
[Openvpn-users] Re: Scripting and revocation lists

  • Subject: [Openvpn-users] Re: Scripting and revocation lists
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Tue, 22 Mar 2005 11:26:24 -0600

If your concern is pushing updates to your CRL, and making sure that those
updates are atomic (i.e. multiple folks don't stomp on each other's
changes), you could try using something like GNU Arch. Arch stores
revision control history, optionally GPG-signed, in an append-only
repository, and can access said repository via FTP, sftp, WebDAV, etc. If
you script a "tla replay" (which pulls and applies updates) to happen
whenever you need to be sure you're up-to-date... well, there you go.

On my site, the CA server (a system which is set up to allow outgoing
connections only, and so which must be operated by actually walking up to
it) pushes updates out to a repository sitting on AFS, from where they're
pulled by our VPN server. Works quite nicely, and we have a history of
what's been done, who did it and when. (Pushing updates to the AFS server
requires a valid login and password.)

That said, it's quite possibly overkill for your environment.

Openvpn-users mailing list
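The two properties the post relies on a revision-control system for are that an editor cannot silently overwrite another editor's CRL change, and that the VPN server never reads a half-written CRL file. The following added example (not code from the post, from OpenVPN, or from GNU Arch) shows the bare mechanism behind both with plain files: a version token (SHA-256 of the installed CRL) that a publisher must present, a lock so the check and the swap happen together, and a write-to-temp-then-rename so the file OpenVPN reads via its `crl-verify` option is always complete. The sample CRL bodies, the lock file name and the `publish_crl`/`demo` helper names are constructed for the example; it uses POSIX `flock`, so it assumes a Unix host like the AFS/VPN servers described.

```python
import fcntl
import hashlib
import os
import tempfile

# Constructed sample data: only the *shape* of a PEM CRL, not a real signed CRL.
SAMPLE_CRL_V1 = b"-----BEGIN X509 CRL-----\nQ09OU1RSVUNURUQgU0FNUExFIFYx\n-----END X509 CRL-----\n"
SAMPLE_CRL_V2 = b"-----BEGIN X509 CRL-----\nQ09OU1RSVUNURUQgU0FNUExFIFYy\n-----END X509 CRL-----\n"


class StaleUpdate(Exception):
    """Raised when the installed CRL is no longer the version the editor started from."""


def looks_like_pem_crl(data: bytes) -> bool:
    """Cheap structural check: exactly one PEM CRL block with BEGIN before END.
    A real deployment would also parse and signature-check the CRL (for example
    with `openssl crl -noout -in FILE`) before installing it."""
    text = data.decode("ascii", errors="replace")
    begin, end = "-----BEGIN X509 CRL-----", "-----END X509 CRL-----"
    return (text.count(begin) == 1 and text.count(end) == 1
            and text.index(begin) < text.index(end))


def crl_version(path: str):
    """Version token of the installed CRL (its SHA-256 hex digest), or None if absent."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except FileNotFoundError:
        return None


def publish_crl(path: str, new_data: bytes, expected_version):
    """Install new_data at path only if the installed CRL still has the version
    token expected_version (None means 'no CRL installed yet').

    A lock file (constructed name ".crl.lock") serialises concurrent publishers
    so the version check and the swap are one step; the data is written to a
    temp file in the same directory and renamed over the old file, so a reader
    such as OpenVPN re-reading its crl-verify file sees either the complete old
    CRL or the complete new one, never a partial write. Returns the new token."""
    if not looks_like_pem_crl(new_data):
        raise ValueError("not a single PEM CRL block; refusing to install")
    directory = os.path.dirname(os.path.abspath(path))
    with open(os.path.join(directory, ".crl.lock"), "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)          # released when the file closes
        if crl_version(path) != expected_version:
            raise StaleUpdate("installed CRL changed since you pulled it; re-pull and merge")
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".crl-")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(new_data)
                f.flush()
                os.fsync(f.fileno())              # data is on disk before the rename
            os.replace(tmp, path)                 # atomic swap within one filesystem
        except BaseException:
            try:
                os.unlink(tmp)
            except FileNotFoundError:
                pass
            raise
    return hashlib.sha256(new_data).hexdigest()


def demo() -> dict:
    """Two editors pull the same (empty) starting version; only the first publish wins."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "crl.pem")
        base = crl_version(path)                        # both editors start from here
        v1 = publish_crl(path, SAMPLE_CRL_V1, base)     # editor A: accepted
        try:
            publish_crl(path, SAMPLE_CRL_V2, base)      # editor B: stale token, rejected
            second_rejected = False
        except StaleUpdate:
            second_rejected = True
        with open(path, "rb") as f:
            installed = f.read()
        return {
            "first_version": v1,
            "second_rejected": second_rejected,
            "installed_is_v1": installed == SAMPLE_CRL_V1,
            "version_matches": crl_version(path) == v1,
        }


if __name__ == "__main__":
    print(demo())
```

The rejected editor is told to re-pull and merge, which is exactly the conflict the post's "tla replay" step resolves before a push; the temp-file-plus-rename is what keeps the VPN server's view of the CRL consistent while that happens.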