Hi there I've got a corner case I've picked up during testing that makes me wonder if there's a bug in openvpn
Our openvpn server "tests" incoming clients to ensure they comply with our openvpn client standards - killing their session if they don't (basically client-less NAC). One thing we're doing is allowing "duplicate-cn", but using our NAC test to reject clients using the same cert (get better logging of the offenders that way). Anyway, I have a Mac and Windows box set up to use the same cert to test this, and it causes an interesting situation... First client connects, second client connects, NAC script notices the same cert in use and kills the first connection. Second client later hangs up. If I then look at the first client hours later, it still thinks it's logged in! There is no error, it still has the tun interface up, but no traffic flows. The server shows no connection via either client (I use the management api to confirm that) We use "--ping", and tcpdump confirms the first client and server are still exchanging packets - but the server does not classify the client as being connected. But as the openvpn pings are still working, the client doesn't know it's actually disconnected. A simple "kill -HUP" on the client fixes everything as it forces a full restart So I have two questions: 1. The client uses "explicit-exit-notify" - but it looks like using the kill management command on the server does not tell the client it is hanging up? Wouldn't that be a good idea? 2. The fact that ping is still working makes me think that means ping must be *separate* from session management? Isn't that a bad idea? Hopefully I'm wrong and someone will tell me I'm doing it incorrectly :-) server is 2.3_git, and this is over UDP of course (I doubt this is an issue over TCP, although I haven't tested) Thanks -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
