Phillip Smith | 3 Jan 2012 04:12

Re: Per Client Devices?


On 30 December 2011 21:15, Davide Brini <dave_br <at> gmx.com> wrote:

If that helps, one thing you can do is to always give the same IP to
the same user (based on the certificate's common name), by using per-client
specific configuration.  For example:


I am authenticating to Active Directory and using the Static IP Assignment from there (using a client-connect perl script + ldap) which kind of helps, but AFAIK there's nothing to stop a user just changing their tunnel IP to something else (mine for example) and gaining access to everything...?

If the user were bridged to a different interface on the server then they would have no control over that.
------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create 
new or port existing apps to sell to consumers worldwide. Explore the 
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev
_______________________________________________
Openvpn-users mailing list
Openvpn-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Jason Haar | 3 Jan 2012 09:47

Re: Per Client Devices?

On 03/01/12 16:12, Phillip Smith wrote:
>
> I am authenticating to Active Directory and using the Static IP
> Assignment from there (using a client-connect perl script + ldap)
> which kind of helps, but AFAIK there's nothing to stop a user just
> changing their tunnel IP to something else (mine for example) and
> gaining access to everything...?
>
Great idea - but did you try it to see what happens? I just did -
changed my tunnel IP to another valid one that wasn't in use - and
totally lost use of my tunnel. I think openvpn uses the assigned IP
address in rather an intimate way and that naturally blocks what you are
suggesting. However that's just a guess - all I know is my tunnel is
dead :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

David Sommerseth | 3 Jan 2012 12:43

Re: Per Client Devices?


On 03/01/12 04:12, Phillip Smith wrote:
> 
> On 30 December 2011 21:15, Davide Brini <dave_br <at> gmx.com> wrote:
> 
> 
> If that helps, one thing you can do is to always give the same IP to 
> the same user (based on the certificate's common name), by using 
> per-client specific configuration.  For example:
> 
> 
> I am authenticating to Active Directory and using the Static IP 
> Assignment from there (using a client-connect perl script + ldap) 
> which kind of helps, but AFAIK there's nothing to stop a user just 
> changing their tunnel IP to something else (mine for example) and 
> gaining access to everything...?
> 
> If the user were bridged to a different interface on the server then 
> they would have no control over that.

This restriction or access control you are looking for there is normally
provided by firewalls and not directly by OpenVPN itself.

However, OpenVPN does have some server controlled packet filtering.  I've
never tried it, but it is only available via the --plugin API and
somewhat via the --management-client-pf (which can push packet filtering
rules to clients).

The documentation for these features is not to be found in the most
obvious places for users.  But have a look here for more info:

openvpn-plugin.h:
<http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn.git;a=blob;f=openvpn-plugin.h;h=474c9102b61a513e8a3471f52b887aaf66d84818;hb=1d5c4433cdb7ab0a9d9f7496e6dc2cee189d375f#l422>

management/management-notes.txt:
<http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn.git;a=blob;f=management/management-notes.txt;h=785eb88188edae7f22a8f9ff63648cffa1275dbc;hb=1d5c4433cdb7ab0a9d9f7496e6dc2cee189d375f#l578>

Another approach I've developed for servers with iptables (Linux, in
other words) is eurephia.  With eurephia it is possible to enable
iptables support, which will update the iptables rules on-the-fly with
specific rules for each certificate/username/password combo.  However, it
has its own authentication model and currently cannot authenticate via
LDAP (it's on the TODO list) ... <http://www.eurephia.net/>

kind regards,

David Sommerseth
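David's point is that the per-client restriction belongs in the firewall, driven by what OpenVPN knows about the connecting certificate. As an added example (written for this page, not code from the thread, from OpenVPN or from eurephia), here is a POSIX shell hook in the shape of the client-connect / client-disconnect scripts OpenVPN runs, generating iptables FORWARD rules keyed on the certificate CN and the tunnel address the server assigned. The interface name tun0, the script path, and the alice/bob policy table are assumptions; a real deployment would look the policy up in LDAP/AD the way the poster already looks up static addresses.

```shell
#!/bin/sh
# Per-client forwarding rules keyed on the tunnel address OpenVPN assigned.
# Hypothetical hook (added example, not from the thread or the OpenVPN project).
# Wire it up in the server config:
#   script-security 2
#   client-connect    /etc/openvpn/per-client-fw.sh
#   client-disconnect /etc/openvpn/per-client-fw.sh
# OpenVPN exports script_type, common_name and ifconfig_pool_remote_ip to both hooks.

TUN_IF=tun0   # assumption: the server's tunnel interface

# Constructed policy table for the example: certificate CN -> allowed destinations.
# A real deployment would fetch this from LDAP/AD instead of hard-coding it.
policy_for_cn() {
    case "$1" in
        alice) echo "10.0.1.10/32 10.0.1.20/32" ;;
        bob)   echo "10.0.2.0/24" ;;
        *)     echo "" ;;               # unknown CN: no forwarding allowed
    esac
}

# The CN ends up on an iptables command line that is eval'd, so refuse anything
# outside a conservative character set instead of trying to quote it.
valid_cn() {
    case "$1" in
        ''|*[!A-Za-z0-9_.@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Crude IPv4 dotted-quad check for the address OpenVPN hands us.
valid_ip() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# Print (do not run) the iptables commands for one client.
# $1 = -A (connect) or -D (disconnect), $2 = CN, $3 = server-assigned tunnel IP
client_rules() {
    action=$1 cn=$2 ip=$3
    valid_cn "$cn" || return 1
    valid_ip "$ip" || return 1
    for dst in $(policy_for_cn "$cn"); do
        printf 'iptables %s FORWARD -i %s -s %s/32 -d %s -m comment --comment "ovpn:%s" -j ACCEPT\n' \
            "$action" "$TUN_IF" "$ip" "$dst" "$cn"
    done
}

# Entry point when OpenVPN invokes the script; does nothing when sourced for testing.
if [ -n "${script_type:-}" ]; then
    case "$script_type" in
        client-connect)    action=-A ;;
        client-disconnect) action=-D ;;
        *) exit 0 ;;
    esac
    # A non-zero exit from client-connect makes OpenVPN refuse the client.
    rules=$(client_rules "$action" "$common_name" "$ifconfig_pool_remote_ip") || exit 1
    while read -r cmd; do
        [ -n "$cmd" ] && { eval "$cmd" || exit 1; }
    done <<EOF
$rules
EOF
fi
```

The rules key on the source address the server assigned, not on anything the client chose. That is sound because an OpenVPN server in tun mode only forwards packets whose source matches the address it gave that client and drops the rest (logging "bad source address from client"), which is also why Jason's tunnel went dead when he changed his address. The CN is validated before it is interpolated, so a hostile certificate subject cannot smuggle shell metacharacters into the eval'd command. The disconnect hook emits the identical rule with -D, so the comment match removes exactly what connect added.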

Azfar Hashmi | 3 Jan 2012 13:55

auto disconnect users (from radius)

Hi,

I want to auto-disconnect users when their expiration is reached. Currently
users are disconnected only when the client disconnects itself, even after their
expiry has become true. Does OpenVPN support this feature? If so, then how?

Azfar Hashmi | 3 Jan 2012 14:27

Re: auto disconnect users (from radius)

I have tried both Session-Timeout and Acct-Session-Timeout but no avail.

On 1/3/2012 5:55 PM, Azfar Hashmi wrote:
> Hi,
>
> I want to auto-disconnect users when their expiration is reached. Currently
> users are disconnected only when the client disconnects itself, even after their
> expiry has become true. Does OpenVPN support this feature? If so, then how?
>
Steve Thompson | 4 Jan 2012 22:53

Prebuilt TAP driver for 2.2.2?

OpenVPN 2.2.2, Windows XP 32-bit.

openvpn.net/prebuilt has only the 2.1_rc22 prebuilt drivers, which do not
work with OpenVPN 2.2.2 ("this version requires a tap driver that is at 
least version 9.9"). Is there a 2.2.2 prebuilt driver kit available 
anywhere?

-s

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
Samuli Seppänen | 5 Jan 2012 09:23

Re: Prebuilt TAP driver for 2.2.2?


> OpenVPN 2.2.2, Windows XP 32-bit.
>
> openvpn.net/prebuilt has only the 2.1_rc22 prebuilt drivers, which do not
> work with OpenVPN 2.2.2 ("this version requires a tap driver that is at 
> least version 9.9"). Is there a 2.2.2 prebuilt driver kit available 
> anywhere?
>
> -s
>
Ah, openvpn.net/prebuilt... there's nothing recent there. Where did you
find the link to that place?

Anyways, these links should answer your question:

<https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers>
<https://community.openvpn.net/openvpn/wiki/BuildingOnWindows#UsingsignedTAP-driversfromanOpenVPNinstaller>

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Steve Thompson | 5 Jan 2012 15:11

Re: Prebuilt TAP driver for 2.2.2?

On Thu, 5 Jan 2012, Samuli Seppänen wrote:

> Ah, openvpn.net/prebuilt... there's nothing recent there. Where did you
> find the link to that place?

I googled for "openvpn prebuilt"; it was the first link that showed up.

> Anyways, these links should answer your question:
>
> <https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers>
> <https://community.openvpn.net/openvpn/wiki/BuildingOnWindows#UsingsignedTAP-driversfromanOpenVPNinstaller>

Excellent; thank you. Interestingly, these didn't show up from my googling 
:-(

Steve
Athanasios Douitsis | 5 Jan 2012 17:19

Re: Prebuilt TAP driver for 2.2.2?

Unfortunately if you don't want to build the tap drivers, you will probably have to dig through the install package and extract the relevant files. At least that's what I had to do. Better methods welcome naturally.



On Thu, Jan 5, 2012 at 4:11 PM, Steve Thompson <smt <at> vgersoft.com> wrote:
> On Thu, 5 Jan 2012, Samuli Seppänen wrote:
>
>> Ah, openvpn.net/prebuilt... there's nothing recent there. Where did you
>> find the link to that place?
>
> I googled for "openvpn prebuilt"; it was the first link that showed up.
> Excellent; thank you. Interestingly, these didn't show up from my googling :-(
>
> Steve
Athanasios Douitsis | 5 Jan 2012 17:21

Re: Prebuilt TAP driver for 2.2.2?



On Thu, Jan 5, 2012 at 6:19 PM, Athanasios Douitsis <aduitsis+openvpn <at> gmail.com> wrote:
> Unfortunately if you don't want to build the tap drivers, you will probably have to dig through the install package and extract the relevant files. At least that's what I had to do. Better methods welcome naturally.

...as the link from Samuli indicated in the first place. Sorry for the redundant mail.
