Re: [Openvpn-devel] Intelligent OpenVPN service?
Thanks for the replies! I should have specified that the servers are Linux and the clients are Windows. I have no experience with routing protocols on Windows systems, but I've seen plenty of issues in our Windows applications when someone changes their connection while working.

I think we'll try blocking our internal IP ranges at the servers first; it sounds like the easiest (and least complex) solution at this time.

Great to see the ability to have both UDP and TCP connections in a single config file now!

Daniel Johnson
Re: [Openvpn-devel] Intelligent OpenVPN service?
On Monday, 18 October 2010, at 20:19:53, Daniel Johnson wrote:
> As a bonus, I'd like the service to fail over to TCP if it cannot
> establish a UDP connection. However, multiple simultaneous VPN
> connections would very likely be bad so I can't just have the
> service try both.

Hi Daniel,

have a look at the connection profiles in OpenVPN 2.1 - that should do the trick. You'll find a great description in the manpage.

For the "don't connect from inside" issue I would use some ifup magic (scripting) or - for Windows clients - probably use the firewall approach mentioned in this thread.

-- 
Best Regards
Markus Feilner - Feilner IT Linux & GIS
Linux Solutions, Training, Seminars, Workshops and Authoring
Koetztinger Strasse 6c 93057 Regensburg - Germany
Phone: +49 941 8 10 79 89 Mobile: +49 170 3 02 70 92
Web: www.feilner-it.net mail: mfeil...@feilner-it.net
Xing: http://www.xing.com/profile/Markus_Feilner
Linkedin: http://de.linkedin.com/in/markusfeilner
Linux Magazine Germany: mfeil...@linuxnewmedia.de
-- 
My books at Packt: Open source - privacy and connectivity for everyone!
New and revised: http://www.packtpub.com/learning-openvpn-2-0-9/book
Sold over 3000 times: http://www.packtpub.com/openvpn/book
My Groupware book: http://www.packtpub.com/scalix/book
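The connection profiles Markus refers to, written out as an added example client configuration for the setup Daniel describes (a "normal" UDP pair of servers and an "alternate" TCP pair). This is editorial illustration, not configuration from the thread or from the OpenVPN project; the host names vpn1/vpn2.example.com, the ports 1194 and 443, and the certificate file names are assumptions. OpenVPN tries `<connection>` blocks in the order listed (unless `remote-random` is set) and moves to the next one only after the current attempt fails, so only one tunnel is ever up at a time:

```conf
# OpenVPN 2.1+ client with ordered connection profiles:
# UDP to either server first, TCP/443 only if both UDP attempts fail.
# Hosts, ports and file names are placeholders for this example.
client
dev tun
nobind
resolv-retry infinite
persist-key
persist-tun

# "Normal" profiles: UDP, preferred.
<connection>
remote vpn1.example.com 1194
proto udp
connect-retry 5
explicit-exit-notify 2
</connection>
<connection>
remote vpn2.example.com 1194
proto udp
connect-retry 5
explicit-exit-notify 2
</connection>

# "Alternate" profiles: TCP, used only when the UDP profiles fail
# (e.g. a hotel network that drops UDP).
<connection>
remote vpn1.example.com 443
proto tcp-client
connect-retry 5
</connection>
<connection>
remote vpn2.example.com 443
proto tcp-client
connect-retry 5
</connection>

# Certificate-only authentication, so the Windows service can start the
# tunnel before anyone logs on (no password prompt).
ca ca.crt
cert laptop01.crt
key laptop01.key
tls-auth ta.key 1

# Only accept a peer whose certificate carries the server EKU; without
# this any valid *client* certificate from the same CA could pose as
# the server to an unattended client.
remote-cert-tls server

verb 3
```

`remote-cert-tls server` requires the server certificate to have been issued with the TLS Web Server Authentication extended key usage (easy-rsa's build-key-server does this). Note the interaction with the server-side firewall approach discussed elsewhere in the thread: a client that is inside the corporate network will cycle through all four profiles indefinitely, so `connect-retry` is what keeps that from becoming a tight loop.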
Re: [Openvpn-devel] Intelligent OpenVPN service?
On 10/18/2010 02:14:19 PM, Jason Haar wrote:
> On 10/19/2010 07:43 AM, Davide Brini wrote:
> > Sorry for the silly question, but how do you expect the OpenVPN link to be
> > established if the computer "does not already have a connection"?
> >
> > What do you mean with the above statement?
>
> I think he means: if the machine is on the corporate network, then don't
> kick off an openvpn connection to the corporate network
>
> We did that here using firewall trickery. We block access to the openvpn
> server ports from the corporate network - that way openvpn can remain
> permanently running on all clients, and it will only work when clients
> connect from non-corporate networks.
>
> It's a kludge (hard to scale when you have dozens of corporate Internet
> address ranges) - what's really needed is a "--pre-connection" option -
> so that we can run scripts before the openvpn service even starts. Then
> the "pre" script could explicitly check if the corporate network is
> available (eg attempt to download a HTTPS page from an exclusively
> internal server) and error if it is - causing openvpn to not attempt to
> make a connection

How would that work if, say, the laptop leaves the building and loses wireless to the corporate network? In the setup you describe all the connections die because the network goes down.

Seems to me it would be better to always have an open VPN connection but don't route to it when you're inside the firewall. Some solution involving a routing protocol would do this and then established connections would not break. Routing protocols are supposed to deal with paths going up and down, so why reinvent the wheel?

Karl

Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re: [Openvpn-devel] Intelligent OpenVPN service?
You might want to look at the client GUI. For example, Tunnelblick (OS X GUI which also includes embedded tun/tap kexts, OpenVPN and OpenSSL binaries) has just such a "pre-connection" feature. People can call a script before OpenVPN is started, and when OpenVPN finishes. It is used to do such things as unload the Cisco AnyVPN tun before running OpenVPN, and reloading it afterward.

Of course, it would be nice to have it be a part of OpenVPN.

On Mon, Oct 18, 2010 at 3:14 PM, Jason Haar wrote:
> On 10/19/2010 07:43 AM, Davide Brini wrote:
> > Sorry for the silly question, but how do you expect the OpenVPN link to be
> > established if the computer "does not already have a connection"?
> >
> > What do you mean with the above statement?
>
> I think he means: if the machine is on the corporate network, then don't
> kick off an openvpn connection to the corporate network
>
> We did that here using firewall trickery. We block access to the openvpn
> server ports from the corporate network - that way openvpn can remain
> permanently running on all clients, and it will only work when clients
> connect from non-corporate networks.
>
> It's a kludge (hard to scale when you have dozens of corporate Internet
> address ranges) - what's really needed is a "--pre-connection" option -
> so that we can run scripts before the openvpn service even starts. Then
> the "pre" script could explicitly check if the corporate network is
> available (eg attempt to download a HTTPS page from an exclusively
> internal server) and error if it is - causing openvpn to not attempt to
> make a connection
>
> See "2.1 client - how to autorun script post-connect" for further
> comments about why I think a "pre" script option would be a good idea.
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Intelligent OpenVPN service?
On 10/18/2010 01:43 PM, Davide Brini wrote:
> Sorry for the silly question, but how do you expect the OpenVPN
> link to be established if the computer "does not already have
> a connection"?
>
> What do you mean with the above statement?

Ah, I failed to finish the sentence. Should read:

===
I want to set up company laptops and remote desktops to use OpenVPN as a service, but it should *only* connect if the computer does not already have a connection to our company (such as locally wired or internal wireless).
===

In other words I don't want this to light up a VPN tunnel when it is already inside our firewall.

Daniel Johnson
progman2...@usa.net
Re: [Openvpn-devel] Intelligent OpenVPN service?
On 10/19/2010 07:43 AM, Davide Brini wrote:
> Sorry for the silly question, but how do you expect the OpenVPN link to be
> established if the computer "does not already have a connection"?
>
> What do you mean with the above statement?

I think he means: if the machine is on the corporate network, then don't kick off an openvpn connection to the corporate network

We did that here using firewall trickery. We block access to the openvpn server ports from the corporate network - that way openvpn can remain permanently running on all clients, and it will only work when clients connect from non-corporate networks.

It's a kludge (hard to scale when you have dozens of corporate Internet address ranges) - what's really needed is a "--pre-connection" option - so that we can run scripts before the openvpn service even starts. Then the "pre" script could explicitly check if the corporate network is available (e.g. attempt to download a HTTPS page from an exclusively internal server) and error if it is - causing openvpn to not attempt to make a connection

See "2.1 client - how to autorun script post-connect" for further comments about why I think a "pre" script option would be a good idea.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
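The server-side "firewall trickery" Jason describes, and that Daniel later says he will try on his Linux servers, as an added example script (editorial illustration, not something posted in the thread or shipped by OpenVPN). It generates iptables rules that drop traffic to the OpenVPN listeners when the source address is one of the internal ranges; the ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 and the listeners udp/1194 and tcp/443 are placeholders. The one detail that is easy to miss: once clients carry a TCP fallback profile, both the UDP and the TCP listener have to be blocked, otherwise the fallback profile quietly brings the tunnel up from inside the building.

```shell
#!/bin/sh
# Emit (or, with --apply, execute as root) iptables rules that block the
# OpenVPN server ports for connections originating inside the corporate
# network. Address ranges and listeners are constructed placeholders.

# Corporate address ranges (placeholders). Every range clients can sit in
# must be listed; a missing range is a hole that lets the tunnel come up.
INTERNAL_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Every listener the client profiles can reach. Blocking only udp/1194
# is not enough once the client has a tcp/443 fallback profile.
OPENVPN_LISTENERS="udp:1194 tcp:443"

# gen_block_rules: print one iptables command per (listener, range) pair.
# -I INPUT puts each rule at the head of the chain, so it takes precedence
# over any later ACCEPT rule for the same port.
gen_block_rules() {
    for listener in $OPENVPN_LISTENERS; do
        proto="${listener%%:*}"
        port="${listener##*:}"
        for range in $INTERNAL_RANGES; do
            printf 'iptables -I INPUT -p %s --dport %s -s %s -j DROP\n' \
                "$proto" "$port" "$range"
        done
    done
}

# count_rules: number of rules gen_block_rules produces (listeners x ranges).
count_rules() {
    gen_block_rules | wc -l | tr -d ' '
}

# apply_block_rules: execute the generated rules (needs root and iptables).
apply_block_rules() {
    gen_block_rules | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

case "${1:-}" in
    --apply) apply_block_rules ;;
    --count) count_rules ;;
    "")      ;;  # sourced or run without arguments: define functions only
    *)       gen_block_rules ;;
esac
```

DROP (rather than REJECT) means an inside client waits out its connect timeout on each profile before moving to the next, which keeps the retry rate low; the cost is that every client on the corporate LAN logs a steady stream of failed handshakes, which is the "kludge" Jason mentions. If the firewall sits in front of the server rather than on it, the same rule set belongs on that device instead.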
Re: [Openvpn-devel] Intelligent OpenVPN service?
On Mon, 18 Oct 2010 13:19:53 -0500 "Daniel Johnson" wrote:
> I want to set up company laptops and remote desktops to use OpenVPN
> as a service, but it should *only* connect if the computer does not
> already have a connection (such as locally wired or internal
> wireless).

Sorry for the silly question, but how do you expect the OpenVPN link to be established if the computer "does not already have a connection"?

What do you mean with the above statement?

-- 
D.
[Openvpn-devel] Intelligent OpenVPN service?
I want to set up company laptops and remote desktops to use OpenVPN as a service, but it should *only* connect if the computer does not already have a connection (such as locally wired or internal wireless). Is this possible with the current service? If not, what can I/my company do to encourage development of this feature?

As a bonus, I'd like the service to fail over to TCP if it cannot establish a UDP connection. However, multiple simultaneous VPN connections would very likely be bad so I can't just have the service try both.

If it matters: The goal is to make the VPN totally hands-free, and to facilitate software deployments via Group Policy Objects (GPO, which I understand only happens at the logon prompt before the user logs in). In our current setup people use the OpenVPN GUI to pick "normal" (UDP) or "alternate" (TCP), each of which points to a pair of servers.

Any and all help appreciated!

Daniel Johnson
progman2...@usa.net