
Re: [Openvpn-users] 2.0 Feature Freeze Discussion

  • Subject: Re: [Openvpn-users] 2.0 Feature Freeze Discussion
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Fri, 3 Dec 2004 12:55:02 -0700 (MST)

On Fri, 3 Dec 2004, Leonard Isham wrote:

> > > 1) At the moment user/pass is in addition to TLS certificate.  Could the
> > > server perhaps optionally accept either the one or the other?
> > >
> > > 2) The ability for the server to listen on several ports and protocols.
> > >
> > 
> >     I would love to see this too. While playing with 2.0 betas I found that
> > many ISPs have really strange ip filters - we have one that blocks almost
> > any UDP, another that blocks tons of TCP ports but leaves UDP, some allow
> > only proxy access (they really sux) and so on and so on... Having to run
> > two servers (one for UDP and one for TCP) in separate ip pools makes
> > management harder. Delaying this for 2.1 for me is OK too...
> > 
> For option 1 this breaks security best practices and IMHO should not
> be implemented.  I already used the soapbox for this in another post
> so see that for my full argument.
> Option 2 would be nice but I think that would need to wait for 2.1.

I'm not very keen on (1) from a security perspective.  Much of the 
security of using certificates falls away if a certificate is not 

While I would say that a central goal of OpenVPN is to provide a
high-level of both security and flexibility without forcing policy, I tend
to lean against features which confuse by providing a false sense of
security.  And I think either/or authentication policies sort of fall into
that category because any attacker is simply going to choose the weakest
of the either/or choices and attack that.

It also seems that both of these requests can be satisfied fairly
easily by running multiple daemons.  True, it's more work from a
management perspective, but it also helps to control OpenVPN's internal
complexity by not trying to do too many things at once and letting the OS
do what it does best, i.e. multitask different instances of the same

The more that OpenVPN allows multiple configurations to be implemented
inside the same daemon, the more the code starts to complexify into 
something that looks more like a user-space operating system and network 
stack than a simple, event-driven daemon.
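As an added illustration, not taken from the thread or from the OpenVPN project's own documentation: the "run multiple daemons" approach above, expressed as two minimal 2.0-style server configurations, one listening on UDP and one on TCP, each with its own address pool and each still requiring a client certificate plus a username/password (the default when auth-user-pass-verify is set, which is the "in addition to" behaviour the thread is discussing). File paths, subnets and the verification script name are assumptions.

```conf
# --- /etc/openvpn/server-udp.conf (assumed path) ---
# UDP daemon for clients whose ISP does not filter UDP.
port 1194
proto udp
dev tun0
# Separate address pool so the two daemons never hand out the same IP.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp-udp.txt
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem
# HMAC on the control channel: unauthenticated packets are dropped early.
tls-auth /etc/openvpn/ta.key 0
# Clients must present a valid certificate AND pass this check;
# check-pass.sh is a hypothetical site-local script reading the
# username/password from environment variables (via-env).
auth-user-pass-verify /etc/openvpn/check-pass.sh via-env
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun

# --- /etc/openvpn/server-tcp.conf (assumed path) ---
# TCP daemon for clients stuck behind UDP-blocking filters.
port 443
proto tcp-server
dev tun1
# Different pool from the UDP daemon; routes stay distinct per tunnel.
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp-tcp.txt
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem
tls-auth /etc/openvpn/ta.key 0
# Same two-factor requirement as the UDP instance; the second
# listener must not become the weaker of two paths into the VPN.
auth-user-pass-verify /etc/openvpn/check-pass.sh via-env
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
```

Each file is started as its own openvpn process, so the OS multiplexes the two listeners and the daemon code itself stays single-protocol, as the message argues.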
