Re: [Openvpn-users] Notify client on disconnect


  • Subject: Re: [Openvpn-users] Notify client on disconnect
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Thu, 6 Jan 2005 22:18:19 +0100 (CET)

On Thu, 6 Jan 2005, James Yonan wrote:

> On Wed, 5 Jan 2005, Mathias Sundman wrote:
>
> > When --duplicate-cn is not being used the first client is disconnected if
> > a second client connects with the same certificate.
> >
> > This is exactly how it should be; however, the symptoms on a client that
> > is disconnected this way are just like you have lost connectivity, and
> > ping-restart causes a reconnect which makes the tunnel work for a few
> > seconds again.
> >
> > I've done this by mistake twice now, and was just as frustrated both times
> > about what the heck was wrong! The log gives me no clue why it's
> > ping-restarting.
> >
> > I know I shouldn't be copying my certificate to other machines, but
> > sometimes I do for testing, and this would also happen if your key/cert
> > got stolen.
> >
> > Therefore I'd like to ask how much work it would take, and if it would be a
> > good thing to add a feature that notifies the client that it will be
> > disconnected due to a second connection with the same cert, so this can be
> > printed in the client's log.
> >
> > Normally this happens if you have really lost connectivity and
> > reconnect, but in this case the old client is already gone, so no false
> > log message will be printed. But if you make the same mistake as me, or if
> > your cert has really been stolen and someone tries to connect while
> > you're connected, then you could see this in the log.
>
> I agree that some kind of notification would make sense. I'd like to throw
> away the current explicit-exit-notify implementation and redo it in a way
> that touches all the bases, i.e. bidirectional exit notify with ACK and
> reason codes. Then the client would get a message that says "you were
> disconnected because another client with the same common name connected."

That makes sense.

> It's probably going to be a 2.1 thing, because it involves global changes
> to the code as well as protocol changes and will probably take a few beta
> releases of testing to stabilize.

Fine with me.

/Mathias
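Added example, not part of the thread and not OpenVPN's own code: until a client-side notification exists, the symptom Mathias describes can still be recognised from the logs. The Python below is an editor's illustration of that. On the client side it measures how long each tunnel stays up between "Initialization Sequence Completed" and the next "Inactivity timeout (--ping-restart), restarting" and flags a run of very short sessions; on the server side it counts how often the server pre-empted an existing session for a new connection with the same common name, which is the event that a stolen or copied certificate produces when --duplicate-cn is off. The log lines are constructed for this example (message wording modelled on OpenVPN 2.x, timestamps, the CN "mathias" and the address invented), and the thresholds are assumptions, not project defaults.

```python
"""Detect the 'tunnel works for a few seconds, then ping-restarts' pattern that a
second client holding the same certificate causes when --duplicate-cn is off."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not from the thread). The message texts are modelled on
# OpenVPN 2.x wording; timestamps, the CN 'mathias' and the address are invented,
# and the long server message is abridged after its first sentence.
CLIENT_LOG = """\
Thu Jan  6 22:00:01 2005 Initialization Sequence Completed
Thu Jan  6 22:00:09 2005 [server] Inactivity timeout (--ping-restart), restarting
Thu Jan  6 22:00:12 2005 Initialization Sequence Completed
Thu Jan  6 22:00:20 2005 [server] Inactivity timeout (--ping-restart), restarting
Thu Jan  6 22:00:23 2005 Initialization Sequence Completed
Thu Jan  6 22:00:31 2005 [server] Inactivity timeout (--ping-restart), restarting
"""

SERVER_LOG = """\
Thu Jan  6 22:00:08 2005 mathias/192.0.2.10:1194 MULTI: new connection by client 'mathias' will cause previous active sessions by this client to be dropped.
Thu Jan  6 22:00:19 2005 mathias/192.0.2.10:1194 MULTI: new connection by client 'mathias' will cause previous active sessions by this client to be dropped.
"""

# Default OpenVPN timestamp prefix: "Thu Jan  6 22:00:01 2005 <message>"
STAMP = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
INIT_DONE = "Initialization Sequence Completed"
PING_RESTART = re.compile(r"Inactivity timeout \(--ping-restart\), restarting")
PREEMPT = re.compile(r"MULTI: new connection by client '([^']+)' will cause previous active sessions")


def parse(log):
    """Yield (datetime, message) for every line carrying the default timestamp prefix."""
    for line in log.splitlines():
        m = STAMP.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def session_lengths(client_log):
    """Seconds between each 'Initialization Sequence Completed' and the ping-restart
    that followed it, in log order."""
    lengths = []
    up_since = None
    for when, msg in parse(client_log):
        if INIT_DONE in msg:
            up_since = when
        elif PING_RESTART.search(msg) and up_since is not None:
            lengths.append((when - up_since).total_seconds())
            up_since = None
    return lengths


def is_flapping(client_log, max_session=60, min_cycles=3):
    """True when the last min_cycles sessions each lasted at most max_session seconds.
    That is the pattern of being pre-empted by another client using the same
    certificate; it is also what a genuinely flaky link looks like, so confirm it
    against the server log (thresholds are assumptions for this example)."""
    lengths = session_lengths(client_log)
    if len(lengths) < min_cycles:
        return False
    return all(s <= max_session for s in lengths[-min_cycles:])


def preemptions_by_cn(server_log):
    """Count, per common name, how often the server dropped an active session to make
    room for a new connection with the same CN (only happens without --duplicate-cn)."""
    counts = Counter()
    for _, msg in parse(server_log):
        m = PREEMPT.search(msg)
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    print("session lengths:", session_lengths(CLIENT_LOG))
    print("client flapping:", is_flapping(CLIENT_LOG))
    print("server pre-emptions per CN:", dict(preemptions_by_cn(SERVER_LOG)))
```

A client that is flapping but whose CN never appears in the server's pre-emption count has a connectivity problem; one that is flapping while the server keeps dropping sessions for its CN is being pushed off by a second holder of the same key, whether that is a test copy or a stolen one. Enabling --duplicate-cn would hide the second case rather than fix it, so the better response is to find the other connection and revoke the certificate if it is not yours.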