On 06/09/2022 15:42, Bo Berglund wrote:
> On Tue, 6 Sep 2022 15:23:29 +0200, David Sommerseth
> <open...@sf.lists.topphemmelig.net> wrote:
>> On 06/09/2022 10:14, Bo Berglund wrote:
>>> 2. Find a way to push the blocking of persist-tun via a ccd command for this
>>> client only. But it might not be possible if the persisted tun is in
>>> operation already when the client reaches the server?
>> Unfortunately, this is not possible to push. This is only possible to
>> set in the local configuration file. Long story short: It's related to
>> when this option is parsed; which is before it starts to connect to the
>> remote server.
> Figured as much!
> It stands to reason that a client function executed *before* there is an actual
> connection to the server cannot be changed by a push with a different argument.
> Thanks for the clarification!
> So I have to tell the person at the remote location to bring the router back
> when he travels to Sweden next so I can modify the config file.
When doing that, I'd recommend you ensure you can SSH into this
router without needing the VPN. Use SSH keys and possibly restrict the
IP ranges to networks you know you can connect from (typically ISP
subnets and such like).
Having a backdoor like this is not necessarily too insecure, especially
not when the IP range is restricted and the authentication is sane and
solid (SSH keys; not passwords). And it can save you a lot of troubles
later on.
You mentioned this was an ASUS RT-51UC ... I see that the ASUS RT-51U
model is supported by OpenWRT[0], but I don't know what the difference
between the UC and U models might be. If you're not running OpenWRT, I
would recommend you take that approach. OpenVPN is available here as
well as a functional SSH server and iptables.
[0] <https://openwrt.org/toh/asus/rt-ac51u>
--
kind regards,
David Sommerseth
OpenVPN Inc
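The out-of-band SSH access described above (key-only authentication, WAN-side SSH limited to known source ranges), as an added example that is not from the thread, from OpenVPN or from the OpenWrt project: a POSIX sh script that emits the OpenWrt `uci` commands for review and only executes them when run with `apply`. The two address ranges are constructed placeholders to be replaced with the ISP subnets you actually connect from.

```shell
#!/bin/sh
# Added example: build the OpenWrt uci commands that restrict SSH on the WAN
# side to a few known source ranges and turn off password logins in dropbear.
# Commands are printed as text for review; pass "apply" to execute them.
# The CIDRs below are constructed placeholders; substitute your ISP's ranges.
ALLOWED_RANGES="${ALLOWED_RANGES:-198.51.100.0/24 203.0.113.0/24}"

# Accept only dotted-quad/prefix with prefix 1-32, so a typo or a bare address
# cannot silently turn the rule into "allow SSH from everywhere".
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

# Emit the uci commands: key-only auth for dropbear plus one firewall rule per
# allowed range. A rule with src='wan' and no dest applies to traffic addressed
# to the router itself (the input chain), which is what SSH needs.
ssh_hardening_cmds() {
    ranges="$1"
    echo "uci set dropbear.@dropbear[0].PasswordAuth='off'"
    echo "uci set dropbear.@dropbear[0].RootPasswordAuth='off'"
    for r in $ranges; do
        valid_cidr "$r" || { echo "invalid CIDR: $r" >&2; return 1; }
        echo "uci add firewall rule"
        echo "uci set firewall.@rule[-1].name='Allow-SSH-from-$r'"
        echo "uci set firewall.@rule[-1].src='wan'"
        echo "uci set firewall.@rule[-1].src_ip='$r'"
        echo "uci set firewall.@rule[-1].proto='tcp'"
        echo "uci set firewall.@rule[-1].dest_port='22'"
        echo "uci set firewall.@rule[-1].target='ACCEPT'"
    done
    echo "uci commit"
    echo "/etc/init.d/dropbear restart"
    echo "/etc/init.d/firewall restart"
}

if [ "$1" = "apply" ]; then
    # Run the generated commands on the router; sh -e stops on the first error.
    ssh_hardening_cmds "$ALLOWED_RANGES" | sh -e
else
    ssh_hardening_cmds "$ALLOWED_RANGES"
fi
```

Install your public key in `/etc/dropbear/authorized_keys` and confirm a key login works over the VPN before applying, since the dropbear restart disables password logins.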
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users