Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread chantra
Vineet, I think you could use Packet filtering plugin hook and use the [KILL] tag at the end of the pf file . See http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=openvpn-plugin.h;h=56b0a701574e6913b3a714e941cdc4899dbea8e1;hb=HEAD#l316 I have never used it

[Openvpn-devel] Using certificate chains (was: Re: Summary of the IRC meeting (9th Dec 2010))

2010-12-14 Thread Jan Just Keijser
Hi all, I hate to reply to my own posting but I managed to get certificate chains working. The trick is in setting up the stacked client certificate in the right order. Here's what I did: ca.crt --- server.crt +-- sub-ca.crt --- client.crt the server is configured with --ca ca.crt and

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Vineet Kumar
Thanks for your response. This seems to involve file I/O and iptables right? File I/O seems like a performance bottleneck, no? Vineet On Mon, Dec 13, 2010 at 4:35 PM, chantra wrote: > Vineet, > > I think you could use Packet filtering plugin hook and use the [KILL] tag > at the end of the pf fi

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14/12/10 18:47, Vineet Kumar wrote: > Thanks for your response. This seems to involve file I/O and iptables > right? File I/O seems like a performance bottleneck, no? Maybe, if you're still using tapes and need to rewind the tape ;-) Seriously, no

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Vineet Kumar
>From code inspection it seems like I need to have one PF-file/client. So for 1000 clients connected this means 1000 files! That is the bottleneck I am talking about. Also, in my use-case the plugin (which spawns a separate thread) is the one who asynchronously wants to close a socket. The importan

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Peter Stuge
Vineet Kumar wrote: > Are there ways around that : making telnet accept multiple sessions? You could serialize your administrative requests somehow and only ever have one entity use the admin interface. //Peter

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Vineet Kumar
You mean closing the telnet session after every use so that whoever the next guy is gets served? The only problem with that is if my plugin happens to arrive as the second telnet client session (for killing purposes) after, say, an interactive telnet session who came in first. As long as that inter

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Peter Stuge
Vineet Kumar wrote: > You mean closing the telnet session after every use so that whoever > the next guy is gets served? No I mean creating an intermediary that will know about your use case and provide an interface that works. > say, an interactive telnet session Are they a requirement in your

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Vineet Kumar
Sorry pl. explain the "intermediary" part. Is that supposed to solve the single telnet server accepting multiple *concurrent* client sessions? The interactive session part: not a requirement but we have no way to disallow an interactive user from telnetting when we programmatically plan to use the

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Karl O. Pinc
On 12/14/2010 04:22:53 PM, Vineet Kumar wrote: > Sorry pl. explain the "intermediary" part. Is that supposed to solve > the single telnet server accepting multiple *concurrent* client > sessions? Yes. The multiple concurrent client sessions talk to a single telnet server via an intermediary. Th

Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Vineet Kumar
Cool, thanks for the clarifications. Will investigate into it. Vineet On Tue, Dec 14, 2010 at 2:45 PM, Karl O. Pinc wrote: > On 12/14/2010 04:22:53 PM, Vineet Kumar wrote: >> Sorry pl. explain the "intermediary" part. Is that supposed to solve >> the single telnet server accepting multiple *concu

[Openvpn-devel] Getting src-IP/port from 'struct context'...

2010-12-14 Thread Vineet Kumar
Hi, Is there a straightforward way to print source IP address and port given a 'struct context' pointer? Vineet