Hi,

On Sat, Jan 20, 2024 at 11:13:13PM +0100, Bo Berglund wrote:
> >There is one catch: OpenVPN blocks while --client-connect executes, so
> >if you do something that takes more than "few milliseconds", you need
> >to return 2 right away ("deferred operation") and progress the parts
> >that take longer in the background, writing the final result to
> >$auth_control_file (look for "deferred" in man openvpn).
>
> Well, looking up a name in a "forbiddenusers" file which just contains a list of
> the CN of blocked users should qualify for "quick".

This should normally be fine.

Things people do in --client-connect scripts include LDAP or DNS queries,
which can lead to problems if said servers are slow/down - so, you have
an outage in your network and the DNS server is down, and that breaks
VPN usage because on every new client connect, OpenVPN stops forwarding
for all clients until the DNS query expires...

So, avoid doing things in synchronous ways that rely on "external services".

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
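
The "quick" lookup discussed in this thread, as an added example that is not part of the original message or of OpenVPN itself: a --client-connect hook that checks the certificate CN against a local "forbiddenusers" file and touches no external service. The file location, the function name `cn_blocked` and the logger tag are assumptions; the choice to reject when the list cannot be read is a design decision of this example.

```shell
#!/bin/sh
# Added example: --client-connect hook rejecting blocked certificate CNs.
# Assumption: the blocklist lives here and holds one exact CN per line,
# with no trailing whitespace or CR characters.
BLOCKLIST="${BLOCKLIST:-/etc/openvpn/forbiddenusers}"

# cn_blocked CN FILE: returns 0 if the client must be rejected, 1 if allowed.
cn_blocked() {
    cn=$1 file=$2
    # Fail closed: an empty CN or an unreadable list rejects the client.
    [ -n "$cn" ] || return 0
    [ -r "$file" ] || return 0
    # -F: fixed string, so "bob.example" does not match "bobXexample".
    # -x: whole line only, so an entry "bobby" does not block "bob".
    # -e: a CN beginning with "-" is not parsed as a grep option.
    rc=0
    grep -Fxq -e "$cn" -- "$file" || rc=$?
    # grep status 0 = listed, 1 = not listed, anything else = error.
    # Only a clean "not listed" lets the client through.
    [ "$rc" -ne 1 ]
}

# OpenVPN exports script_type and common_name to the hook. The body below
# reads one local file only: no DNS, LDAP or other network call that could
# stall the server while the hook runs.
if [ "${script_type:-}" = "client-connect" ]; then
    if cn_blocked "${common_name:-}" "$BLOCKLIST"; then
        logger -t openvpn-connect "rejected CN: ${common_name:-<empty>}"
        exit 1   # non-zero rejects; 2 is avoided, the thread reserves it for "deferred"
    fi
    exit 0
fi
```

Install it with `client-connect /path/to/script` and a `script-security` level that permits running external scripts.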