
Re: [Openvpn-users] Re: Re: Re: Re: IP Allocation


  • Subject: Re: [Openvpn-users] Re: Re: Re: Re: IP Allocation
  • From: Helder Miguel Gaspar Rodrigues <crash@xxxxxxxx>
  • Date: Thu, 13 Jan 2005 05:38:06 +0000


Ok, now I have certs for all users, but I built the certs without
ns-cert-type in mind. And now? Any alternative concerning that my
clients are running Windows XP.

My new configuration file, any comments?
fast-io
dev tap
log-append openvpn.log
tls-server
ca /etc/ssl/CA/cacert.pem
cert /etc/ssl/CA/wifivpn.frew.org.pem
key /etc/ssl/CA/wifivpn.frew.org.key.pem
crl-verify /etc/ssl/CA/crl/crl.pem
dh dh1024.pem
tls-auth ta.key 0
mode server
client-connect /etc/openvpn/ip.py
#duplicate-cn
ifconfig 192.168.3.1 255.255.255.0 # openvpn gateway
push "dhcp-option DNS 192.168.3.1" # push DNS entries to openvpn client
push "route-gateway 192.168.3.1" # push default gateway
keepalive 10 60
#mtu-test
#tun-mtu 1500
#tun-mtu-extra 32
#mssfix 1450
#ping 10
#ping-restart 120
#push "ping 10"
#push "ping-restart 60"
#push "route 192.168.1.0 255.255.255.0 192.168.3.1" # add route to protected network
push "route 192.168.0.0 255.255.255.0 192.168.3.1" # add route to protected network
push "route 192.168.3.0 255.255.255.0 192.168.3.1"
push "redirect-gateway"
comp-lzo
status openvpn-status.log
verb 4

thank you

Charles Duffy wrote:
| On Wed, 12 Jan 2005 20:38:20 +0000, Helder Miguel Gaspar Rodrigues wrote:
|
|
|>What do you think about the configuration settings? It's a wifi environment.
|
|
| Comments below.
|
|
|
|>duplicate-cn
|
|
| Evil. Bad security policy (can't just replace one client's certificate,
| need to replace all of them if any client is compromised), prevents you
| from using the CN as a key to do Useful Things in your scripting (like
| handing out IP addresses, adding DNS entries, etc), and makes it pretty
| darned easy for any client to pretend to be any other (since they don't
| have distinct keys, they only need to change their IP addresses).
|
| You should seriously rethink using this.
|
|
|>mtu-test
|>tun-mtu 1500
|>tun-mtu-extra 32
|>mssfix 1450
|
|
| Just curious -- did you really need to set these? I'm accustomed to
| current versions of OpenVPN doing The Right Thing quite out-of-the-box.
|
|
|>ping 10
|>ping-restart 120
|>push "ping 10"
|>push "ping-restart 60"
|
|
| I find that the keepalive directive helps keep things more readable.
|
|
|>ifconfig 192.168.3.1 255.255.255.0 # openvpn gateway
|>push "route 192.168.1.0 255.255.255.0 192.168.3.1" # add route to protected network
|>push "route 192.168.0.0 255.255.255.0 192.168.3.1" # add route to protected network
|>push "route 192.168.3.0 255.255.255.0 192.168.3.1"
|>push "redirect-gateway"
|
|
| Granted, I don't know that much about your network configuration, but this
| could probably be simplified. Considered using the server directive?
|
|
|>My script:
|
|
| I'm a really, really big fan of Python -- but this just cries out to be a
| single line of shell:
|
| #!/usr/bin/bash
| VPN_IP=$(echo $1 | sed -re 's_([0-9]{1,3})\.([0-9]{1,3})$_3.\2_')
| echo "ifconfig-push ${VPN_IP} 255.255.255.0"
|
|
|>port 5000
|
|
| Call me a stickler, but I prefer using the IANA-assigned port, given the
| chance.
|
|
|>tls-client
|>pull
|
|
| The "client" directive does both of these, and is easier to read.
|
|
| Finally, I don't notice any mechanism in use to validate that the server's
| certificate really _is_ the server's certificate (see the whole
| man-in-the-middle brouhaha here a while ago). You should seriously
| consider using ns-cert-type (with an appropriately created server key), or
| tls-verify, or something of the like.
|
|
|
| -------------------------------------------------------
| The SF.Net email is sponsored by: Beat the post-holiday blues
| Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
| It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
| _______________________________________________
| Openvpn-users mailing list
| Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
| https://lists.sourceforge.net/lists/listinfo/openvpn-users

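As an added example (not code from this thread or from OpenVPN itself), here is a client-connect hook that hands out a fixed VPN address keyed on the client's certificate common name, the kind of per-client scripting Charles says duplicate-cn would rule out. It assumes OpenVPN's client-connect behaviour of exporting the CN as the common_name environment variable and passing the path of a temporary per-client config file as $1; the CN-to-address table is constructed for illustration.

```shell
#!/bin/bash
# Client-connect hook (added example): assign each client a fixed tap
# address from a table keyed on its certificate CN. This only works when
# every client has its own certificate, i.e. duplicate-cn is NOT set.

# Constructed allocation table: "<common name> <vpn address>", one per line.
ALLOC_TABLE='alice.frew.org 192.168.3.10
bob.frew.org 192.168.3.11
carol.frew.org 192.168.3.12'

# Print the VPN address for a CN; return non-zero if the CN is malformed
# or unknown. The CN is checked against a strict character set first so
# that an odd certificate subject can never smuggle extra directives into
# the config file we write for OpenVPN.
vpn_ip_for_cn() {
  local cn="$1"
  case "$cn" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s\n' "$ALLOC_TABLE" |
    awk -v cn="$cn" '$1 == cn { print $2; found = 1 } END { exit !found }'
}

# Build the directive OpenVPN should apply for this client.
# In tap mode ifconfig-push takes the address and the netmask.
ifconfig_push_line() {
  local ip
  ip=$(vpn_ip_for_cn "$1") || return 1
  printf 'ifconfig-push %s 255.255.255.0\n' "$ip"
}

# When invoked by OpenVPN: common_name is set by the daemon and $1 is the
# temporary file it expects us to fill. A CN with no allocation makes the
# script exit non-zero, which causes OpenVPN to refuse the connection
# instead of letting the client pick its own address.
if [ -n "$common_name" ] && [ -n "$1" ]; then
  ifconfig_push_line "$common_name" > "$1" || exit 1
fi
```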
