
Re: [Openvpn-users] management interface questions

  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Fri, 21 Jan 2005 01:05:55 -0700 (MST)

On Fri, 21 Jan 2005, Daniel Lehmann wrote:

> Hi,
> I have two questions concerning the management interface. First, I
> think this is a great feature of openvpn.
> But I think that openvpn reacts strangely if you use management-hold. If
> you are using a tls secured connection and you are doing a hold release,
> depending on whether your key is secured by a passphrase, you might be
> asked for it. If you enter the wrong key, openvpn terminates.
> I think this should be changed. You can't improve security by this, as
> anybody could use the openssl command to brute-force the passphrase.
> Second, a user without admin privileges can't restart openvpn and
> has to ask his admin or reboot the machine.
> Maybe openvpn should return to the " Need hold release from management
> interface, waiting..." status or ask for the passphrase again.

I agree that allowing password retries might be useful, though since there
are lots of potential fatal errors on OpenVPN startup, any GUI which is
driving the management interface will already need to know how to deal
with fatal errors which require OpenVPN to be rerun.  Password failures 
are just one of many possible fatal errors.

The problem is that you will complexify the code if you try to recode all
the possible startup errors to be nonfatal. And if you start making some
of them nonfatal and some of them fatal, then it complexifies the
management clients (i.e. GUIs) because now they must differentiate between 
fatal errors which cause an exit and errors which would normally be fatal 
but which have now been recoded to jump back to the management-hold state.

> Furthermore I have a feature request. Imagine the situation, where there
> is a computer used by different (non-admin) persons and openvpn provides
> them a secure connection via certificates and keys. With the new GUIs,
> they all can use openvpn.
> In this scenario not the persons are authenticated against openvpn but
> the computer - as there is only one certificate/key used by all of them.
> Starting an individual connection for each user isn't that easy, as you
> maybe don't know which of the legitimate users might use this computer.
> In addition, each openvpn instance had to open its own management
> interface at a different port. The GUI had to know which user needs
> which management interface at which port.
> Maybe it is possible to enhance the management interface, that the
> pkcs12 file can be read from the management interface and not from disk.
> There could be a special option for this (management-readpkcs12) and if
> the binary data is a problem it could be base64 encoded or something
> like this.
> So the GUI could load the pkcs12 file and write it to the management
> interface. So there would be real multi-user support in the given
> scenario.
> What do you think about this?

It's an interesting idea, though I think it's a special case of a more 
general feature which would allow the management interface to dictate the 
entire configuration file + related files (certs, keys, etc.) over the 
management channel.  Maybe something to think about post 2.0.

