
Re: [Openvpn-users] invalidate username/password setting via management interface

  • Subject: Re: [Openvpn-users] invalidate username/password setting via management interface
  • From: Wilhelm Meier <wilhelm.meier@xxxxxxxx>
  • Date: Mon, 14 Jan 2008 11:02:11 +0100

On Sunday, 13 January 2008, Alon Bar-Lev wrote:
> On 1/13/08, Wilhelm Meier <wilhelm.meier@xxxxxxxx> wrote:
> > I want to tear down the vpn-connection from the client-side and
> > also invalidate the username/password on the client.  The openvpn
> > should then do a reconnect without valid username/password. If I
> > then call the management interface, it asks for the
> > username/password again.
> Have you tried forget-passwords command within the management
> interface?

"forget-passwords" can only be pushed from the server-side. 

But this is not what I need, because if the client needs to reconnect 
it would ask for a username/password again and wait until it will be 

To clarify the scenario:
I have a system which is used in a mobile fashion. The system uses 
distributed authentication via LDAP to a central LDAP-Server. If the 
server is not available (no network or no access to the LDAP-server 
through the open internet to the company's network) the authentication is 
done via cached credentials (pam_ccreds).
I want the system to connect automatically to the company network via 
openvpn. So openvpn is started at boot time with user-auth and awaits 
the username/password via the management-interface. If a user logs 
into the machine, the username/password is sent to the 
management-interface via a pam-module. If authenticated, the 
vpn-connection is established.
When the user logs off, the vpn-connection should be disconnected and 
the username/password should be invalidated and openvpn should await 
a new username/password pair. If the next user uses the system, the 
new username/password is provided via the pam-module.

If there are other solutions to this scenario, comments are 
appreciated ;-) (pre-shared keys are not a solution, since user 
authentication is required, because the openvpn-server has to 
distinguish between user-groups - only some are allowed to make a vpn 
