Stephan Scholz | 1 Apr 12:01 2004

Re: OpenVPN 2.0 -- Project Update and Release Notes

James,

this is amazing! :-))) I was happy to get the forking server working
with multiple clients in 1.6. But 2.0 sounds like a gem! Will give it a try ASAP.
Great work!

Stephan

-- 
Stephan Scholz <sscholz <at> astaro.com> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Awards for ASL:
- Nätverk & Kommunikation Magazine, Sweden: "Five Stars" - October 2003
- Linux Enterprise Readers' Choice Award: Best Firewall - October 2003
- LinuxWorld Product Excellence Award: Best Security Solution - August 2003
- "Excellent" Infoworld Magazine - August 2003

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
Arkadiusz Patyk | 1 Apr 12:09 2004

OpenVPN 2.0 feature request - fixed-address

Hi

ifconfig-pool is fine, but I would need an option for IP
reservation for users.
The reservation could be realized on the base of x509name

for example:

fixed-address 10.8.0.46 /C=PL/ST=NA/O=Dot.net/CN=Maciej.Nowak/emailAddress=m.nowak <at> firma.com
fixed-address 10.8.0.50 /C=PL/ST=NA/O=Dot.net/CN=Zenon.Ptak/emailAddress=z.ptak <at> firma.com

which would guarantee that user X always gets address Y
like the fixed-address option in dhcpd

The possibility of IP reservation will simplify firewall configuration -
especially if it is installed on another machine than the openvpn server.

-- 
Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org]
[IRC:areq ICQ:16231667  GG:1383]  [AP3-6BONE] [AP14126-RIPE]

James Yonan | 1 Apr 18:19 2004

Re: OpenVPN 2.0 feature request - fixed-address

Arkadiusz Patyk <areq <at> areq.eu.org> said:

> Hi
> 
> ifconfig-pool is fine, but I would need an option for IP
> reservation for users.
> The reservation could be realized on the base of x509name
> 
> for example:
> 
> fixed-address 10.8.0.46 /C=PL/ST=NA/O=Dot.net/CN=Maciej.Nowak/emailAddress=m.nowak <at> firma.com
> fixed-address 10.8.0.50 /C=PL/ST=NA/O=Dot.net/CN=Zenon.Ptak/emailAddress=z.ptak <at> firma.com
> 
> which would guarantee that user X always gets address Y
> like the fixed-address option in dhcpd
> 
> The possibility of IP reservation will simplify firewall configuration -
> especially if it is installed on another machine than the openvpn server.

Yes, I agree that this feature is necessary.  But I'm concerned that making
options that take an x509 name as a parameter (as you propose with
'fixed-address' above) might not be general enough.  I think that people are
going to want the ability to arbitrarily customize the options which are
pushed back to the client based on the client's x509 name.

What if it were done by scripting?

A script would be called with the x509 name, and the script could then

Arkadiusz Patyk | 1 Apr 23:37 2004

Re: OpenVPN 2.0 feature request - fixed-address

On Thu, 1 Apr 2004 16:19:52 -0000, you wrote:

>Arkadiusz Patyk <areq <at> areq.eu.org> said:
>> ifconfig-pool is fine, but I would need an option for IP
>> reservation for users.
>> The reservation could be realized on the base of x509name
>> for example:
>> fixed-address 10.8.0.46 /C=PL/ST=NA/O=Dot.net/CN=Maciej.Nowak/emailAddress=m.nowak <at> firma.com
>> fixed-address 10.8.0.50 /C=PL/ST=NA/O=Dot.net/CN=Zenon.Ptak/emailAddress=z.ptak <at> firma.com
>> 
>> which would guarantee that user X always gets address Y
>> like the fixed-address option in dhcpd
>> 
>> The possibility of IP reservation will simplify firewall configuration -
>> especially if it is installed on another machine than the openvpn server.
>
>Yes, I agree that this feature is necessary.  But I'm concerned that making
>options that take an x509 name as a parameter (as you propose with
>'fixed-address' above) might not be general enough.  I think that people are
>going to want the ability to arbitrarily customize the options which are
>pushed back to the client based on the client's x509 name.
>
>What if it were done by scripting?

Nice, it's OK for me. 

>A script would be called with the x509 name, and the script could then
>generate options which would either be executed locally or pushed to the client.

Miika Keskinen | 2 Apr 12:51 2004

multiple connections on one tap

Hi.

How much functionality needs to be implemented in order to get 
multiple connections with one tap adapter working? And then, should that 
be implemented by implementing an Ethernet switch or maybe even with 
bridging code? Normally when talking about bridges there is a limit of 256 
interfaces per bridge and I can see that as an issue.

Then again, another issue with the Windows version of openvpn, mostly 
its way of resolving whether it's run as a service. It would be more than 
nice to be able to call something like os.popen("openvpn ....") on Windows too, but 
called that way it cannot get those console thingies and doesn't like it. 
So has anyone got this same problem? I think that identifying could be done 
by other means.

And sorry for my bad engrish ;)

yours.
Miika Keskinen

James Yonan | 2 Apr 14:31 2004

Re: multiple connections on one tap

Miika Keskinen <weeti <at> xther.net> said:

> Hi.
> 
> How much functionality needs to be implemented in order to get 
> multiple connections with one tap adapter working? And then, should that 
> be implemented by implementing an Ethernet switch or maybe even with 
> bridging code? Normally when talking about bridges there is a limit of 256 
> interfaces per bridge and I can see that as an issue.

OpenVPN would need to be a switch.  That means scanning ARPs, learning MAC
addresses, propagating broadcasts, etc.

> Then again, another issue with the Windows version of openvpn, mostly 
> its way of resolving whether it's run as a service. It would be more than 
> nice to be able to call something like os.popen("openvpn ....") on Windows too, but 
> called that way it cannot get those console thingies and doesn't like it. 
> So has anyone got this same problem? I think that identifying could be done 
> by other means.

OpenVPN doesn't need to be run from a console window (otherwise running as a
service wouldn't work).  OpenVPN tries to open the console, but if it doesn't
exist, it is nonfatal -- OpenVPN will continue to run.  It does, however, want
the standard file handles (especially stdout) to point to something so it can
generate logging output.

James

> And sorry for my bad engrish ;)
> 

Manuel Ruiz | 1 Apr 13:48 2004

OpenVPN running in a PDA device

I'm studying the possibility of installing openvpn on a PDA device with Windows in order to permit my users secure access to the intranet of my company.
The PDA has a dual GPRS/UMTS card to give it Internet access. Is it possible to have openvpn running on a PDA with Windows? Has someone tried this?

Thanks
Manuel
康 占英 | 6 Apr 04:33 2004

RE:Building GUI

I encountered the same problem when starting openvpn in GUI mode!! But I have 
resolved it!!! I found that an error occurs when I use the method of 
service-win32 to start vpn! At last I forced hStdInput to 3, and it 
runs well!
Like this!!

start_info.hStdInput = (HANDLE)0x3 ; //GetStdHandle(STD_INPUT_HANDLE);

And I don't know why this is??


gary ng | 8 Apr 06:31 2004

key management ?

Hi,

Openvpn is moving nicely in features for large scale
deployment.

I am wondering if there is already a plan to make the
key management more suitable for this kind of
deployment.

AFAIK, currently the cert can only be signed by one
root CA. However, this is usually not how this public
key based authentication is used in corporations (based
on my experience with Lotus Notes). Usually, the root
CA of an organisation is well guarded and is only used
to sign intermediate CAs (can be multiple levels) which
are then delegated for actual end node cert signing.
This has the advantage that if certain CAs are
compromised, they can be moved to a CRL, making any
future cert signed by them be rejected. This is
also useful for inter-organisational situations when
such confidential communication is necessary. 

Another nice-to-have feature is to associate (or limit)
the remote IPs based on certificates. 


James Yonan | 9 Apr 00:08 2004

Re: key management ?

gary ng <garyng2000 <at> yahoo.com> said:

> Hi,
> 
> Openvpn is moving nicely in features for large scale
> deployment.
> 
> I am wondering if there is already a plan to make the
> key management more suitable for this kind of
> deployment.
> 
> AFAIK, currently the cert can only be signed by one
> root CA. However, this is usually not how this public
> key based authentication is used in corporations (based
> on my experience with Lotus Notes). Usually, the root
> CA of an organisation is well guarded and is only used
> to sign intermediate CAs (can be multiple levels) which
> are then delegated for actual end node cert signing.
> This has the advantage that if certain CAs are
> compromised, they can be moved to a CRL, making any
> future cert signed by them be rejected. This is
> also useful for inter-organisational situations when
> such confidential communication is necessary. 

OpenVPN currently supports intermediate CAs (one or multiple levels).

> Another nice-to-have feature is to associate (or limit)
> the remote IPs based on certificates. 

This is possible using the --tls-verify script which can examine the IP
address and x509 name of an incoming cert and decide whether or not to accept it.

Some people even use this capability to do an nmap on the IP address to make
sure the client hasn't been compromised, before allowing the connection.

James
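The two ideas in these threads, a per-certificate address reservation keyed by the full x509 name (Arkadiusz's fixed-address proposal) and a --tls-verify hook that looks at the x509 name and the client's IP before accepting (James's reply above), can be illustrated by one small policy script. The following is an added example and is not OpenVPN's code: it relies only on the documented --tls-verify contract (the command receives the chain depth and the X.509 subject name as its two arguments and accepts with exit status 0). The environment variable name `untrusted_ip` for the client's source address is an assumption, the reservation table and the allowed source range are constructed sample data, and the emitted `fixed-address` line follows the syntax proposed in the thread rather than any real OpenVPN option.

```python
"""Policy script in the spirit of the fixed-address and --tls-verify threads
(added example, not OpenVPN code).

Assumptions: OpenVPN's --tls-verify hook runs the command with two
arguments, the chain depth and the X.509 subject name, and accepts the
certificate when the command exits 0.  The client's source address is
assumed to arrive in the environment variable untrusted_ip.  The
reservation table and the allowed source networks are constructed for the
example, and the emitted 'fixed-address' line uses the syntax proposed in
the thread, not an actual OpenVPN option.
"""
import ipaddress
import os
import re
import sys
from typing import Dict, List, Optional

# Constructed sample reservations, keyed by the full subject DN so that a
# certificate with the same CN under a different O does not match.
RESERVATIONS: Dict[str, str] = {
    "/C=PL/ST=NA/O=Dot.net/CN=Maciej.Nowak/emailAddress=m.nowak@firma.com": "10.8.0.46",
    "/C=PL/ST=NA/O=Dot.net/CN=Zenon.Ptak/emailAddress=z.ptak@firma.com": "10.8.0.50",
}

# Constructed: clients are only expected from this (documentation) range.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an OpenSSL-style '/K=V/K=V' subject into a dict.

    Splits only on a '/' that starts a new 'key=' component, so a value
    containing a bare '/' survives; a value containing '/word=' does not.
    """
    fields: Dict[str, str] = {}
    for part in re.split(r"/(?=[A-Za-z]+=)", dn.strip().lstrip("/")):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed DN component: {part!r}")
        fields[key] = value
    return fields


def verify(depth: int, dn: str, untrusted_ip: Optional[str]) -> bool:
    """Decide whether to accept a certificate at the given chain depth.

    Intermediate and root certificates (depth > 0) are left to OpenVPN's own
    chain validation; policy is applied to the leaf (depth 0) only: it must
    hold a reservation and must connect from an allowed source network.
    """
    if depth > 0:
        return True
    if dn not in RESERVATIONS or untrusted_ip is None:
        return False
    try:
        addr = ipaddress.ip_address(untrusted_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCE_NETS)


def options_for(dn: str) -> List[str]:
    """Return the per-client option lines a connect script would emit."""
    ip = RESERVATIONS.get(dn)
    return [f"fixed-address {ip}"] if ip else []


if __name__ == "__main__":
    # Invocation as a --tls-verify command: argv[1] is depth, argv[2] the DN.
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} DEPTH X509_NAME")
    depth_arg, dn_arg = int(sys.argv[1]), sys.argv[2]
    accepted = verify(depth_arg, dn_arg, os.environ.get("untrusted_ip"))
    if accepted and depth_arg == 0:
        print("\n".join(options_for(dn_arg)))
    sys.exit(0 if accepted else 1)
```

Keying the table on the whole DN rather than the CN alone is the point worth keeping from this: two certificates issued under the same root can carry the same CN, and a reservation that matched on CN only would hand one user's address (and whatever firewall rules are tied to it) to the other.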
