Re: [Openvpn-users] Mandatory IP address?

2015-01-19 Thread Stephan Alz
Hello

I'm curious about this as well. Doesn't the openvpn server have a built-in
security mechanism to protect against unwanted IP changes from CCD clients?

Let's say the server is assigning me 192.168.77.22:

Mon Jan 19 09:36:22 2015 /sbin/ip link set dev tun0 up mtu 1350
Mon Jan 19 09:36:22 2015 /sbin/ip addr add dev tun0 local 192.168.77.22 peer 
192.168.77.21
Mon Jan 19 09:36:22 2015 /sbin/ip route add 0.0.0.0/1 via 192.168.77.21
Mon Jan 19 09:36:22 2015 /sbin/ip route add 128.0.0.0/1 via 192.168.77.21
Mon Jan 19 09:36:22 2015 /sbin/ip route add 192.168.77.0/24 via 192.168.77.21

When I try to redo the commands manually and set the IP to 192.168.77.2 with
endpoint 192.168.77.1, everything works flawlessly and the routing table looks
OK (like it would be with a config which assigns the .2 IP), but no packets go
through the interface anymore.

Sent: Sunday, January 11, 2015 at 6:44 AM
From: Chris 
To: "Gert Doering" 
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Mandatory IP address?
Hi,

On 01/10/2015 10:02 PM, Gert Doering wrote:
> --client-config-dir + --ifconfig-push
>
> will let you assign an IP address of your choice to a given client
>
> (while technically the client is free to ignore that address and pick
> anything, this is what the server will route to this client, so effectively,
> it's forcing the address)

that's what I was looking for. Thank you!

- Chris

--
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

--
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Mandatory IP address?

2015-01-19 Thread Gert Doering
Hi,

On Mon, Jan 19, 2015 at 09:46:54AM +0100, Stephan Alz wrote:
> I'm curious about this as well. Doesn't the openvpn server have a built-in
> security mechanism to protect against unwanted IP changes from CCD clients?

Very much so - it will just ignore packets a client sends using different
source IPs.

> When I try to redo the commands manually and set the IP to 192.168.77.2 with
> endpoint 192.168.77.1, everything works flawlessly and the routing table looks
> OK (like it would be with a config which assigns the .2 IP),

The server can not stop a client from doing things on the client side
(how should it?), but it will just plainly ignore your packets now...

> but no packets go through the interface anymore.

...mission accomplished :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de


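As an added illustration (not OpenVPN's own code and not from this thread), the C program below models the server-side behaviour Gert describes: a packet a client sends over the tunnel is forwarded only if its IPv4 source address is the one the server pushed with ifconfig-push, and is silently dropped otherwise. The pushed address (.22), the manually chosen source (.2) and the destination are constructed from the thread's example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IPV4_HDR 20   /* minimal IPv4 header, no options */

/* Returns 1 if the server would forward a packet this client sent over the
 * tunnel, 0 if it drops it. 'assigned_ip' is the address pushed to the
 * client via ifconfig-push; the IPv4 source must match it exactly. */
int server_accepts_tun_packet(const uint8_t assigned_ip[4],
                              const uint8_t *pkt, size_t len)
{
    if (len < IPV4_HDR || (pkt[0] >> 4) != 4)
        return 0;                        /* not a plausible IPv4 packet */
    /* The IPv4 source address occupies header bytes 12..15. */
    if (memcmp(pkt + 12, assigned_ip, 4) != 0)
        return 0;                        /* source is not the pushed address */
    return 1;
}

/* Build a minimal IPv4 header with the given source and destination
 * (constructed test packet, no payload). */
size_t build_ipv4_header(uint8_t *out, const uint8_t src[4], const uint8_t dst[4])
{
    memset(out, 0, IPV4_HDR);
    out[0] = 0x45;                       /* version 4, IHL 5 words */
    out[3] = IPV4_HDR;                   /* total length */
    out[8] = 64;                         /* TTL */
    out[9] = 17;                         /* protocol: UDP (arbitrary) */
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    return IPV4_HDR;
}

int main(void)
{
    const uint8_t pushed[4] = {192, 168, 77, 22};   /* from ifconfig-push */
    const uint8_t manual[4] = {192, 168, 77, 2};    /* client renumbered itself */
    const uint8_t dst[4] = {10, 0, 0, 1};
    uint8_t pkt[IPV4_HDR];
    size_t n = build_ipv4_header(pkt, pushed, dst);
    printf("from .22: %s\n", server_accepts_tun_packet(pushed, pkt, n) ? "forwarded" : "dropped");
    n = build_ipv4_header(pkt, manual, dst);
    printf("from .2:  %s\n", server_accepts_tun_packet(pushed, pkt, n) ? "forwarded" : "dropped");
    return 0;
}
```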


[Openvpn-users] CN maximum length

2015-01-19 Thread Jorge Luiz Silva Peixoto
Hello OpenVPN community!

The line below was extracted from my openvpn server log.

Jan 8 17:44:25 myserver openvpn[28644]: a.b.178.157:22853 VERIFY
ERROR: could not extract CN from X509 subject string (' ***user
certificate dn here*** ') -- note that the username length is limited
to 64 characters

Initially I thought such user certificate DN had more than 64
characters on CN field, actually CN has *exactly* 64 ASCII characters.

Looking at ssl_verify.c and ssl_verify_openssl.c, I found that
backend_x509_get_username returns FAILURE. In turn,
extract_x509_field_ssl returns FAILURE as well. At the end of
extract_x509_field_ssl, I found something suspicious. Look at the line
below:

const result_t ret = (strlen ((char *)buf) < size) ? SUCCESS: FAILURE;

Is the comparison between strlen ((char *)buf) and size correct?
Shouldn't it be less than or equal?

I'll do some tests, e.g. changing TLS_USERNAME_LEN from 64 to 65.

PS: According to rfc5280, common name maximum length is 64.

Regards,
Jorge Peixoto



Re: [Openvpn-users] CN maximum length

2015-01-19 Thread Steffan Karger
Hi Jorge,

On 19-01-15 23:47, Jorge Luiz Silva Peixoto wrote:
> Is the comparison between strlen ((char *)buf) and size correct?
> Shouldn't it be less than or equal?

That check is correct, since strlen() excludes the NULL-character, and
we rely on the string being NULL-terminated.

> I'll do some tests, e.g. changing TLS_USERNAME_LEN from 64 to 65.

At first glance this seems to be the right fix, but keep in mind that
you'll have to change the warning messages using the value too, to keep
them displaying '64'.

> PS: According to rfc5280, common name maximum length is 64.

Yes, and that is where this error stems from. The strings used by
rfc5280 are not NULL-terminated, whereas C strings are.

Please feel free to send your patch to
openvpn-de...@lists.sourceforge.net if you decide to do a patch for
this. (and please use git format-patch to create such a patch).

-Steffan

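The off-by-one discussed in this thread, worked through as an added C example (not OpenVPN's code): extract_field is a stand-in for extract_x509_field_ssl, and the two buffer sizes stand in for TLS_USERNAME_LEN before and after the proposed change. It shows that a 64-character CN needs 65 bytes once the NUL is added, so strlen(buf) < size is the correct test and the output buffer is what has to grow.

```c
#include <stdio.h>
#include <string.h>

typedef enum { FAILURE = 0, SUCCESS = 1 } result_t;

/* Stand-in for extract_x509_field_ssl (not OpenVPN's code): copy the decoded
 * attribute 'field' into 'out' of 'size' bytes, always NUL-terminating
 * (truncating if needed), and report whether the whole field fit. The final
 * comparison is the line quoted in the thread. */
result_t extract_field(const char *field, char *out, size_t size)
{
    size_t n = strlen(field);            /* length WITHOUT the NUL */
    if (size == 0)
        return FAILURE;
    size_t copy = n < size ? n : size - 1;
    memcpy(out, field, copy);
    out[copy] = '\0';                    /* strncpynt-style termination */
    /* n characters plus the NUL occupy n + 1 bytes, so the field fits exactly
     * when n < size; "n <= size" would report success on a truncated copy. */
    return (n < size) ? SUCCESS : FAILURE;
}

/* Longest CN a buffer of 'size' bytes can hold without truncation. */
size_t max_cn_chars(size_t size)
{
    return size ? size - 1 : 0;
}

int main(void)
{
    /* Constructed 64-character CN, the RFC 5280 ub-common-name limit. */
    char cn64[65];
    memset(cn64, 'a', 64);
    cn64[64] = '\0';

    char out64[64];                      /* TLS_USERNAME_LEN == 64 (current) */
    char out65[65];                      /* TLS_USERNAME_LEN == 65 (proposed) */

    printf("64-char CN, 64-byte buffer: %s, kept %zu chars\n",
           extract_field(cn64, out64, sizeof out64) ? "SUCCESS" : "FAILURE",
           strlen(out64));
    printf("64-char CN, 65-byte buffer: %s, kept %zu chars\n",
           extract_field(cn64, out65, sizeof out65) ? "SUCCESS" : "FAILURE",
           strlen(out65));
    return 0;
}
```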