On Sun, 12 Sep 2004, Raymond wrote:

> Intend to implement client-connect and client-disconnect parms in conjunction
> with nsupdate on the Linux server side to dynamically add and delete WinXP/2K
> client DNS resource records. Will also include reverse zone entries.
> Consider this a much more elegant, effective and secure solution than to
> allow the Windoze clients to thrash the Bind zone(s) and orphan RRs until the
> next logon. Only issue is utilization of common_name as host in lieu of
> machine name.

The common name is used because it is an authenticatable quantity. The
machine name could be forged.

> However, this process will entail a client-config-dir/X509 common-name script
> for EVERY client. Is it possible in the next build to incorporate a common or
> default script that would run while still utilizing the common_name,
> ifconfig_pool_local and ifconfig_pool_remote environment variables? I
> recommend the script search and processing order to be any common script
> first with any matching common_name scripts either appended or executed after
> completion of the common script. Additionally, consideration could be given
> to a hosts.allow / hosts.deny paradigm in the client-config-dir.

Why not do this all in a client-connect script?

There are a few other subtle points here that should be documented:

Using the client-connect script and ifconfig-pool together
----------------------------------------------------------

If the client-connect script generates a dynamic config file which includes
an ifconfig-push directive, OpenVPN assumes that you have your own address
allocation scheme implemented in the script, and it releases the
ifconfig_pool_local and ifconfig_pool_remote pool addresses which it
tentatively allocated before the script was run.

If the client-connect script doesn't generate a dynamic config file, or if it
generates a dynamic config file which is missing an ifconfig-push directive,
then OpenVPN will use the pool address allocation (assuming that the server
config file defines ifconfig-pool or server).

Note that ifconfig_pool_local and ifconfig_pool_remote are set before the
client-connect script is run, to give the script an opportunity to decide
whether or not to use them. If the script doesn't want to use them, then it
should write an ifconfig-push directive to its dynamic config file. Otherwise
OpenVPN will use the pool addresses.

Using the client-connect script and client-config-dir together
--------------------------------------------------------------

If the client-connect script actually generates a dynamic config file, OpenVPN
will use it and will not scan the client-config-dir for a suitable config
file.

If the client-connect script doesn't generate a dynamic config file, OpenVPN
will then scan the client-config-dir for a config file named after the common
name of the connecting client's certificate.

> Lastly, on the Win32 client side, can ifconfig_pool_remote be included or
> passed to the client as an environmental variable?

On the client, use ifconfig_local and ifconfig_remote. On the client,
ifconfig_local corresponds to ifconfig_pool_remote on the server.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
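The following is an added example of the client-connect approach James describes, written for this page; it is not code from the post, from Raymond, or from the OpenVPN project. It is a single client-connect script that (a) decides whether to keep the tentatively allocated pool addresses or override them with ifconfig-push written into the dynamic config file OpenVPN passes as the script's argument, and (b) builds the nsupdate batch (forward A plus reverse PTR) for the address the client actually ends up with, keyed on the authenticated common_name. The static address table, the zone name vpn.example.net, the TTL, and the NSUPDATE_KEY variable naming a TSIG key file are all assumptions made for the example. One check a practitioner should not skip is included: the common name is signed by your CA, but it is still text that ends up in a config file and a DNS update, so the script refuses anything that is not a plain DNS label.

```shell
#!/bin/sh
# Added example of an OpenVPN client-connect script (hypothetical; not from
# the mailing-list post or the OpenVPN project).  OpenVPN runs it as
#   client-connect.sh <dynamic-config-file>
# with common_name, ifconfig_pool_remote and ifconfig_pool_local exported.

# Static assignments, constructed for this example: "common_name remote local".
# A client absent from this table falls through to the ifconfig-pool addresses.
STATIC_MAP='
laptop01 10.8.0.10 10.8.0.9
desk02   10.8.0.14 10.8.0.13
'

# Accept only a single safe DNS label as the common name.  The CN is an
# authenticated quantity, but it is still data we write to a file and to DNS.
valid_cn() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "remote local" for a statically assigned CN, or nothing.
static_addr() {
    printf '%s\n' "$STATIC_MAP" | awk -v cn="$1" '$1 == cn { print $2, $3 }'
}

# Decide the addresses for this client and print "remote local".
# Writing ifconfig-push into the dynamic config file makes OpenVPN release the
# tentatively allocated pool addresses; writing nothing keeps them.
assign_addresses() {
    dyn_cfg=$1; cn=$2; pool_remote=$3; pool_local=$4
    pair=$(static_addr "$cn")
    if [ -n "$pair" ]; then
        set -- $pair
        printf 'ifconfig-push %s %s\n' "$1" "$2" >> "$dyn_cfg"
        printf '%s %s\n' "$1" "$2"
    else
        printf '%s %s\n' "$pool_remote" "$pool_local"
    fi
}

# Reverse-zone owner name for a dotted-quad IPv4 address.
ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# Build the nsupdate batch replacing the A and PTR records for cn -> ip.
# DNS_ZONE and DNS_TTL defaults are assumptions for this example.
nsupdate_add() {
    cn=$1; ip=$2; zone=${DNS_ZONE:-vpn.example.net}; ttl=${DNS_TTL:-300}
    rev=$(ptr_name "$ip")
    printf 'update delete %s.%s. A\n' "$cn" "$zone"
    printf 'update add %s.%s. %s A %s\n' "$cn" "$zone" "$ttl" "$ip"
    printf 'send\n'
    printf 'update delete %s PTR\n' "$rev"
    printf 'update add %s %s PTR %s.%s.\n' "$rev" "$ttl" "$cn" "$zone"
    printf 'send\n'
}

# Entry point.  Prints the nsupdate batch when no key is configured, so the
# decision can be inspected offline; with NSUPDATE_KEY set it feeds nsupdate.
client_connect() {
    dyn_cfg=$1
    valid_cn "$common_name" || { echo "refusing CN '$common_name'" >&2; return 1; }
    addrs=$(assign_addresses "$dyn_cfg" "$common_name" \
                             "$ifconfig_pool_remote" "$ifconfig_pool_local")
    set -- $addrs
    batch=$(nsupdate_add "$common_name" "$1")
    if [ -n "$NSUPDATE_KEY" ]; then
        printf '%s\n' "$batch" | nsupdate -k "$NSUPDATE_KEY"
    else
        printf '%s\n' "$batch"
    fi
}

# Run as the real hook only when OpenVPN invokes us with the config file path.
if [ -n "$common_name" ] && [ $# -ge 1 ]; then
    client_connect "$1"
fi
```

Point the server at it with a `client-connect` line naming the script, and pair it with a client-disconnect script that issues the matching `update delete` lines so records do not orphan when a client drops. Because the script only writes ifconfig-push for clients in its table, everyone else still gets pool addresses, and because it always writes the dynamic config file, OpenVPN will not fall back to scanning client-config-dir for those clients.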