I was wondering why the directive auth-user-pass-verify is executed while the peer connection is still untrusted (as it is written in the man page)?
In my opinion, it would be better to run this directive like client-connect, because that one is executed when the peer is trusted.
Here's my real problem: my clients use TLS and I want those users to authenticate against my LDAP, and afterwards to apply some iptables rules corresponding to their profile. So I use the auth-user-pass-verify directive as a way to authenticate on my network, rather than as another method to provide secure access to the VPN server.
Another way would be to add a tls-verify. My understanding is that tls-verify is executed before auth-user-pass-verify sends the user/pass over the network. So using tls-verify could provide a trusted connection, and then we can securely send the user/pass through the tunnel being initiated.
Later I can apply iptables on the client connection with a client-connect script.
Finally, in the right order:
net untrusted:
1) tls-verify -> net now trusted
2) auth-user-pass-verify -> user authenticated
3) client-connect -> iptables applied, tunnel running
What do you think of that?
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
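As an added illustration of the auth-user-pass-verify hook discussed in the post (this is example code written here, not a script from the poster or from the OpenVPN project), the following POSIX shell script implements the "via-file" calling convention: OpenVPN passes the script one argument, a temporary file whose first line is the username and second line the password, and accepts the client only if the script exits 0. The inline user table is a constructed stand-in for the LDAP lookup the poster describes; the function names (lookup_password, verify_file) are this example's own. The script rejects an unreadable or empty credentials file, an unknown user, and a wrong password, so an LDAP outage or a malformed file fails closed rather than open.

```shell
#!/bin/sh
# Added example: a minimal OpenVPN auth-user-pass-verify script using
# the "via-file" method, e.g. in server.conf:
#   auth-user-pass-verify /etc/openvpn/auth.sh via-file
#   script-security 2
# OpenVPN runs this script with a single argument: a temp file holding
# the username on line 1 and the password on line 2. Exit status 0
# accepts the client; any non-zero status rejects it.
#
# The credential table below is CONSTRUCTED for this example only; a
# real deployment would replace lookup_password with an LDAP bind.

# Constructed user table, one "username:password" entry per line.
USERS_DB="alice:wonderland
bob:builder"

# lookup_password USER
#   Prints the expected password for USER and returns 0, or prints
#   nothing and returns 1 when USER is not in the table.
lookup_password() {
    printf '%s\n' "$USERS_DB" |
        awk -F: -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# verify_file FILE
#   Reads the via-file credentials and returns 0 only when the user
#   exists and the password matches. Every failure path returns 1 so
#   that OpenVPN rejects the client (fail closed).
verify_file() {
    f="$1"
    [ -n "$f" ] && [ -r "$f" ] || return 1   # missing or unreadable file
    user=$(sed -n '1p' "$f")
    pass=$(sed -n '2p' "$f")
    [ -n "$user" ] || return 1               # empty file / no username
    expected=$(lookup_password "$user") || return 1   # unknown user
    [ "$pass" = "$expected" ]                # wrong password -> 1
}

# Entry point when invoked by OpenVPN: the only argument is the
# credentials file. When sourced or run without arguments (as in a
# test harness) nothing is executed here.
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    verify_file "$1"
    exit $?
fi
```

Because the hook runs before the peer is fully trusted in OpenVPN's state machine, the script should never trust anything in the file beyond using it as a credential to check; in particular it should not construct shell commands from the username. Firewall rules tied to the user's profile belong in the client-connect script that runs afterwards, where the username is exported to the environment.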