Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-25 Thread Daniel Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thanks for the replies!  I should have specified that the servers are
Linux and the clients are Windows.  I have no experience with routing
protocols on Windows systems, but I've seen plenty of issues in our
Windows applications when someone changes their connection while
working.  I think we'll try blocking our internal IP ranges at the
servers first; it sounds like the easiest (and least complex)
solution at this time.

Great to see the ability to have both UDP and TCP connections in
a single config file now!

Daniel Johnson
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkzFhI4ACgkQ6vGcUBY+ge9U7wCfTISfn69MqJnd5VtHDoOAzJuH
S/UAoIrK5Ean0qUUHYGRZHewThhZDgGQ
=cbGJ
-END PGP SIGNATURE-
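The server-side approach Daniel settles on here (and that Jason Haar describes earlier in the thread, "block access to the openvpn server ports from the corporate network") is the one thing in the thread that scales badly once there are dozens of corporate ranges. The script below is an added example, not code from the thread or from the OpenVPN project: it emits the `ipset` and `iptables` commands for a Linux server so that every corporate range goes into one set and each listening port needs a single rule. The listening ports (UDP 1194, TCP 443), the set name and the address ranges are placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Added example, not from the thread: print firewall commands that refuse
# OpenVPN connections arriving from corporate address ranges, using an ipset
# so that dozens of ranges cost one iptables rule per listening port.
# Assumed: a Linux server with iptables and ipset; ports and ranges are
# placeholders chosen for illustration.

OPENVPN_PORTS=${OPENVPN_PORTS:-"udp:1194 tcp:443"}

# REJECT answers immediately (ICMP port-unreachable for UDP, RST for TCP), so
# a client that cycles through UDP-then-TCP connection profiles does not sit
# through a connect timeout per profile; DROP would make it wait silently.
ACTION=${ACTION:-REJECT}

# generate_rules SETNAME RANGE... : print the commands, one per line, so they
# can be reviewed (and diffed against the running rules) before being applied.
generate_rules() {
    _set=$1
    shift
    # -exist makes both commands idempotent when the script is re-run.
    echo "ipset create $_set hash:net -exist"
    for _net in "$@"; do
        echo "ipset add $_set $_net -exist"
    done
    for _pp in $OPENVPN_PORTS; do
        _proto=${_pp%%:*}
        _port=${_pp##*:}
        # -I inserts at the top of INPUT, ahead of any existing ACCEPT rule
        # for the VPN port, so the corporate-source check is evaluated first.
        echo "iptables -I INPUT -p $_proto --dport $_port -m set --match-set $_set src -j $ACTION"
    done
}

# count_rules SETNAME RANGE... : number of commands the ruleset will contain
# (one create, one add per range, one iptables rule per port).
count_rules() {
    generate_rules "$@" | grep -c .
}

# Usage: review the output, then feed it to a root shell, e.g.
#   sh rules.sh --print corpnets 10.0.0.0/8 172.16.0.0/12 | sudo sh
if [ "${1:-}" = "--print" ]; then
    shift
    generate_rules "$@"
fi
```

Because the commands are printed rather than executed, the same script can be run on a workstation to produce a ruleset for review, and the `-exist` flags mean re-applying it after adding a range is harmless.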




Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-19 Thread Markus Feilner
On Monday, 18 October 2010, at 20:19:53, Daniel Johnson wrote:
> As a bonus, I'd like the service to fail over to TCP if it cannot
> establish a UDP connection.  However, multiple simultaneous VPN
> connections would very likely be bad so I can't just have the
> service try both.

Hi Daniel,
have a look at the connection profiles in OpenVPN 2.1 - that should do the
trick. You'll find a great description in the manpage.

For the "don't connect from inside" issue I would use some ifup magic
(scripting) or - for Windows clients - probably use the firewall approach
mentioned in this thread.

-- 

Best Regards - Mit freundlichen Gruessen
Markus Feilner

-
Feilner IT Linux & GIS
Linux Solutions, Training, Seminare, Workshops and Authoring
Koetztinger Strasse 6c  93057 Regensburg - Germany
Phone:  +49 941 8 10 79 89
Mobile: +49 170 3 02 70 92
Web: www.feilner-it.net mail: mfeil...@feilner-it.net
Xing: http://www.xing.com/profile/Markus_Feilner
Linkedin: http://de.linkedin.com/in/markusfeilner
Linux Magazine Germany: mfeil...@linuxnewmedia.de
--
My books at Packt: Open source - privacy and connectivity for everyone!
 New and revised:   http://www.packtpub.com/learning-openvpn-2-0-9/book
 Sold over 3000 times:  http://www.packtpub.com/openvpn/book
 My Groupware book: http://www.packtpub.com/scalix/book



Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Karl O. Pinc
On 10/18/2010 02:14:19 PM, Jason Haar wrote:
>  On 10/19/2010 07:43 AM, Davide Brini wrote:
> > Sorry for the silly question, but how do you expect the OpenVPN link to be
> > established if the computer "does not already have a connection"?
> >
> > What do you mean with the above statement?
> I think he means: if the machine is on the corporate network, then don't
> kick off an openvpn connection to the corporate network
> 
> We did that here using firewall trickery. We block access to the openvpn
> server ports from the corporate network - that way openvpn can remain
> permanently running on all clients, and it will only work when clients
> connect from non-corporate networks.
> 
> It's a kludge (hard to scale when you have dozens of corporate Internet
> address ranges) - what's really needed is a "--pre-connection" option -
> so that we can run scripts before the openvpn service even starts. Then
> the "pre" script could explicitly check if the corporate network is
> available (eg attempt to download a HTTPS page from an exclusively
> internal server) and error if it is - causing openvpn to not attempt to
> make a connection

How would that work if, say, the laptop leaves the building and
loses wireless to the corporate network?  In the setup you
describe all the connections die because the network goes
down. Seems to me it would be better to always have an OpenVPN
connection but not route to it when you're inside the firewall.
Some solution involving a routing protocol would do this and then
established connections would not break.

Routing protocols are supposed to deal with paths going up and down,
so why reinvent the wheel?




Karl 
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein




Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Jonathan K. Bullard
You might want to look at the client GUI. For example, Tunnelblick (OS X GUI
which also includes embedded tun/tap kexts, OpenVPN and OpenSSL binaries)
has just such a "pre-connection" feature. People can call a script before
OpenVPN is started, and when OpenVPN finishes. It is used to do such things
as unload Cisco AnyVPN tun before running OpenVPN, and reloading it
afterward. Of course, it would be nice to have it be a part of OpenVPN.

On Mon, Oct 18, 2010 at 3:14 PM, Jason Haar wrote:

>  On 10/19/2010 07:43 AM, Davide Brini wrote:
> > Sorry for the silly question, but how do you expect the OpenVPN link to
> be
> > established if the computer "does not already have a connection"?
> >
> > What do you mean with the above statement?
> I think he means: if the machine is on the corporate network, then don't
> kick off an openvpn connection to the corporate network
>
> We did that here using firewall trickery. We block access to the openvpn
> server ports from the corporate network - that way openvpn can remain
> permanently running on all clients, and it will only work when clients
> connect from non-corporate networks.
>
> It's a kludge (hard to scale when you have dozens of corporate Internet
> address ranges) - what's really needed is a "--pre-connection" option -
> so that we can run scripts before the openvpn service even starts. Then
> the "pre" script could explicitly check if the corporate network is
> available (eg attempt to download a HTTPS page from an exclusively
> internal server) and error if it is - causing openvpn to not attempt to
> make a connection
>
> See "2.1 client - how to autorun script post-connect" for further
> comments about why I think a "pre" script option would be a good idea.
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>


Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Daniel Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/18/2010 01:43 PM, Davide Brini wrote:
> Sorry for the silly question, but how do you expect the OpenVPN
> link to be established if the computer "does not already have
> a connection"?
>
> What do you mean with the above statement?
>

Ah, I failed to finish the sentence.  Should read:

===
I want to set up company laptops and remote desktops to use OpenVPN
as a service, but it should *only* connect if the computer does not
already have a connection to our company (such as locally wired or
internal wireless).
===

In other words I don't want this to light up a VPN tunnel when it
is already inside our firewall.

Daniel Johnson
progman2...@usa.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAky8m9MACgkQ6vGcUBY+ge8hmwCfdkycczLNiFmYnWvWQCvOyO0V
sjYAn2R5Sn+fGOAxnW9hMMncTJng6YcH
=Oqjc
-END PGP SIGNATURE-




Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Jason Haar
 On 10/19/2010 07:43 AM, Davide Brini wrote:
> Sorry for the silly question, but how do you expect the OpenVPN link to be
> established if the computer "does not already have a connection"?
>
> What do you mean with the above statement?
I think he means: if the machine is on the corporate network, then don't
kick off an openvpn connection to the corporate network

We did that here using firewall trickery. We block access to the openvpn
server ports from the corporate network - that way openvpn can remain
permanently running on all clients, and it will only work when clients
connect from non-corporate networks.

It's a kludge (hard to scale when you have dozens of corporate Internet
address ranges) - what's really needed is a "--pre-connection" option -
so that we can run scripts before the openvpn service even starts. Then
the "pre" script could explicitly check if the corporate network is
available (eg attempt to download a HTTPS page from an exclusively
internal server) and error if it is - causing openvpn to not attempt to
make a connection

See "2.1 client - how to autorun script post-connect" for further
comments about why I think a "pre" script option would be a good idea.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
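Two ideas from the thread fit naturally into one client-side script: Markus Feilner's pointer to OpenVPN 2.1 connection profiles (UDP first, TCP as fallback, in a single config) and Jason Haar's "pre" check that refuses to start the tunnel when the client is already inside the corporate network. The script below is an added example, not code from the thread or from the OpenVPN project. It assumes a Unix-like client where the `ip` tool lists interface addresses (a Windows client would need the address listing ported); the corporate ranges, the internal check URL and the `vpn.example.com` hostname are placeholders. It goes slightly beyond the thread by testing the client's own addresses against the corporate ranges first, which works offline, and only then trying Jason's HTTPS probe.

```shell
#!/bin/sh
# Added example, not code from the thread: a wrapper that performs a "pre"
# check and starts OpenVPN only when the client is not already on the
# corporate network. Assumes a Unix-like client with the 'ip' tool; the
# ranges, URL and hostnames below are placeholders.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when address $1 lies inside CIDR $2. A bare address with
# no prefix length is treated as a /32. 64-bit shell arithmetic is assumed
# so that a /0 prefix shifts the mask to zero.
in_cidr() {
    _net=${2%/*}
    case $2 in
        */*) _bits=${2#*/} ;;
        *)   _bits=32 ;;
    esac
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Succeed when any local address in $2 falls inside any corporate range in $1
# (both space-separated lists).
on_corporate_network() {
    for _addr in $2; do
        for _range in $1; do
            if in_cidr "$_addr" "$_range"; then
                return 0
            fi
        done
    done
    return 1
}

# Linux-specific: the IPv4 addresses currently configured on this host.
local_ipv4_addresses() {
    ip -4 -o addr show 2>/dev/null | awk '{ sub("/.*", "", $4); print $4 }'
}

# Jason's alternative test: fetch a page that only answers on the internal
# network. Fails (exit 1) when curl is absent or the fetch does not succeed.
internal_https_reachable() {
    command -v curl >/dev/null 2>&1 || return 1
    curl -fsS --max-time 5 -o /dev/null "$1"
}

# Client configuration using OpenVPN 2.1 connection profiles: the UDP profile
# is tried first, then the TCP one. remote-cert-tls makes the client verify
# that the server certificate carries the server role.
write_client_config() {
    cat <<'EOF'
client
dev tun
nobind
persist-key
persist-tun
<connection>
remote vpn.example.com 1194
proto udp
</connection>
<connection>
remote vpn.example.com 443
proto tcp-client
</connection>
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3
EOF
}

main() {
    _corp_nets="${CORP_NETS:-10.0.0.0/8 172.16.0.0/12}"   # placeholder ranges
    if on_corporate_network "$_corp_nets" "$(local_ipv4_addresses)"; then
        echo "local address is inside a corporate range; not starting OpenVPN" >&2
        exit 0
    fi
    if internal_https_reachable "${INTERNAL_CHECK_URL:-https://intranet.example.internal/}"; then
        echo "internal web server reachable; not starting OpenVPN" >&2
        exit 0
    fi
    exec openvpn --config "${OPENVPN_CONFIG:-/etc/openvpn/client.ovpn}"
}

# Start OpenVPN only when invoked with --run, so the functions above can also
# be sourced and exercised on their own (write_client_config > client.ovpn).
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The address-range test runs first because it needs no network round trip and gives an answer even while an interface is still coming up; the HTTPS probe is kept as a second opinion for the case Jason describes, where the corporate network is reachable but the client's own address is not in a known range.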




Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Davide Brini
On Mon, 18 Oct 2010 13:19:53 -0500 "Daniel Johnson" wrote:

> I want to set up company laptops and remote desktops to use OpenVPN
> as a service, but it should *only* connect if the computer does not
> already have a connection (such as locally wired or internal
> wireless).

Sorry for the silly question, but how do you expect the OpenVPN link to be
established if the computer "does not already have a connection"?

What do you mean with the above statement?

-- 
D.