
Re: [Openvpn-users] Re: client-connect script return value

  • Subject: Re: [Openvpn-users] Re: client-connect script return value
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 15 Dec 2004 04:34:59 -0700 (MST)

On Wed, 15 Dec 2004, Didier Conchaudron wrote:

> Charles Duffy wrote:
> > On Tue, 14 Dec 2004 15:14:00 -0700, James Yonan wrote:
> > 
> > 
> >>The client-connect script is a post-authentication step.
> >>
> >>If you want to do authentication, use tls-verify or auth-user-pass-verify.
> >>
> >>The learn-address script is the best place to deal with rules which are 
> >>tied to particular client's usage of particular IP addresses or MAC 
> >>addresses.
> > 
> > 
> > Granted. However, in a situation where a client is correctly authenticated
> > but an error is encountered in setting firewall rules appropriate to that
> > client, it'd be nice to have the VPN fail closed rather than leaving the
> > VPN/firewall combo in an uncertain state.
> I agree. Even if the firewall doesn't set up rules and doesn't give access 
> to the client, the user is still thinking the tunnel is up and running.
> He doesn't have to know why his access is not granted, but the openvpn 
> server admin has to!
> I like the way --learn-address works but it may be better to make him 
> aware of the returned value ;-)

I am going to fix this for rc5.

The client-connect script/plugin will be able to veto client
authentication by returning a failure code and the learn-address
script/plugin will be able to prevent a client-instance/address
association from being learned by returning a failure code.


Openvpn-users mailing list
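The following is an added illustration of the fail-closed behaviour discussed in this thread; it is not code from the list post or from the OpenVPN project. It is a hypothetical --learn-address hook written under the rc5 semantics James describes: OpenVPN runs it as `script <operation> <address> [<common_name>]`, and a non-zero exit refuses the client-instance/address association instead of leaving the firewall in an uncertain state. The firewall command is taken from the `FW` variable (assumed default `iptables`), so it can be pointed at a dry-run stub when exercising the script offline; the rule layout (one ACCEPT in FORWARD per learned address) is an assumption for the example, not a recommendation from the thread.

```shell
#!/bin/sh
# Hypothetical OpenVPN --learn-address hook (added example, not from the thread).
# Invoked by OpenVPN as: learn-address.sh <add|update|delete> <address> [<common_name>]
# Exit 0 to accept the association, non-zero to veto it (fail closed).

FW="${FW:-iptables}"   # assumed firewall command; override with a stub for dry runs

# Accept only a plain dotted-quad IPv4 address: four octets, each 0..255.
# Anything else (ranges, shell metacharacters, IPv6) is refused.
is_ipv4() {
    ip="$1"
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The common name comes from the client certificate; restrict it to a
# conservative character set before it is ever passed to another command.
is_safe_cn() {
    case "$1" in ''|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
    return 0
}

# Core handler: returns the exit status OpenVPN will use as the veto decision.
learn_address() {
    op="$1"; addr="$2"; cn="$3"

    is_ipv4 "$addr" || { echo "learn-address: refusing malformed address '$addr'" >&2; return 1; }

    case "$op" in
        add|update)
            is_safe_cn "$cn" || { echo "learn-address: refusing unsafe common name" >&2; return 1; }
            # Drop any stale rule for this address (best effort), then install a fresh one.
            "$FW" -D FORWARD -s "$addr" -j ACCEPT 2>/dev/null || true
            # Fail closed: if the rule cannot be installed, veto the association so
            # the client is not left believing the tunnel is usable.
            "$FW" -I FORWARD -s "$addr" -j ACCEPT || {
                echo "learn-address: firewall rule for $addr ($cn) failed, vetoing" >&2
                return 1
            }
            ;;
        delete)
            # No common name is passed for delete; remove the rule for the address.
            "$FW" -D FORWARD -s "$addr" -j ACCEPT 2>/dev/null || true
            ;;
        *)
            echo "learn-address: unknown operation '$op'" >&2
            return 1
            ;;
    esac
    return 0
}

# When run by OpenVPN, dispatch on the arguments and propagate the verdict.
if [ "$#" -gt 0 ]; then
    learn_address "$@"
    exit $?
fi
```

With the veto wired through the exit status, a client that authenticates correctly but whose firewall rule cannot be installed is refused at the address-learning step, which is the fail-closed outcome Charles and Didier asked for, and the reason lands in the server log rather than with the user.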