First of all, thank you all for this great software. Openvpn amazed me from the beginning and still does, as I keep discovering its capabilities.
And now a couple of questions. This is my current setup:
Openvpn (2.0b15) in "server mode" (multiclient). Authentication is done
(obviously) with x.509 certificates and configuration
is pushed to the clients with static routes and so on. All is working
fine. Now, I'd like to implement a sort of "dynamic firewall",
which applies iptables rules on a "per certificate" basis. I am
implementing this using the useful "--learn-address" switch with openvpn.
The idea is to get the cn of the certificate, and get the rules to be
applied from configuration files, or database, or ldap, or whatever, as soon as the tunnel is opened and ip/routes/subnets appear.
Now, a couple of questions arise:
1 - when does the "delete" event raised from openvpn with
--learn-address occur? I tried launching the openvpn server with a
simple command that echoes the parameters passed by learn-address,
but received mostly "add" and "update". Just once I received the "delete" event, and can't really reproduce the behaviour.
I supposed that closing the connection from either peer would produce a "delete" event but it doesn't.
I also supposed that some sort of timeout comes in after a while (after the connection is closed from the client), but no "delete" even after
So, if I get from learn addr, for example:
add 10.8.0.6 mycert.mydomain.com ---> ok, read mycert.mydomain.com rules and apply 'em to 10.8.0.6
update 10.8.0.6 mycert.mydomain.com ---> ok, read mycert.mydomain.com rules and apply 'em to 10.8.0.6
delete 10.8.0.6
how could I flush/delete the rules/chains read from "mycert.mydomain.com" configuration, since I lose the "ip - common name" binding?
An idea could be to create chain names as, for example, 10_8_0_6 in this case, and drop the chain according to the ip. Anyway, the whole idea behind the cn usage should be to manage firewall rules at a higher level (rules based on the user/certificate, not on its dynamic ip).
Any suggestion would be greatly appreciated. Keep up the incredible work :-)
Openvpn-users mailing list: https://lists.sourceforge.net/lists/listinfo/openvpn-users
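An added example, not code from the original post or from the OpenVPN project, of one way around the missing common name on "delete": the --learn-address hook records the address-to-CN binding itself on "add"/"update" and reads it back on "delete" to flush the per-CN chain. The state directory, the IPTABLES variable (so the script can be exercised with a stand-in command) and the "vpn_<cn>" chain naming are this example's own assumptions.

```shell
#!/bin/sh
# learn-address hook: openvpn calls it as "<op> <address> [<common_name>]".
# The common name is absent on "delete", so the binding is kept on disk.
STATE_DIR="${STATE_DIR:-/var/lib/openvpn/learn-address}"   # assumed path
IPTABLES="${IPTABLES:-iptables}"                            # assumed override hook

chain_for_cn() {
    # Turn a CN into a chain name iptables accepts: only [A-Za-z0-9_], max 28 chars.
    safe=$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')
    printf 'vpn_%.24s' "$safe"
}

record_binding() {      # address cn
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$2" > "$STATE_DIR/$1"
}

lookup_binding() {      # address -> cn on stdout; non-zero if no binding is known
    cat "$STATE_DIR/$1" 2>/dev/null
}

apply_rules() {         # address cn: (re)create the CN chain and jump to it for this address
    chain=$(chain_for_cn "$2")
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
    $IPTABLES -D FORWARD -s "$1" -j "$chain" 2>/dev/null || true   # no duplicate jump on "update"
    $IPTABLES -A FORWARD -s "$1" -j "$chain"
    # Per-CN rules from config/db/ldap would be appended to "$chain" here.
}

remove_rules() {        # address: find the CN we saved, then drop jump, chain and binding
    cn=$(lookup_binding "$1") || return 1
    chain=$(chain_for_cn "$cn")
    $IPTABLES -D FORWARD -s "$1" -j "$chain"
    $IPTABLES -F "$chain"
    $IPTABLES -X "$chain"
    rm -f "$STATE_DIR/$1"
}

learn_address() {       # operation address [cn]
    case "$1" in
        add|update) record_binding "$2" "$3" && apply_rules "$2" "$3" ;;
        delete)     remove_rules "$2" ;;
        *)          return 1 ;;
    esac
}

# Act as the hook only when openvpn runs this file directly (not when it is sourced).
if [ "${0##*/}" = "learn-address.sh" ]; then learn_address "$@"; fi
```

A non-zero exit from the hook makes openvpn reject the address on "add"/"update", so keep the rule loading strict only where that is the intended policy.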