[Openvpn-devel] client-server customized session-id

2004-10-06 Thread satinders
Hi,
I am implementing client-server openvpn with the following additional
requirement:
Client and server should share a secret session-id provided by me while starting
the client and server. I don't want to keep this session-id in a file on the client
machine. Preferably the client will be started from an applet. This applet will
give the session-id to the openvpn instance. This session-id will be sent in
each request from client to server. This session-id will be used to find out
whether this is a legitimate client instance or not. It will also be used to
check the client's access policy for a particular service. It's a kind of
firewall with specific permissions for each client for accessing servers.

For this I am planning to add a new structure in place of "struct buffer" :

struct new_struct_buffer {
    my_ses_type my_ses;   /* may be int, supplied through command line */
    struct buffer buf;    /* existing struct buffer */
    length_type len;      /* length of new_struct_buffer */
};

This structure will be written to and read from the tunnel socket in place of struct
buffer. my_ses will be read from the messages and used for verifying the
client. I want to add my_ses before anything else in order to validate it first
and then process the rest of the packet.

I have seen one more structure, "struct options", which is included in
messages between client and server, but I am not sure that it's always there
in all data exchanges.

There is also a need to maintain valid session-ids on the server side for verifying
client messages.

Please provide me feedback on this solution. In case anybody has already
implemented this feature, please share it.

I suggest openvpn should implement hooks just like apache server for
adding/modifying functionality. This will make openvpn easy to adapt.

Regards,
Satinder Singh


-Original Message-
From: Mathias Sundman [mailto:math...@nilings.se]
Sent: Wednesday, October 06, 2004 11:22 AM
To: satind...@in.safenet-inc.com
Cc: openvpn-devel@lists.sourceforge.net
Subject: RE: [Openvpn-devel] Same IP subnet on both sides (was: Pass log
and passphrase between OpenVPN...)


On Wed, 6 Oct 2004 satind...@in.safenet-inc.com wrote:

Hi Satinder,

Please don't "hijack" a thread like that. Start a new topic if your post 
is un-related to the other current threads.

> Hi,
>   Currently openvpn demands that in client-server scenario, private
> IPs should not clash with other machines. What if a client with IP 10.19.0.5
> sitting in an ISP network (e.g. internet cafe) is there and server tries to
> assign 10.19.0.5 to this machine. Also there are other machines on 10.19.0.0
> network on ISP side which client wants to access. In this scenario client
> will not be able to access other 10.19.0.0. machines if openvpn is started.

True. This is one of the problems with using private IP addresses 
(RFC1918) that is becoming bigger and bigger while VPNs are becoming 
more and more popular.

When setting up a VPN you MUST take into consideration that the IP subnets 
you use on and behind the server must not be used as the local network by 
any of the clients connecting to your server.


> Do we have any mechanism through which client can find out which 10.19.0.0
> IP is free and then can send request to server to assign this specific IP to
> me? And also it can set the routing itself.

No.


> If this is not the right group to post this type of query then kindly
> suggest me the right one.

I think openvpn-users would have been more appropriate, if you are not 
considering developing any new features...

--
_
Mathias Sundman  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows   XNO HTML/RTF in e-mail
http://www.nilings.se/openvpn/ \   NO Word docs in e-mail
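
The framing sketched in the message above (a secret session-id placed ahead of the
existing buffer and its length, validated against a server-side table before the rest
of the packet is processed), written out as an added example. This is not OpenVPN code
and not the poster's implementation: the 8-byte id width (the same width as OpenVPN's
own struct session_id in session_id.c), the 16-bit length field, the table size and all
function names are assumptions. One caveat a practitioner would want: a fixed id sent
in every packet is a bearer token, so the table check only proves that the sender knows
a currently valid id; the example shows the framing and the validation order, not how
the id is protected on the wire.

```c
/* Added example (not OpenVPN code): a session-id-prefixed frame, checked
 * against a server-side table of valid ids before the payload is parsed.
 * Wire layout (assumed): [my_ses: 8 bytes][len: 16-bit big-endian][buf: len bytes] */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SES_ID_LEN  8      /* assumption: same width as OpenVPN's struct session_id */
#define MAX_PAYLOAD 1500
#define MAX_SESSIONS 16

struct ses_frame {
    uint8_t  my_ses[SES_ID_LEN];  /* secret session-id supplied at start-up */
    uint16_t len;                 /* payload length */
    uint8_t  buf[MAX_PAYLOAD];    /* the existing buffer contents */
};

/* Server-side table of currently valid session-ids. */
struct ses_table {
    uint8_t ids[MAX_SESSIONS][SES_ID_LEN];
    int     count;
};

/* Constant-time comparison: a mismatching id takes the same time as a match,
 * so an attacker cannot narrow down the id byte by byte from timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

int ses_table_add(struct ses_table *t, const uint8_t id[SES_ID_LEN])
{
    if (t->count >= MAX_SESSIONS)
        return -1;
    memcpy(t->ids[t->count++], id, SES_ID_LEN);
    return 0;
}

/* Returns the index of id in the table or -1.  Always scans every entry. */
static int ses_table_find(const struct ses_table *t, const uint8_t id[SES_ID_LEN])
{
    int found = -1;
    for (int i = 0; i < t->count; i++)
        if (ct_equal(t->ids[i], id, SES_ID_LEN))
            found = i;
    return found;
}

/* Serialise a frame.  Returns bytes written, or -1 if it does not fit. */
int ses_frame_write(uint8_t *out, size_t outcap, const uint8_t id[SES_ID_LEN],
                    const uint8_t *payload, size_t plen)
{
    if (plen > MAX_PAYLOAD || outcap < SES_ID_LEN + 2 + plen)
        return -1;
    memcpy(out, id, SES_ID_LEN);
    out[SES_ID_LEN]     = (uint8_t)(plen >> 8);
    out[SES_ID_LEN + 1] = (uint8_t)(plen & 0xff);
    memcpy(out + SES_ID_LEN + 2, payload, plen);
    return (int)(SES_ID_LEN + 2 + plen);
}

/* Parse a received datagram.  The session-id is validated before the length or
 * payload is interpreted; on any failure nothing is copied into *f.
 * Returns 0 on success, -1 for an unknown id, -2 for a malformed frame. */
int ses_frame_read(const struct ses_table *t, const uint8_t *in, size_t inlen,
                   struct ses_frame *f)
{
    if (inlen < SES_ID_LEN + 2)
        return -2;                      /* too short to even hold the header */
    if (ses_table_find(t, in) < 0)
        return -1;                      /* reject before touching the rest */
    size_t plen = ((size_t)in[SES_ID_LEN] << 8) | in[SES_ID_LEN + 1];
    if (plen > MAX_PAYLOAD || plen != inlen - SES_ID_LEN - 2)
        return -2;                      /* length field disagrees with datagram */
    memcpy(f->my_ses, in, SES_ID_LEN);
    f->len = (uint16_t)plen;
    memcpy(f->buf, in + SES_ID_LEN + 2, plen);
    return 0;
}
```

The length is cross-checked against the datagram size so that a valid id cannot be
followed by a length that makes the reader walk past the received bytes.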


Re: [Openvpn-devel] client-server customized session-id

2004-10-06 Thread James Yonan
On Wed, 6 Oct 2004 satind...@in.safenet-inc.com wrote:

> Hi,
>   I am implementing client-server openvpn with the following additional
> requirement:
> Client and server should share a secret session-id provided by me while starting
> the client and server. I don't want to keep this session-id in a file on the client
> machine. Preferably the client will be started from an applet. This applet will
> give the session-id to the openvpn instance. This session-id will be sent in
> each request from client to server. This session-id will be used to find out
> whether this is a legitimate client instance or not. It will also be used to
> check the client's access policy for a particular service. It's a kind of
> firewall with specific permissions for each client for accessing servers.

OpenVPN already has a session ID.  See session_id.c.

As far as checking access policies, there are already several ways of 
doing this.  In particular, see --client-connect and --learn-address.

James
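
As an added example of the per-client access policy James points at, here is the
check a --learn-address hook could run. It is not OpenVPN code and not James's
or the poster's: OpenVPN invokes the hook with the operation (add, update or
delete), the virtual address or route, and, for add and update, the client's
common name, and this program reads those from argv. The ACL table is a
constructed sample, and the firewall action taken on the allow/deny decision is
left to the reader; the same check could equally live in a --client-connect
script.

```c
/* Added example (not OpenVPN code): policy check for a --learn-address hook.
 * Invocation (from the OpenVPN manual): cmd add|update|delete <addr>[/<bits>] [<cn>]
 * Exit status 0 means the common name may own the address or route. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

struct acl_entry { const char *cn; const char *cidr; };

/* Constructed sample policy: which addresses/iroutes each client may claim. */
static const struct acl_entry ACL[] = {
    { "branch-a", "10.19.1.0/24" },
    { "branch-a", "10.8.0.2/32"  },
    { "laptop-1", "10.8.0.0/24"  },
};

/* Parse "a.b.c.d" or "a.b.c.d/n" into a host-order address and prefix length.
 * Rejects trailing garbage, out-of-range octets and prefixes. */
static int parse_cidr(const char *s, uint32_t *addr, int *bits)
{
    uint32_t acc = 0;
    int n = 32;
    for (int i = 0; i < 4; i++) {
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0 || v > 255)
            return -1;
        if (i < 3 && *end != '.')
            return -1;
        acc = (acc << 8) | (uint32_t)v;
        s = (i < 3) ? end + 1 : end;
    }
    if (*s == '/') {
        char *end;
        long v = strtol(s + 1, &end, 10);
        if (end == s + 1 || v < 0 || v > 32 || *end != '\0')
            return -1;
        n = (int)v;
    } else if (*s != '\0') {
        return -1;
    }
    *addr = acc;
    *bits = n;
    return 0;
}

static uint32_t prefix_mask(int bits)
{
    return bits == 0 ? 0 : (uint32_t)(0xffffffffu << (32 - bits));
}

/* 1 if cn is allowed to own address (a host, or a whole route when a prefix
 * is given), 0 otherwise.  A route is only allowed if some ACL entry for the
 * common name covers all of it. */
int learn_address_allowed(const char *op, const char *address, const char *cn)
{
    if (strcmp(op, "delete") == 0)
        return 1;                              /* nothing to authorise on removal */
    if (strcmp(op, "add") != 0 && strcmp(op, "update") != 0)
        return 0;
    if (cn == NULL)
        return 0;
    uint32_t addr;
    int bits;
    if (parse_cidr(address, &addr, &bits) != 0)
        return 0;
    for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++) {
        uint32_t eaddr;
        int ebits;
        if (strcmp(ACL[i].cn, cn) != 0)
            continue;
        if (parse_cidr(ACL[i].cidr, &eaddr, &ebits) != 0)
            continue;
        if (ebits <= bits &&
            (addr & prefix_mask(ebits)) == (eaddr & prefix_mask(ebits)))
            return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s add|update|delete address [common_name]\n", argv[0]);
        return 2;
    }
    const char *cn = argc > 3 ? argv[3] : NULL;
    if (learn_address_allowed(argv[1], argv[2], cn))
        return 0;
    fprintf(stderr, "learn-address: denied %s %s for %s\n",
            argv[1], argv[2], cn ? cn : "(none)");
    return 1;
}
```

Routes are matched by containment, so a client granted 10.19.1.0/24 may claim a
host inside it or the whole /24, but not a broader 10.19.0.0/16.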




RE: [Openvpn-devel] client-server customized session-id

2004-10-06 Thread satinders
This session id is not in my control. I want to have some secret (my own
session-id, passed as a command line parameter) that's there in each data
message, through which I can identify the client.

-Original Message-
From: James Yonan [mailto:j...@yonan.net]
Sent: Wednesday, October 06, 2004 3:00 PM
To: satind...@in.safenet-inc.com
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] client-server customized session-id


On Wed, 6 Oct 2004 satind...@in.safenet-inc.com wrote:

> Hi,
>   I am implementing client-server openvpn with the following additional
> requirement:
> Client and server should share a secret session-id provided by me while starting
> the client and server. I don't want to keep this session-id in a file on the client
> machine. Preferably the client will be started from an applet. This applet will
> give the session-id to the openvpn instance. This session-id will be sent in
> each request from client to server. This session-id will be used to find out
> whether this is a legitimate client instance or not. It will also be used to
> check the client's access policy for a particular service. It's a kind of
> firewall with specific permissions for each client for accessing servers.

OpenVPN already has a session ID.  See session_id.c.

As far as checking access policies, there are already several ways of 
doing this.  In particular, see --client-connect and --learn-address.

James


[Openvpn-devel] Suggestion: OpenVPN should provide hooks

2004-10-06 Thread satinders
OpenVPN should provide hooks just like the apache server. This will facilitate
customization of openvpn features. One of the hooks could be
post_tunnel_read_request, which will be called when openvpn reads a message
from the remote peer. One can add his own treatment of the message through this
hook.

This will greatly improve openvpn's adaptability.

We can have the same implementation as in apache (through modules, function
registration) or we can have blank callbacks which the developer can fill in to
achieve feature enhancements.

Developer should be able to write his module having implementation of
various hooks and then just compile it with openvpn.

Regards,
Satinder Singh


Re: [Openvpn-devel] [Patch] Allow multiple TAP devices without --dev-node on Windows

2004-10-06 Thread Mathias Sundman

On Tue, 5 Oct 2004, Mathias Sundman wrote:

I was going to ask for a feature yesterday, but thought I'd write it myself 
instead of just asking for others to do things for me :-)


I have about 15 OpenVPN configs on my Windows machine, but I only use 2-3 
simultaneously. But, as I need to be able to connect to more than one site, 
I've had to create one TAP device for EVERY config file, as I had to specify 
the dev-node in every config if I had installed more than one TAP device.


With the attached patch this behavior is modified so that if dev-node is not 
specified, OpenVPN tries to open the first TAP device it finds. If 
CreateFile() fails on this device, it moves on and tries to open the next device.


Only if CreateFile() fails on all available TAP devices does openvpn 
terminate.


This works great as long as all TAP configuration is done dynamically from 
OpenVPN, which is always the case for me. If you have static configuration 
done on the TAP devices, you need to use dev-node to specify which device to 
use anyway, so I don't think this patch should break anything.


Now that Eric Tanner has shown us how we can install the TAP device as 
hidden, this patch became even more useful, as it's a little troublesome to 
change the TAP device name when it's not visible in "Network Connections" 
:-)


James, could you consider applying this patch for the beta12 release?

If there's something in the patch you dislike or would like to have 
implemented in a different way, let me know, and I'll try fixing it...


--
_
Mathias Sundman  (^)   ASCII Ribbon Campaign
NILINGS ABXNO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28  / \   NO Word docs in e-mail