
Re: [Openvpn-users] Notify client on disconnect

  • Subject: Re: [Openvpn-users] Notify client on disconnect
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 6 Jan 2005 14:22:35 -0700 (MST)

On Wed, 5 Jan 2005, Mathias Sundman wrote:

> When --duplicate-cn is not being used the first client is disconnected if 
> a second client connects with the same certificate.
> This is exactly how it should be, however, the symptoms on a client that 
> is disconnected this way are just like you have lost connectivity, and 
> ping-restart causes a reconnect which makes the tunnel work for a few 
> seconds again.
> I've done this by mistake twice now, and was just as frustrated both times 
> what the heck was wrong! The log gives me no clue why it's 
> ping-restarting.
> I know I shouldn't be copying my certificate to other machines, but 
> sometimes I do for testing, and this would also happen if your key/cert 
> got stolen.
> Therefore I'd like to ask how much work it would take, and if it would be a 
> good thing to add a feature that notifies the client that it will be 
> disconnected due to a second connection with the same cert, so this can be 
> printed in the client's log.
> Normally this happens if you have really lost connectivity and 
> reconnect, but in this case the old client is already gone, so no false 
> log message will be printed. But if you do the same mistake as me, or if 
> your cert has really been stolen and someone tries to connect while 
> you're connected, then you could see this in the log.

I agree that some kind of notification would make sense.  I'd like to 
throw away the current explicit-exit-notify implementation and redo in a 
way that touches all the bases, i.e. bidirectional exit notify with ACK 
and reason codes.  Then the client would get a message that says "you were 
disconnected because another client with the same common name connected."

It's probably going to be a 2.1 thing, because it involves global changes 
to the code as well as protocol changes and will probably take a few beta 
releases of testing to stabilize.  
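
An added example, not part of the original thread and not OpenVPN code: until the client is told why it was dropped, the takeover loop described above (two holders of one certificate evicting each other on every ping-restart) can be spotted on the server side. The input layout, the function names and the 300-second window are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample: "<epoch seconds> <common name> <source address>" per new
# session. This simplified layout is an assumption, not OpenVPN's log format.
SAMPLE = """\
1000 alice 198.51.100.7
1030 bob 203.0.113.20
1090 alice 192.0.2.44
1210 alice 198.51.100.7
1330 alice 192.0.2.44
2000 bob 203.0.113.99
"""

def parse_events(text):
    """Yield (timestamp, common_name, source) from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        yield int(parts[0]), parts[1], parts[2]

def find_cn_flapping(events, window=300):
    """Return {cn: sorted sources} where one CN bounces back to an earlier
    source address after a different one took over, within `window` seconds.

    A roaming client changes address once (A -> B). Two holders of the same
    certificate evicting each other on every ping-restart produce A -> B -> A.
    """
    history = defaultdict(list)   # cn -> [(ts, source)] of address changes
    flagged = {}
    for ts, cn, src in sorted(events):
        changes = history[cn]
        if changes and changes[-1][1] == src:
            continue  # same peer reconnecting, not a takeover
        changes.append((ts, src))
        # Look for src, other, src with the whole bounce inside the window.
        if (len(changes) >= 3 and changes[-3][1] == src
                and ts - changes[-3][0] <= window):
            flagged[cn] = sorted({s for _, s in changes})
    return flagged

if __name__ == "__main__":
    for cn, sources in find_cn_flapping(parse_events(SAMPLE)).items():
        print(f"{cn}: same certificate in use from {', '.join(sources)}")
```

A flagged common name means either a certificate copied between machines for testing or a stolen key, which are the two cases raised in the quoted message.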

