
[Openvpn-users] auth-user-pass-verify security problem?

  • Subject: [Openvpn-users] auth-user-pass-verify security problem?
  • From: Didier Conchaudron <didier@xxxxxxxxxxxxxxx>
  • Date: Mon, 13 Dec 2004 16:15:00 +0100

Hi all,

I was wondering why the directive auth-user-pass-verify is executed when the peer connection is still untrusted? (like it's written in the man page)

In my opinion, it would be better to put this directive as client-connect, because this one is executed when the peer is trusted.

Here's my real problem: My clients use TLS and I want those users to authenticate on my LDAP, and afterwards to put some iptables rules corresponding to their profile. So I use the auth-user-pass-verify directive as a way to authenticate on my network, more than as another method to provide secure access on the VPN server.

Another way would be to add a tls-verify. That way, my understanding of the thing is that tls-verify is executed before auth-user-pass-verify sends the user/pass through the network. So using tls-verify could provide a trusted connection and so we can securely give user/pass through the initiating tunnel.

Later I can put iptables on the client connection with client-connect script.

Finally, in the right order:

net untrusted:
	1)  tls-verify
net now trusted:
	2) auth-user-pass-verify
User authenticated
	3) client-connect
iptables applied
tunnel running.

What do you think of that?
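As an added example (not part of the original message or of OpenVPN itself): a POSIX sh auth-user-pass-verify script for OpenVPN's "via-file" mode, where OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and passes its path as the first argument. The directory bind is behind a hypothetical BIND_CMD hook (assumption) so the username checks a defender would want before building an LDAP DN or filter can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post. Usage in server config
# (assumed layout):  auth-user-pass-verify /etc/openvpn/verify.sh via-file
# OpenVPN passes the credentials file as $1; exit 0 accepts the client,
# non-zero rejects it.

# Accept only usernames that are safe to embed in an LDAP DN or filter
# and in a shell argument: letters, digits, dot, underscore, hyphen,
# 1 to 64 characters. Anything else is rejected before any lookup.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# verify_via_file FILE BIND_CMD
#   Reads the via-file credentials from FILE and calls BIND_CMD USER PASS.
#   Returns 0 on success, 1 on unreadable file, bad input or failed bind.
verify_via_file() {
    file=$1
    bind_cmd=$2
    [ -r "$file" ] || return 1
    user=$(sed -n '1p' "$file")
    pass=$(sed -n '2p' "$file")
    valid_username "$user" || return 1
    [ -n "$pass" ] || return 1
    "$bind_cmd" "$user" "$pass"
}

# Placeholder bind for the offline demo (constructed credentials). In
# production replace this with a simple bind against the directory,
# e.g. via ldapwhoami, never by interpolating the username into a filter.
demo_bind() {
    [ "$1" = "alice" ] && [ "$2" = "s3cret" ]
}

# Entry point when invoked by OpenVPN with a credentials file.
if [ -n "${1:-}" ]; then
    verify_via_file "$1" demo_bind
    exit $?
fi
```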


Openvpn-users mailing list