
[Openvpn-users] Re: Re: Re: Re: IP Allocation

  • Subject: [Openvpn-users] Re: Re: Re: Re: IP Allocation
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Wed, 12 Jan 2005 16:49:21 -0600

On Wed, 12 Jan 2005 20:38:20 +0000, Helder Miguel Gaspar Rodrigues wrote:

> What do you think about the configuration settings? It's a wifi environment.

Comments below.

> duplicate-cn

Evil. Bad security policy (can't just replace one client's certificate,
need to replace all of them if any client is compromised), prevents you
from using the CN as a key to do Useful Things in your scripting (like
handing out IP addresses, adding DNS entries, etc), and makes it pretty
darned easy for any client to pretend to be any other (since they don't
have distinct keys, they only need to change their IP addresses).

You should seriously rethink using this.

> mtu-test
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1450

Just curious -- did you really need to set these? I'm accustomed to
current versions of OpenVPN doing The Right Thing quite out-of-the-box.

> ping 10
> ping-restart 120
> push "ping 10"
> push "ping-restart 60"

I find that the keepalive directive helps keep things more readable.

> ifconfig # openvpn gateway
> push "route" # add route to protected network
> push "route" # add route to protected network
> push "route"
> push "redirect-gateway"

Granted, I don't know that much about your network configuration, but this
could probably be simplified. Considered using the server directive?

> My script:

I'm a really, really big fan of Python -- but this just cries out to be a
single line of shell:

# $1 is the client's real address; rewrite the third octet to 3 and push the result
VPN_IP=$(echo "$1" | sed -re 's_([0-9]{1,3})\.([0-9]{1,3})$_3.\2_')
echo "ifconfig-push ${VPN_IP}"

> port 5000

Call me a stickler, but I prefer using the IANA-assigned port, given the

> tls-client
> pull

The "client" directive does both of these, and is easier to read.

Finally, I don't notice any mechanism in use to validate that the server's
certificate really _is_ the server's certificate (see the whole
man-in-the-middle brouhaha here a while ago). You should seriously
consider using ns-cert-type (with an appropriately created server key), or
tls-verify, or something of the like.
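As an added illustration of the two points above (keying address assignment on the certificate CN, which only works without duplicate-cn, and the one-line address rewrite), here is a small POSIX sh client-connect style helper. It is example code written for this page, not the poster's script or anything from the OpenVPN project. It assumes OpenVPN's client-connect interface (the CN arrives in the common_name environment variable, the per-client config file path as $1, and tun-mode ifconfig-push takes the client address followed by its /30 peer); the CN-to-address table is constructed sample data.

```shell
#!/bin/sh
# Added example: hand out a fixed VPN address per certificate CN.
# Requires distinct CNs per client, i.e. duplicate-cn must NOT be set.

# Constructed sample table: "cn client-address peer-address", one per line.
# Addresses follow OpenVPN's /30-per-client tun layout (assumption).
CN_TABLE='
laptop-alice  10.8.0.10 10.8.0.9
laptop-bob    10.8.0.14 10.8.0.13
printer-hall  10.8.0.18 10.8.0.17
'

# Print "client peer" for a CN, or fail (status 1) if the CN is unknown.
# The CN is validated first so that a surprising certificate subject can
# never be turned into anything other than a table key.
vpn_ip_for_cn() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    addr=$(printf '%s\n' "$CN_TABLE" |
           awk -v cn="$1" '$1 == cn { print $2, $3; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# The poster's sed one-liner, in plain parameter expansion:
# keep the first two octets, set the third to 3, keep the host octet.
vpn_ip_from_real_ip() {
    ip=$1
    net=${ip%.*.*}      # first two octets
    host=${ip##*.}      # last octet
    printf '%s.3.%s\n' "$net" "$host"
}

# Write the per-client config OpenVPN will read for this connection.
# Returns 1 (connection rejected by OpenVPN) when the CN has no entry.
write_client_config() {
    cn=$1
    out=$2
    addr=$(vpn_ip_for_cn "$cn") || return 1
    printf 'ifconfig-push %s\n' "$addr" > "$out"
}

# When invoked by OpenVPN as a client-connect script (assumed interface):
if [ "$#" -ge 1 ]; then
    write_client_config "${common_name:-}" "$1"
fi
```

Because the lookup fails closed, a client presenting a certificate whose CN is not in the table is refused rather than silently given a pool address, and with distinct per-client certificates the CN is bound to a key the CA issued, which is exactly what duplicate-cn throws away.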
