From: James Y. <ji...@yo...> - 2004-12-15 11:34:52
On Wed, 15 Dec 2004, Didier Conchaudron wrote:

> Charles Duffy wrote:
> > On Tue, 14 Dec 2004 15:14:00 -0700, James Yonan wrote:
> >
> > > The client-connect script is a post-authentication step.
> > >
> > > If you want to do authentication, use tls-verify or auth-user-pass-verify.
> > >
> > > The learn-address script is the best place to deal with rules which are
> > > tied to particular client's usage of particular IP addresses or MAC
> > > addresses.
> >
> > Granted. However, in a situation where a client is correctly authenticated
> > but an error is encountered in setting firewall rules appropriate to that
> > client, it'd be nice to have the VPN fail closed rather than leaving the
> > VPN/firewall combo in an uncertain state.
>
> I agree. Even if the firewall doesn't set up rules and doesn't give access
> to the client, the user still thinks the tunnel is up and running.
>
> He doesn't have to know why his access is not granted, but the OpenVPN
> server admin has to!
>
> I like the way --learn-address works but it may be better to make it
> aware of the returned value ;-)

I am going to fix this for rc5. The client-connect script/plugin will be
able to veto client authentication by returning a failure code, and the
learn-address script/plugin will be able to prevent a client-instance/address
association from being learned by returning a failure code.

James
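The following is an added example of the fail-closed --learn-address hook the thread is asking for; it is not OpenVPN's code and not part of the original thread. It assumes the rc5 convention James describes (a non-zero exit status from the learn-address script refuses the client-instance/address association; the same convention vetoes client-connect), that OpenVPN invokes the script as `script add|update|delete <address> [<common-name>]`, an iptables chain named VPN_CLIENTS, and a constructed policy table mapping common names to the address each is allowed to use. The firewall command is read from the FW variable so it can be stubbed for testing.

```shell
#!/bin/sh
# Hypothetical --learn-address hook for OpenVPN (added example; not OpenVPN's
# own code and not part of the original thread). Assumed rc5 semantics:
#     script add|update|delete <address> [<common-name>]
# and a non-zero exit status refuses the client-instance/address association.
# Every firewall step is checked, so a failed rule install vetoes the client
# instead of leaving the tunnel up with no rules (fail closed).

FW="${FW:-iptables}"          # firewall command; overridable so it can be stubbed (assumption)
CHAIN="${CHAIN:-VPN_CLIENTS}" # chain holding per-client rules (assumption)

log() { printf 'learn-address: %s\n' "$*" >&2; }

# Only a bare IPv4 address or addr/prefix is accepted, so the value can never
# smuggle extra arguments into the firewall command line.
valid_addr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

# Common names are restricted to a conservative character set for the same reason.
valid_cn() {
    case "$1" in
        ""|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Constructed policy table (assumption): the address each certificate common
# name is allowed to use. A real deployment would look this up elsewhere.
expected_addr_for_cn() {
    case "$1" in
        alice) echo 10.8.0.2 ;;
        bob)   echo 10.8.0.3 ;;
        *)     return 1 ;;
    esac
}

# Returns 0 to accept the association, 1 to refuse it.
learn_address() {
    op="$1"; addr="$2"; cn="${3:-}"
    valid_addr "$addr" || { log "refusing malformed address '$addr'"; return 1; }
    case "$op" in
        add|update)
            valid_cn "$cn" || { log "refusing malformed common name '$cn'"; return 1; }
            want="$(expected_addr_for_cn "$cn")" || { log "no policy for $cn, refusing"; return 1; }
            [ "$want" = "$addr" ] || { log "$cn may not use $addr (expected $want)"; return 1; }
            # Drop a stale rule for this address if one exists (absence is fine), then install.
            "$FW" -D "$CHAIN" -s "$addr" -j ACCEPT >/dev/null 2>&1 || true
            if ! "$FW" -A "$CHAIN" -s "$addr" -j ACCEPT; then
                log "firewall rule for $addr/$cn failed; vetoing association"
                return 1
            fi
            ;;
        delete)
            if ! "$FW" -D "$CHAIN" -s "$addr" -j ACCEPT; then
                log "could not remove rule for $addr"
                return 1
            fi
            ;;
        *)
            log "unknown operation '$op'"
            return 1
            ;;
    esac
    return 0
}

# When invoked by OpenVPN the arguments are present: run the hook and hand its
# status back. Without arguments (sourced for testing) only the functions are defined.
if [ "$#" -ge 2 ]; then
    learn_address "$@"
    exit $?
fi
```

The point of the design is that every branch that could leave the VPN and the firewall disagreeing ends in `return 1`: a policy miss, an unexpected address, a malformed argument or a failed iptables call all refuse the association rather than letting the client stay connected with no rules. On `delete` there is no association left to refuse, so the non-zero exit there serves only to surface the failure to the server admin, which is exactly the visibility Didier asks for above.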