Hi,

I am implementing client-server OpenVPN with the following additional requirement: client and server should share a secret session-id provided by me while starting client and server. I don't want to keep this session-id in a file on the client machine. Preferably the client will be started from an applet. This applet will give the session-id to the OpenVPN instance. This session-id will be sent in each request from client to server. This session-id will be used to find out whether this is a legitimate client instance or not. It will also be used to check the client's access policy for a particular service. It's a kind of firewall with specific permissions for each client for accessing servers.

For this I am planning to add a new structure in place of "struct buffer":

    struct new_struct_buffer {
        my_ses_type my_ses;   /* may be int, supplied through command line */
        struct buffer buf;    /* existing struct buffer */
        length_type len;      /* length of new_struct_buffer */
    };

This structure will be written and read in the tunnel socket in place of struct buffer. my_ses will be read from the messages and used for verifying the client. I want to add my_ses before anything in order to validate it first and then process the rest of the packet.

I have seen one more structure, "struct options", which is included in messages between client and server, but I am not sure that it's always there in all data exchange.

There is also a need to maintain valid session-ids on the server side for verifying client messages.

Please provide me feedback on this solution. In case anybody has already implemented this feature, please share it.

I suggest OpenVPN should implement hooks just like the Apache server for adding/modifying functionality. This will make OpenVPN easy to adapt.

Regards,
Satinder Singh

-----Original Message-----
From: Mathias Sundman [mailto:math...@nilings.se]
Sent: Wednesday, October 06, 2004 11:22 AM
To: satind...@in.safenet-inc.com
Cc: openvpn-devel@lists.sourceforge.net
Subject: RE: [Openvpn-devel] Same IP subnet on both sides (was: Pass log and passphrase between OpenVPN...)

On Wed, 6 Oct 2004 satind...@in.safenet-inc.com wrote:

Hi Satinder,

Please don't "hijack" a thread like that. Start a new topic if your post is unrelated to the other current threads.

> Hi,
> Currently openvpn demands that in client-server scenario, private
> IPs should not clash with other machines. What if a client with IP 10.19.0.5
> sitting in an ISP network (e.g. internet cafe) is there and server tries to
> assign 10.19.0.5 to this machine. Also there are other machines on 10.19.0.0
> network on ISP side which client wants to access. In this scenario client
> will not be able to access other 10.19.0.0 machines if openvpn is started.

True. This is one of the problems with using private IP addresses (RFC1918) that is becoming bigger and bigger while VPNs are becoming more and more popular. When setting up a VPN you MUST take into consideration that the IP subnets you use on and behind the server must not be used as the local network by any of the clients connecting to your server.

> Do we have any mechanism through which client can find out which 10.19.0.0
> IP is free and then can send request to server to assign this specific IP to
> me? And also it can set the routing itself.

No.

> If this is not the right group to post this type of query then kindly
> suggest me the right one.

I think openvpn-users would have been more appropriate, if you are not considering developing any new features...

-- 
_____________________________________________________________
Mathias Sundman               (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows        X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \   NO Word docs in e-mail
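A stand-alone model of the framing proposed above, added here as example code (not OpenVPN's own and not from anyone in the thread): the session-id is parsed and checked first, in constant time, against a server-side table that also carries each client's per-service policy, and only then is the rest of the packet handed on. The wire layout (8-byte id, 2-byte payload length, payload) and every name in it are assumptions.

```python
import hmac
import secrets
import struct

# Constructed wire format for the proposal: session id first, then payload length, then payload.
SESSION_ID_LEN = 8
HEADER = struct.Struct("!8sH")   # network byte order: 8-byte id, 16-bit length


def frame(session_id: bytes, payload: bytes) -> bytes:
    """Client side: prepend the session id and payload length to a packet."""
    if len(session_id) != SESSION_ID_LEN:
        raise ValueError("session id must be exactly %d bytes" % SESSION_ID_LEN)
    return HEADER.pack(session_id, len(payload)) + payload


class SessionTable:
    """Server-side store of valid session ids and the access policy tied to each."""

    def __init__(self):
        self._sessions = {}  # session id -> frozenset of services the client may reach

    def register(self, allowed_services) -> bytes:
        """Mint an unguessable id (what the applet would be handed) and record its policy."""
        sid = secrets.token_bytes(SESSION_ID_LEN)
        self._sessions[sid] = frozenset(allowed_services)
        return sid

    def lookup(self, candidate: bytes):
        """Constant-time comparison against every stored id so timing does not reveal partial matches."""
        found = None
        for sid, policy in self._sessions.items():
            if hmac.compare_digest(sid, candidate):
                found = policy
        return found


def parse_and_validate(table: SessionTable, datagram: bytes):
    """Return (payload, policy) for a valid packet, or None before touching the payload at all."""
    if len(datagram) < HEADER.size:          # too short to even carry a session id
        return None
    sid, length = HEADER.unpack_from(datagram)
    policy = table.lookup(sid)               # validated first, as the proposal wants
    if policy is None:
        return None
    payload = datagram[HEADER.size:]
    if len(payload) != length:               # truncated or padded packet: reject
        return None
    return payload, policy


def service_allowed(policy, service: str) -> bool:
    """The 'firewall' decision: is this client permitted to reach this service?"""
    return service in policy
```

Whatever rides in the clear on the wire is only an identifier, not proof of who sent it, so a check like this is meaningful only on a channel that is already integrity-protected and encrypted end to end.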