From: Didier C. <di...@co...> - 2004-12-15 10:19:50
Charles Duffy wrote:
> On Tue, 14 Dec 2004 15:14:00 -0700, James Yonan wrote:
>
>> The client-connect script is a post-authentication step.
>>
>> If you want to do authentication, use tls-verify or auth-user-pass-verify.
>>
>> The learn-address script is the best place to deal with rules which are
>> tied to particular client's usage of particular IP addresses or MAC
>> addresses.
>
> Granted. However, in a situation where a client is correctly authenticated
> but an error is encountered in setting firewall rules appropriate to that
> client, it'd be nice to have the VPN fail closed rather than leaving the
> VPN/firewall combo in an uncertain state.

I agree. Even if the firewall doesn't set up rules and doesn't give access to the client, the user still thinks the tunnel is up and running. He doesn't have to know why his access is not granted, but the OpenVPN server admin does! I like the way --learn-address works, but it may be better to make it aware of the returned value ;-)

Thx
Didier
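The script side of what this thread asks for, as an added example (not code from the thread or from the OpenVPN project): a --learn-address hook that treats firewall-rule installation as part of granting access, rolls back any partial state and exits non-zero when the rule cannot be installed, and writes the failure to stderr so it lands in the server log whether or not the server acts on the exit status. It assumes OpenVPN's documented calling convention, `script <operation> <address> [<common-name>]` with operation one of add, update or delete; the `FW_ADD` / `FW_DEL` variables are placeholders for the site's real firewall commands (for example an iptables wrapper) and default to a command that refuses, so nothing is opened by accident.

```shell
#!/bin/sh
# learn-address hook that fails closed (added example, not OpenVPN's own code).
# Invoked by OpenVPN as:  <script> <operation> <address> [<common-name>]
# (assumption: OpenVPN's documented --learn-address convention).

# Firewall backend: placeholders that a real deployment points at its own
# rule-management commands. Default 'false' refuses, so a misconfigured hook
# denies rather than silently grants.
FW_ADD="${FW_ADD:-false}"   # called as: $FW_ADD <address> <common-name>
FW_DEL="${FW_DEL:-false}"   # called as: $FW_DEL <address>

# stderr from the hook ends up in the OpenVPN server log, which is where the
# admin (not the user) needs to see the failure.
log() { printf 'learn-address: %s\n' "$*" >&2; }

# learn_address <operation> <address> [<common-name>]
# Exit status 0 only when firewall state matches what OpenVPN now believes
# about the client; 1 on a firewall failure (after rollback); 2 on bad input.
learn_address() {
    op=$1
    addr=$2
    cn=${3:-}
    case $op in
        add|update)
            if $FW_ADD "$addr" "$cn"; then
                log "granted $addr to '$cn'"
                return 0
            fi
            # Fail closed: do not leave a half-installed rule behind.
            log "FAILED to install rule for $addr ('$cn'); removing partial state"
            $FW_DEL "$addr" >/dev/null 2>&1 || true
            return 1
            ;;
        delete)
            if $FW_DEL "$addr"; then
                log "revoked $addr"
                return 0
            fi
            log "FAILED to remove rule for $addr; client may retain access"
            return 1
            ;;
        *)
            log "unknown operation '$op'"
            return 2
            ;;
    esac
}

# Act as the hook only when OpenVPN supplies arguments; otherwise just define
# the functions so they can be exercised from another script.
if [ $# -ge 2 ]; then
    learn_address "$@"
    exit $?
fi
```

Pointing `FW_ADD` at a wrapper that returns non-zero on any iptables error is what makes the exit status meaningful; the hook itself never decides policy, it only refuses to report success for a rule it could not install.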