[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Re: [Openvpn-devel] OpenVPN 2.0 -- Project Update and Release Notes

  • Subject: Re: [Openvpn-users] Re: [Openvpn-devel] OpenVPN 2.0 -- Project Update and Release Notes
  • From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
  • Date: 31 Mar 2004 10:25:39 -0800

On Wed, 2004-03-31 at 01:03, James Yonan wrote:

> > > * Right now clients are allocated a single, dynamic IP address.  It would be
> > > nice if a connecting client could specify a full subnet to be tunneled.

> (2) In general you want to run the VPN server with reduced privilege, to limit
> damage in the case that the server is somehow compromised.  But adding and
> removing routes requires privilege, unless all routes for every possible
> client are configured on server startup, before the privilege downgrade.

Privilege separation? Run multiple processes with different privileges
(actually, minimum privileges each), each one performing a simple and
specific task, and have them communicate somehow.
Like Postfix, or Qmail, or recent OpenSSH versions.

Yeah, it adds complexity, bu then, perhaps it removes some other
complexity. ;-)

Florin Andrei


Openvpn-users mailing list