On 13/12/17 23:53, Selva Nair wrote:
On Wed, Dec 13, 2017 at 5:04 PM, David Sommerseth
<open...@sf.lists.topphemmelig.net> wrote:
On 13/12/17 09:55, Мастренко Иван wrote:
I have a custom client connect script that verifies the user against some database, 
pushes some options to the client if the connection is allowed, or denies the connection with 
logic based on data in the database.
If the connection is DENIED, I want to send a message to the client. This message should 
specify the deny reason.
The OpenVPN wire protocol actually supports it.  But AFAIR, it's not been made
available via plug-ins or script hooks.  The clue is that the server pushes
AUTH_FAILED back to the client on authentication failures.  The AUTH_FAILED
push can contain more details.  This technique is more commonly used when
enabling the so-called dynamic challenge authentication (challenge/response
approach).  Currently I believe this might only be available by using the
management interface.

However, by adding your own type of AUTH_FAILED reasons, the client needs to
be capable of catching them and presenting them to the user.  So your client
would need to tackle that in addition.

I see one response here talks about using the "echo" approach too.  But IIRC,
that won't work as the AUTH_FAILED happens before anything else is being pushed.

The way I understand it AUTH_FAILED is useful only to communicate
authentication "failure" not for sending general messages to the
client. The protocol uses it for triggering dynamic challenge for
two-factor auth and is currently supported only using
management-client-auth, not through plugins or scripts -- as David
mentioned.

Echo is a far better and more generic way of sending messages to an
authenticated client --- patches to support echo messages in the
Windows GUI are in the works.


For the sake of clarity: after reading David's and your mail, my conclusion is that it is currently *NOT* possible to send a message back to an unauthenticated client. Is this correct?

cheers,

JJK
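
As an added illustration of the client-side handling discussed in this thread (not code from any of the posters or from OpenVPN), the sketch below parses an AUTH_FAILED control message, including the dynamic-challenge form, and treats the server-supplied reason as untrusted text before display. The `CRV1:<flags>:<state_id>:<base64 username>:<challenge text>` layout is assumed from the OpenVPN management interface notes; the function names, the length limit and the sample strings are constructed for the example.

```python
import base64
import re

MAX_REASON = 256  # assumed display limit, not an OpenVPN constant

# Constructed sample control-channel strings (not captured from a real server).
SAMPLES = [
    "AUTH_FAILED",
    "AUTH_FAILED,Account disabled\x1b[31m by admin",
    "AUTH_FAILED,CRV1:R,E:c3RhdGUtMTIz:aXZhbg==:Enter PIN for token 12:34",
]


def sanitize(text):
    """Reason text comes from the server: strip control chars, cap the length."""
    return re.sub(r"[\x00-\x1f\x7f]", "", text)[:MAX_REASON]


def parse_auth_failed(msg):
    """Return a dict for an AUTH_FAILED message, or None for anything else."""
    if msg != "AUTH_FAILED" and not msg.startswith("AUTH_FAILED,"):
        return None
    reason = msg[len("AUTH_FAILED,"):]
    if not reason:
        return {"kind": "failed", "reason": None}
    if reason.startswith("CRV1:"):
        # The challenge text is last and may itself contain ':' characters.
        parts = reason.split(":", 4)
        if len(parts) == 5:
            _, flags, state_id, user_b64, text = parts
            try:
                user = base64.b64decode(user_b64, validate=True).decode("utf-8")
            except ValueError:  # bad base64 or bad UTF-8: fall through to plain reason
                user = None
            if user is not None:
                return {
                    "kind": "challenge",
                    "flags": flags.split(","),  # e.g. R = response required, E = echo input
                    "state_id": state_id,       # opaque, returned with the response
                    "username": sanitize(user),
                    "text": sanitize(text),
                }
    return {"kind": "failed", "reason": sanitize(reason)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_auth_failed(sample))
```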

