On 23/09/13 17:36, Jérémy Hustache wrote:
> Hello,
>
> In my client-connect script, I need to connect to the management
> interface of openvpn (to check the user's tunnel status and kill it if
> necessary). But I see that a client is already connected. I see in the
> manual that this management interface manages one client at a
> time. Is there a patch to change that and to have a management
> interface for multiple clients?
Just to complement Gert's answer. No, no such patch exists. It's a management interface aimed at only one controlling instance.

> If no, are there technical reasons that prevent managing multiple
> clients? Is it achievable to patch it?

Nothing is impossible. But doing it will be quite hard. You need to bear in mind that OpenVPN is single threaded. The management interface code isn't that massive, but due to it participating in this single threaded model it raises the complexity quite a lot. I haven't looked at those code paths in a very long time, but from what I remember it won't be easy.

But there are other scenarios here as well. The idea of the management interface is that there is only one single "service" connected to it. One of the key benefits with this approach is actually to simplify the security part. The communication goes over a local unencrypted TCP connection or a Unix socket. And while blocking other connections, it means there's not so much need for a more advanced authentication scheme of the management clients. If the management service either starts OpenVPN (thus connects to it instantly) or is started very soon after OpenVPN has started, no one else can easily manipulate the running OpenVPN - unless this management service is killed off, freeing this single slot for the management interface.

I would also strongly argue against connecting to the management interface from a client-connect script. Depending on your client-connect script and its sanitising code, you might easily be able to use that as an approach to manipulate other OpenVPN connections. As Gert said, you can control other connected OpenVPN clients through the same single management interface. If you are not careful about sanitising f.ex. the CN field, and you use the CN value in some of your management calls, it could be possible to abuse the interface together with some buffer manipulations. Imagine if your CN contains "kill $IPADDRESS:$PORT" ... or "signal SIGTERM".
Instead I would rather recommend using --status, and your client-connect script can parse that status file to see if it is already connected or not.

If you want to use a "network service" as your interface API, I'd extend your already running management service to have its own socket your client-connect script can connect to, with restricted access to only do what that script needs to do. This way you avoid the client-connect script getting too many privileges.

If your purpose is to avoid more clients connecting simultaneously with the same certificate CN, then you should probably remove --duplicate-cn from your server config. But you also need to look at your --keepalive settings (or --ping and --ping-restart if you use that instead), to avoid clients who were kicked out reconnecting. This is something you will need to look at anyway, if you try to avoid more users connecting at the same time with the same certificate/CN.

Okay ... enough speculations for now.

-- 
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
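The --status approach recommended above, as an added example that is not part of the original thread or of OpenVPN itself: a client-connect script that parses the status file (version 1 layout, the default) to refuse a second session for a CN that is already connected, without ever opening the management interface. The function names, the status file path and the sample status contents are constructed for this example; the `common_name` environment variable is the one OpenVPN exports to client-connect scripts.

```shell
#!/bin/sh
# Added example, not code from the thread: a client-connect check that reads the
# OpenVPN --status file (version 1 layout) instead of using the management interface.

# cn_connected STATUSFILE CN: exit 0 if CN has a row in the CLIENT LIST section.
# The CN reaches awk via the environment (no -v escape processing) and is compared
# with ==, so regex metacharacters or a CN that looks like a management command
# ("kill ...") are matched literally, never interpreted.
cn_connected() {
    CN="$2" awk -F',' '
        /^ROUTING TABLE/                         { inlist = 0 }   # client list ends
        inlist && ($1 "") == (ENVIRON["CN"] "")  { found = 1 }
        /^Common Name,Real Address/              { inlist = 1 }   # column header
        END { if (found) exit 0; exit 1 }
    ' "$1"
}
# client_connect_check STATUSFILE: the client-connect script body. OpenVPN exports
# the peer certificate CN as $common_name; a non-zero exit refuses the client.
client_connect_check() {
    if cn_connected "$1" "$common_name"; then
        printf 'client-connect: %s already connected, refusing duplicate\n' "$common_name" >&2
        return 1
    fi
    return 0
}
# make_sample_status PATH: write a constructed status file in the version-1 layout.
make_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Sep 23 18:00:00 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,192.0.2.10:51194,1024,2048,Mon Sep 23 17:50:00 2013
team.*,192.0.2.11:51195,512,512,Mon Sep 23 17:55:00 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,192.0.2.10:51194,Mon Sep 23 17:59:00 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
# Stand-alone demo; a real script calls client_connect_check with the --status path and exits with its status.
if [ -z "${common_name:-}" ]; then
    demo=$(mktemp) && make_sample_status "$demo"
    for name in alice team 'team.*'; do
        if cn_connected "$demo" "$name"; then echo "$name: connected"; else echo "$name: not connected"; fi
    done
    rm -f "$demo"
fi
```

The status file is rewritten only at the --status interval (60 seconds by default), so a second session for the same CN can slip in between updates; the check complements removing --duplicate-cn and tuning --keepalive rather than replacing them.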