[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Multiple users on a single port - It works :)

  • Subject: Re: [Openvpn-users] Multiple users on a single port - It works :)
  • From: Stefan `Sec` Zehl <sec+ovpn@xxxxxx>
  • Date: Mon, 26 Jan 2004 18:58:09 +0100
  • Accept-languages: de, en

On Mon, Jan 26, 2004 at 17:12 -0000, James Yonan wrote:
> Stefan `Sec` Zehl <sec+ovpn@xxxxxx> said:
> > OpenVPN-client connects server on Well Known port (e.g. 5000).
> > A 'broker'-type daemon listens on 5000 and forks off a new OpenVPN server
> > , whichlistens on a new (unused,random-numbered) udp socket (e.g.
> > 42192) and replies to client to use that port instead.
> > 
> > All further communication with this single client goes via that port
> > now, and the broker daemon can still listen on port 5000.
> The problem with this is that the port change semantics will surprise the
> firewall, and therefore require static rules to allow the range of UDP ports
> on the server side to be used as dynamic ports.

Are you sure?

Maybe I was unclear in the description. Of course the broker daemon
needs to send the answer-packet containing the new port number.

Then, from the perspective of the firewall, it looks like two different,
normal UDP connections, which are initiated by the OpenVPN client.
(granted: the first one is a bit short :-)

Some care must be taken with the implementation so that the server isn't
easily DoSable, but other than that, I don't see a problem.

For the other problem, the one involving fumbling fingers driven by fading
grey cells, I recommend deep hypnosis and a cold shower.         -- Wietse

The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
Openvpn-users mailing list