
Re: [Openvpn-users] 2.0_rc6: --auth-user-pass don't work without --pull

  • Subject: Re: [Openvpn-users] 2.0_rc6: --auth-user-pass don't work without --pull
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Thu, 30 Dec 2004 06:52:22 +0100 (CET)

On Wed, 29 Dec 2004, James Yonan wrote:

On Wed, 29 Dec 2004, Mathias Sundman wrote:

The following config doesn't work without pull on WinXP and OpenVPN

dev tap                          # layer-2 (Ethernet) virtual interface
proto tcp-client                 # connect over TCP as the initiating side
remote xxxx.xxxx.xx 443          # server host (placeholder) and port
tls-remote VPN_Server            # only accept a server whose certificate name matches
ca ca.crt                        # CA certificate used to verify the server
tls-auth tls-auth.key            # HMAC key protecting the TLS control channel
mssfix 1400                      # clamp TCP MSS so packets fit the tunnel MTU
resolv-retry infinite            # keep retrying DNS resolution of the remote host
verb 3                           # log verbosity

Right now --auth-user-pass requires --pull because the server uses the push/pull channel to return either the push list on success or an AUTH_FAILED message on failure. There are other reasons as well why --auth-user-pass cannot work except in client/server mode.

Fair enough, but shouldn't the error msg then say something like:

Options error: --auth-user-pass requires --pull

instead of

Options error: You must define certificate file (--cert) or PKCS#12 file (--pkcs12)

Basically you'd need to write some code if you wanted to use
--auth-user-pass in point-to-point TLS mode.

I still wanted to use client/server mode, but just not push any options to the client. I thought client/server mode could work independent of whether you want to push options or not.

In --dev tun mode I understand the server needs to push the chosen IP address in order to be able to verify the client is using the correct one, but as there is no such check in --dev tap mode, I don't really see what must be pushed (when not using --auth-user-pass).

It's no problem for me though, because I decided to push the IP address after all, also in this setup.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
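The option dependency discussed above (--auth-user-pass relies on the push/pull channel, so it requires --pull, which --client implies) as a small config dependency checker that reports it the way the thread suggests, instead of complaining about a missing --cert. This is an example added by the editor, not code from the thread or from OpenVPN's own option parser: the directive names are real OpenVPN 2.0 directives, but the rule table, the messages and the sample configs are constructed here, and the sample config adds an assumed tls-client line that the posted config does not show.

```python
"""Hypothetical OpenVPN-style config dependency checker (editor's added
example, not OpenVPN's options.c). Checks the rule from the thread:
--auth-user-pass needs --pull, and --client expands to --tls-client --pull."""
from typing import Dict, List, Tuple

# Helper directives and their expansion (OpenVPN 2.0 manual: --client is
# equivalent to --tls-client --pull).
EXPANSIONS: Dict[str, Tuple[str, ...]] = {
    "client": ("tls-client", "pull"),
}

# Option dependencies modelled here. The first is the one from the thread: the
# server answers an --auth-user-pass login over the push/pull channel (push
# list on success, AUTH_FAILED on failure), so the client must --pull.
REQUIRES: Dict[str, Tuple[str, ...]] = {
    "auth-user-pass": ("pull",),
    "cert": ("key",),
}

# Constructed sample: the config posted in the thread, plus an assumed
# tls-client line and the auth-user-pass line the subject refers to, with
# neither --pull nor --client.
CONFIG_NO_PULL = """\
tls-client
auth-user-pass
dev tap
proto tcp-client
remote xxxx.xxxx.xx 443
tls-remote VPN_Server
ca ca.crt
tls-auth tls-auth.key
mssfix 1400
resolv-retry infinite
verb 3
"""

# Constructed sample: the same setup in client mode; --client implies --pull,
# and nothing needs to be pushed for the check to pass.
CONFIG_CLIENT_MODE = CONFIG_NO_PULL.replace("tls-client\n", "client\n", 1)


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse config text into {directive: [args]}. Blank lines and '#'/';'
    comments are dropped; a repeated directive keeps its last occurrence."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args  # accept "--pull" and "pull" alike
    return opts


def effective_options(opts: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply helper-directive expansions so that --client counts as --pull."""
    eff = dict(opts)
    for helper, expansion in EXPANSIONS.items():
        if helper in opts:
            for directive in expansion:
                eff.setdefault(directive, [])
    return eff


def check_options(text: str) -> List[str]:
    """Return 'Options error: ...' strings; an empty list means the config
    passes. Dependency errors are reported by name, so a missing --pull shows
    up as exactly that rather than as a missing certificate."""
    eff = effective_options(parse_config(text))
    errors: List[str] = []

    for directive, needed in REQUIRES.items():
        if directive in eff:
            for dep in needed:
                if dep not in eff:
                    errors.append(f"Options error: --{directive} requires --{dep}")

    # A TLS client has to identify itself somehow: a certificate (with key),
    # a PKCS#12 bundle, or a username/password prompt.
    if "tls-client" in eff:
        has_cert = "cert" in eff or "pkcs12" in eff
        has_userpass = "auth-user-pass" in eff
        if not has_cert and not has_userpass:
            errors.append("Options error: You must define certificate file "
                          "(--cert) or PKCS#12 file (--pkcs12)")
    return errors


if __name__ == "__main__":
    for label, cfg in (("no pull", CONFIG_NO_PULL), ("client mode", CONFIG_CLIENT_MODE)):
        print(label, "->", check_options(cfg) or "OK")
```

Running the block prints the "no pull" sample as "--auth-user-pass requires --pull" and the client-mode sample as OK; the identity check still fires for a TLS client that has neither a certificate nor a username/password prompt.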