Dave,

I actually ran across that plugin while searching, so it's awesome to meet
the creator!

Thank you for the explanation, that helps a lot to know the order of
execution. I have another question. I've seen a lot of people posting about
using the `client-config-dir`, and how you can define per user routes to
push in those files. Something like:

`push "route 10.0.0.2 255.255.255.255 10.0.8.1"`

That method is easy to understand, and technically this would solve the
problem, but the issue is that those files are not dynamic. My question is:
does something like Eurephia, or another script that's called via
learn-address/client-connect/up, do the same thing? How does a script
push those routes like the `client-config-dir` does?

On Mon, Apr 25, 2016 at 12:08 PM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> On 25/04/16 20:02, Scott Crooks wrote:
> > Greetings,
> >
> > Is there documentation available that lists, in detail, the process of
> > when a user connects to an OpenVPN server? I am wanting to have an OpenVPN
> > server that has the following requirements:
> >
> > - Authenticates users via LDAP (got this part figured out already)
> > - Pulls per user firewall rules from LDAP, and pushes them dynamically
> >   to each user
> > - Does not route Internet traffic through the VPN
> >
> > I get confused as to whether I should be calling the per user firewall
> > script using `learn-address` or `up`, and when each is executed.
> >
>
> --up is called quite early, when the TUN interface is configured IIRC. This
> script-hook makes seldom sense on the server side.  You might consider
> --client-connect instead on the server side.
>
> The order is something like this:
>
>   --up
>   --tls-verify
>   --auth-user-pass-verify
>   --client-connect
>   --learn-address
>
> This is the order on the server side.  Also beware that --learn-address
> may be called several times during a session.
>
> If you use UDP mode, it may take up to --ping-exit seconds before
> --learn-address with a 'delete' operation (and --client-disconnect) gets
> called.  You can avoid this by adding --explicit-exit-notify in the client
> configs.  For TCP mode, the TCP handshake will ensure the "down" scripts
> are run a lot quicker (and --explicit-exit-notify is not compatible with TCP
> mode).
>
> For your use-case, I'd say you should be able to do the LDAP authentication
> either via auth-pam or one of the auth-ldap plug-ins available on the net,
> or use --auth-user-pass-verify.  The firewall operations can then be executed
> via --learn-address.
>
> You might also be interested having a look at my eurephia project [1],
> which does much of what you seem to want.  The only thing it is missing
> officially is LDAP support.  I have started looking into LDAP authentication,
> but pulling firewall configs from LDAP is not currently covered (but not
> impossible).
>
> [1] http://www.eurephia.net/
>
>
> --
> kind regards,
>
> David Sommerseth
>



-- 
Scott Crooks (王虎)
LinkedIn: http://www.linkedin.com/in/jshcrooks
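The dynamic counterpart of a client-config-dir file, as an added example that is not part of this thread or of eurephia: a --client-connect hook that writes per-user `push "route ..."` directives into the temporary config file OpenVPN hands the hook as its last argument. The route table, the `VPN_GATEWAY` variable and the rejection of malformed directory values are assumptions for the example; the gateway 10.0.8.1 is the one from the question.

```shell
#!/bin/sh
# Added example (not from the thread): a --client-connect hook that pushes
# per-user routes dynamically. OpenVPN passes the path of a temporary config
# file as the hook's last argument; directives written there (push,
# ifconfig-push, ...) apply to this client only, like a client-config-dir file.
# lookup_routes is a constructed table standing in for an LDAP query.

# Constructed lookup: common_name -> "network netmask" pairs, space separated.
lookup_routes() {
    case "$1" in
        alice)   echo "10.0.0.2 255.255.255.255 10.0.0.3 255.255.255.255" ;;
        bob)     echo "10.0.1.0 255.255.255.0" ;;
        mallory) echo "10.0.0.5 not-a-mask" ;;   # bad directory data
        *)       echo "" ;;
    esac
}

# Accept only a dotted quad; anything else must not reach the config file,
# because every byte written there is parsed as an OpenVPN directive.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# Print one push "route" line per pair; returns 1 if any pair was rejected.
render_push_routes() {
    cn="$1"; gw="$2"; rc=0
    set -- $(lookup_routes "$cn")
    while [ $# -ge 2 ]; do
        if is_ipv4 "$1" && is_ipv4 "$2"; then
            printf 'push "route %s %s %s"\n' "$1" "$2" "$gw"
        else
            echo "client-connect: rejecting route '$1 $2' for $cn" >&2; rc=1
        fi
        shift 2
    done
    return $rc
}

# When OpenVPN runs the hook, common_name is in the environment and $1 is the
# dynamic config file. The gateway is assumed to be the server's tun address.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    render_push_routes "$common_name" "${VPN_GATEWAY:-10.0.8.1}" > "$1"
fi
```

Because the hook runs per connection, the routes are looked up fresh each time a user connects, which is what a static client-config-dir file cannot do.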
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users