Re: [Openvpn-users] 2.0_rc6: --auth-user-pass don't work without --pull


  • Subject: Re: [Openvpn-users] 2.0_rc6: --auth-user-pass don't work without --pull
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 30 Dec 2004 11:56:15 -0700 (MST)

On Thu, 30 Dec 2004, Mathias Sundman wrote:

> On Wed, 29 Dec 2004, James Yonan wrote:
> 
> > On Wed, 29 Dec 2004, Mathias Sundman wrote:
> >
> >> The following config doesn't work without pull on WinXP and OpenVPN
> >> 2.0_rc6:
> >>
> >> dev tap
> >> proto tcp-client
> >> remote xxxx.xxxx.xx 443
> >> tls-client
> >> tls-remote VPN_Server
> >> ca ca.crt
> >> auth-user-pass
> >> tls-auth tls-auth.key
> >> ifconfig 172.20.101.100 255.255.255.0
> >> #pull
> >> nobind
> >> mssfix 1400
> >> resolv-retry infinite
> >> verb 3
> >
> > Right now --auth-user-pass requires --pull because the server uses the
> > push/pull channel to return either the push list on success or an
> > AUTH_FAILED message on failure.  There are other reasons as well why
> > --auth-user-pass cannot work except in client/server mode.
> 
> Fair enough, but shouldn't the error msg then say something like:
>
> Options error: --auth-user-pass requires --pull
> 
> instead of
> 
> Options error: You must define certificate file (--cert) or PKCS#12 file 
> (--pkcs12)

I agree -- I'll change that.
 
> > Basically you'd need to write some code if you wanted to use
> > --auth-user-pass in point-to-point TLS mode.
> 
> I still wanted to use client/server mode, but just not push any options to 
> the client. I thought client/server mode could work independent of whether 
> you want to push options or not.

Yes, that should work.  Of course the client config file would then need 
to be complete, i.e. it would need an --ifconfig directive or get its IP 
address from a DHCP server over the tunnel.

One thing to keep in mind is that the client pull is controlled by the
client.  The server basically puts together a push/pull string to be given
to the client if it asks for it.  If the client doesn't use --pull,
then it won't ask the server for the push/pull string. 

> In --dev tun mode I understand the server needs to push the chosen IP 
> address in order to be able to verify the client is using the correct one, 
> but as there is no such check in --dev tap mode, I don't really see what 
> must be pushed (when not using --auth-user-pass).

Yes, that's true -- I just tested it and it works.  I used a --dev tap 
client/server configuration where the client doesn't have a --pull 
directive in its config file, and instead has an explicit --ifconfig.  
Since it's --dev tap, the client can pick any IP address it wants in the 
subnet and just use it.

James
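As an added example (not code from this thread or from OpenVPN itself), the following Python check encodes the rules James describes: it parses a client config the way OpenVPN treats comment lines, so the commented-out `#pull` in Mathias's config counts as absent, and it reports the clearer "--auth-user-pass requires --pull" message agreed on above. The rule set, the warning wording, and the assumption that `--client` implies `--pull` are choices made for illustration.

```python
"""Consistency check for --auth-user-pass / --pull in an OpenVPN client config."""

# Constructed sample: the client config posted in the thread, placeholder host kept.
SAMPLE_CONFIG = """\
dev tap
proto tcp-client
remote xxxx.xxxx.xx 443
tls-client
tls-remote VPN_Server
ca ca.crt
auth-user-pass
tls-auth tls-auth.key
ifconfig 172.20.101.100 255.255.255.0
#pull
nobind
mssfix 1400
resolv-retry infinite
verb 3
"""


def parse_options(text):
    """Return {option: [args]} for each active directive.

    Lines beginning with '#' or ';' are comments, so '#pull' does NOT
    enable --pull; that is exactly the situation in the thread.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args
    return opts


def check_config(text):
    """Return a list of messages; an empty list means the config is consistent."""
    opts = parse_options(text)
    # Assumption: --client is shorthand for --tls-client plus --pull.
    pull = "pull" in opts or "client" in opts
    messages = []
    # The server answers --auth-user-pass over the push/pull channel
    # (push list on success, AUTH_FAILED on failure), so --pull is required.
    if "auth-user-pass" in opts and not pull:
        messages.append("Options error: --auth-user-pass requires --pull")
    # Without --pull the client never asks for an address, so it needs its own
    # --ifconfig (or DHCP over the tunnel, which this check cannot see).
    if not pull and "ifconfig" not in opts:
        messages.append("Options warning: no --pull and no --ifconfig; "
                        "the client must obtain its address some other way")
    return messages
```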


_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users