[Openvpn-users] Re: openvpn feature questions?

  Subject: [Openvpn-users] Re: openvpn feature questions?
  From: Charles Duffy <cduffy@xxxxxxxxxxx>
  Date: Fri, 14 Jan 2005 02:52:50 -0600

On Fri, 14 Jan 2005 08:54:19 +0100, Klavs Klavsen wrote:

> 1) Can I get the openvpn connection registered as a "dial-up
> connection", so my users can select "log on using dial-up connection" as
> they can with an ipsec VPN connection?

I don't believe so. However, that may not be too problematic...

> Thing is, I'd like to authenticate them, before they get access to the
> company net, but I'd also like the machine to not just log them in with
> cached credentials

Can they just use the GUI to start OpenVPN before accessing resources on
the VPN? See http://www.nilings.se/openvpn/.

What cached credentials are you referring to? OpenVPN doesn't use Kerberos
(or Microsoft's bastardized Active Directory version of the same), so
there's no question of the Kerberos ticket cache being used to

You can use the "inactive" directive to force the tunnel to close after a
period of inactivity.

> and then they can open the tunnel to get connected - as I'm not sure
> that will handle forced password changes, and it won't run my login
> scripts either :(

I'm not quite sure what you're referring to here. Are these login scripts
for the client or the server? Which password are you referring to? (System
password? auth-user-pass password? private-key-encryption password?)

> 2) I've found that you should be able to assign ip address-pools to
> users, based on their login-name/group-membership, but I have found no
> examples of how this is done.. Could you point me in the right
> direction?

Assign certificates to clients such that their CN is sufficient to
determine their login name or like information. In your client-connect
script on the server, place "ifconfig-push <desired-ip> <netmask>" in the
file specified as the first command line option to give clients the IP you
wish them to have.

Mind you, this assigns specific addresses, rather than selecting from
multiple pools. I don't believe that having multiple pools handled by a
single server instance is supported.
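
One way to write the client-connect script described in the reply above, added here as an example and not part of the original post. The CN-to-address table, the netmask and the function names are constructed for illustration; the `common_name` environment variable and the temporary-file path in `$1` are what OpenVPN supplies to a client-connect script.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect script that pins a fixed address
# to each client based on the CN of its certificate.

# Constructed sample mapping "CN IP"; in practice keep it in a root-owned file.
ADDRESS_MAP='alice 10.8.0.10
bob 10.8.0.11
carol-laptop 10.8.0.12'
NETMASK='255.255.255.0'   # assumed netmask of the VPN subnet

# lookup_ip CN: print the address mapped to CN.
# Returns 1 if the CN is empty, has unexpected characters, or is unknown.
lookup_ip() {
    cn=$1
    # Treat the CN as untrusted input: allow a conservative character set only.
    case $cn in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Exact match on the first column, never a substring or regex match.
    ip=$(printf '%s\n' "$ADDRESS_MAP" | awk -v cn="$cn" '$1 == cn { print $2; exit }')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# assign_ip CN FILE: write the ifconfig-push directive for CN into FILE,
# the dynamic config file OpenVPN reads after the script returns.
assign_ip() {
    ip=$(lookup_ip "$1") || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" > "$2"
}

# When OpenVPN invokes the script, $1 is the temp file and $common_name the CN.
# A non-zero exit makes OpenVPN disconnect the client, so unknown CNs are refused
# instead of falling back to an arbitrary address.
if [ -n "${1:-}" ]; then
    assign_ip "${common_name:-}" "$1" || exit 1
fi
```

With firewall rules keyed on these fixed addresses, the per-user separation the question asks for comes from the certificate CN rather than from separate pools.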

