[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Re: client-connect script return value

  • Subject: Re: [Openvpn-users] Re: client-connect script return value
  • From: Didier Conchaudron <didier@xxxxxxxxxxxxxxx>
  • Date: Wed, 15 Dec 2004 11:19:23 +0100

Charles Duffy wrote:
On Tue, 14 Dec 2004 15:14:00 -0700, James Yonan wrote:

The client-connect script is a post-authentication step.

If you want to do authentication, use tls-verify or auth-user-pass-verify.

The learn-address script is the best place to deal with rules which are tied to particular client's usage of particular IP addresses or MAC addresses.

Granted. However, in a situation where a client is correctly authenticated
but an error is encountered in setting firewall rules appropriate to that
client, it'd be nice to have the VPN fail closed rather than leaving the
VPN/firewall combo in an uncertain state.

I'm agree. Even if the firewall don't set up rules and don't give access to the client, the user is still thinking the tunnel is up and running.

He don't have to know why his access is not granted, but the openvpn server admin have to!

I like the way --learn-address works but it may be better to make him aware of the returned value ;-)



Openvpn-users mailing list