercept the email and download the certificate,
> it will not work once the user tries to download, and then they can
> alert you.
>
> Since EJBCA can have multiple active certificates per user, all
> you need to do is trigger the generation of these emails to the
> users. Then you wait a week and you revoke the old certificate.
> This allows your users one week to upgrade. You could do a
> month as well.
>
> You could do something to verify that they use the new certificate
> for the VPN tunnel, and then automatically revoke the old one.
>
>
> I do agree that a check at the server would be smarter, but I
> don't know if there is any.
>
>
> Below is a copy of the mail that I sent my Windows users:
>
>
>
> DOWNLOAD:
> -------------------
> Please go to the following URL and download the Windows installer
> package:
>      https://                                 /ejbca/publicweb/apply/
> apply_main_openvpn.jsp
> Use the password and username supplied above, press [OK] to log in.
>
> PLEASE NOTE:    generating the OpenVPN windows installer package can
> take 30-60 seconds. So be patient and just wait.
>
> It does not matter if you choose 1024 or 2048 as key size, but I am
> unsure about 4096; the bigger the number, the safer it is, but it also
> takes twice as long to generate.
>
> If the password does not work, please contact me IMMEDIATELY
> at   ...@xxxxxxxxxx
>          (just choose reply to this message)
> However, be advised that the password only works once, meaning if
> something goes wrong during your attempt to get the certificate I will
> have to do something about it.
> It only works once because this email is not protected at all, and
> someone could possibly have read it. So, if the password does not work,
> it might be because someone else got there before you, which is why I
> need to know quickly if something like this happened. I can then block
> access from the generated OpenVPN package and issue you a new one. But
> I would need to know, so if there is trouble, mail me.
>
>
> INSTALLING:
> -------------------
> To install, please double-click the file and follow the options on
> screen, which will appear like this, where [...] indicates a button:
> 	[next]
>
> 	[i agree]
>
> 	Usually the default is acceptable, but if you want to check it should
> 	be: the 4 top choices should be marked on. The next 2 choices
> 	should be marked off, and then the rest marked on.
>
> 	[next]
>
> 	[install]
>
> 	After some minutes of working a new window appears. This window
> 	is a warning that says something about installing
> 		TAP-Win32 Adapter V8
> 	Please press 	[continue anyway]
>
> 	[next]
>
> 	[finish]
>
>
> OpenVPN should now be installed and you can connect to some services
> inside the Laerdal Sophus network. To control the tunnel there is a
> small icon in the system tray, which usually is in the lower right of
> the screen.
> The icon is 2 computers with a red monitor. If connected, the monitor
> is green. One computer is behind the other computer. To control it,
> right-click and a little menu appears. The menu consists of some
> options, but you only need to use 3 of them:
> 	Connect
> 	Disconnect
> 	Change Password
>
> To begin with, please choose Change Password and use the password that
> is supplied above. Once you have changed your password, you can
> use the Connect option.


It seems you have done much more than me in this area. The Windows clients 
just receive a link to Mattias Sundman's openvpn-2.0.5-gui-1.0.3-install.exe. 
Then we send them the needed files like...
CA_cert.pem
VPN-proxy.conf
VPN-proxy.ovpn
VPN-std.conf
VPN-std.ovpn
ta.key
CuserNN.pem
KuserNN.pem

Then they have to make a phone call for the initial password they later have 
to change.

The certs above are created with... (note: -days only affects "openssl req" 
when -x509 is given, so the validity period belongs on the "openssl ca" step)
openssl req -new -keyout keys/KuserNN.pem -out req/RuserNN.pem
openssl ca -days 9125 -out certs/CuserNN.pem -infiles req/RuserNN.pem
openssl verify -CAfile CA_cert.pem certs/CuserNN.pem


So building up an environment like yours will cost me a lot of time that I 
don't have at the moment.


I really hope it's possible to do it in an easier way, like a config option in 
the OpenVPN server...

Thanks
Per-Olov Sjöholm
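As an added example that is not part of the thread: the openssl steps above (key, CSR, signed CuserNN.pem, verify) wrapped in functions, followed by the revoke-and-CRL step Jon suggests, so the effect of revoking a user's old cert can be checked with a CRL-aware verify. The minimal CA config, the "Example VPN CA" name and the temporary directory are constructed for this example; only openssl is assumed to be installed.

```shell
# Added example (not from the thread): a throwaway CA that issues CuserNN.pem the
# way the openssl commands above do, then revokes it and publishes a CRL.
set -e
cd "$(mktemp -d)"
mkdir keys req certs newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'   # constructed minimal CA config for "openssl ca"
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/CA_cert.pem
private_key = $dir/CA_key.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
# Self-signed CA plus an empty CRL so later -crl_check has a file to read.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout CA_key.pem -out CA_cert.pem \
    -days 3650 -subj "/CN=Example VPN CA" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# Key + CSR for userNN, signed and verified: the three commands from the mail.
issue_user() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "keys/Kuser$1.pem" \
    -out "req/Ruser$1.pem" -subj "/CN=user$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -out "certs/Cuser$1.pem" -infiles "req/Ruser$1.pem" 2>/dev/null
  openssl verify -CAfile CA_cert.pem "certs/Cuser$1.pem" >/dev/null
}
# Revoke userNN and regenerate the CRL an OpenVPN server would load with crl-verify.
revoke_user() {
  openssl ca -batch -config ca.cnf -revoke "certs/Cuser$1.pem" 2>/dev/null
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# Exit 0 while userNN's cert passes CRL-checked verification, non-zero once revoked.
user_accepted() {
  openssl verify -crl_check -CAfile CA_cert.pem -CRLfile crl.pem "certs/Cuser$1.pem" >/dev/null 2>&1
}
make_ca; issue_user 01
user_accepted 01 && echo "user01 accepted"; revoke_user 01
user_accepted 01 || echo "user01 revoked"
```

Pointing the server at crl.pem with crl-verify is what turns the revocation into a rejected connection; the plain "openssl verify -CAfile" from the mail never consults the CRL.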


Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users