On Wed, 19 Jan 2005, Gonda Laszlo wrote:

> Mathias Sundman wrote:
> > Yes, I just learned this one :-) --auth-user-pass REQUIRES --pull on the
> > client side. The user/pass authentication uses the push/pull channel. You
> > don't have to push any options though.
> >
> > What OpenVPN version are you using on the client side? 2.0_rc8 (2.0_rc7
> > too, but with a bug!) reports this option error clearly.
> Client: OpenVPN GUI 1.0-beta26 (last stable release), not the 2.0_rc8 on
> Win2000.
> Is it not a potential security hole?
> I think, if the username/password authentication fails, the connection must
> be dropped by the server.

It's not a security hole because you shouldn't be able to actually forward 
any tunnel data over such a connection.

In this case the TLS connection must be established, because otherwise the
client would have no secure channel over which to transmit the
username/password.  Any actual tunnel packets will be filtered by the 
server until the client provides the correct username/password.

If a client doesn't have --pull in its config, the client would show 
the TLS connection being established but would be blocked from sending or 
receiving tunnel data from the server.  The server will retain the client 
instance object until either the client provides a valid username/password 
or the client instance on the server times out due to --keepalive or 



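For reference, here is a minimal client/server configuration pair for the setup discussed in this thread. It is added as an illustration and is not taken from the original messages or from the OpenVPN distribution; the server address, certificate file names and the verify-script path are placeholders.

```conf
# --- client.conf (OpenVPN 2.0) ---
# "client" is shorthand for "pull" plus "tls-client". Without --pull a
# 2.0_rc8 client refuses to start with --auth-user-pass, because the
# username/password exchange runs over the push/pull control channel.
client
dev tun
proto udp
remote vpn.example.com 1194      # placeholder server address
ca ca.crt
cert client.crt
key client.key
# Prompt for username/password at connect time (a file name may be given
# instead to read them from disk).
auth-user-pass

# --- server.conf (OpenVPN 2.0) ---
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Run an external script to check the credentials the client sent.
# "via-env" hands them over as the environment variables "username" and
# "password"; a non-zero exit status rejects the client. The script path
# is a placeholder.
auth-user-pass-verify /etc/openvpn/check-auth.sh via-env
# Ping every 10 s; per the --keepalive manual entry the server uses twice
# the second value (240 s) as its own timeout, which also bounds how long
# a client instance that never authenticates is retained.
keepalive 10 120
```

With these files a client that lacks --pull (as with the OpenVPN GUI 1.0-beta26 build mentioned above) still completes the TLS handshake, but no tunnel packets pass until the verify script accepts a username/password, and the instance is discarded once the keepalive timeout expires.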