Hi, I am interested to know what is the update/status on the above. I see the email thread as:

Hi Sampo,

> I have been busy writing a forking server addon to openvpn.

Cool... Does each potential connecting client need a separate config file, or does the server use a common client template and then keep track of things like dynamic ports, dynamic endpoint addresses, etc?

> In openvpn.c I have separated the processing of parameters from main() to a new function and moved main to another file to allow me to link against different main() functions.
>
> One that implements normal peer2peer vpn and two others that produce forkin' server and client.
>
> These use a simple UDP protocol to agree a port to use, after which server forks do some handshaking with client and then call the openvpn() function from openvpn.c

Are you sure there needs to be a new protocol to do this? Suppose the master server listens on a particular port, reads the initial datagram from a connecting client, verifies the integrity of the datagram using a --tls-auth variant, allocates a dynamic port, forks a new server process, and continues in its event loop. When the forked process finishes up the TLS authentication, it can take the Common Name from the client certificate and use it to determine the appropriate config profile to use (containing ifconfig addresses, route statements, etc.) Or the handshaking could be done by passing a configuration string in the TLS payload, similar to the string now built by options_string().

> This way I have been able to keep those well tested procedures and protocol of openvpn untouched.
>
> I still have some questions unsolved like DoS protection, dropping root privileges and how to handle SIGUSR1 and SIGHUP.

Maybe keep track of all children, so when the master process gets a signal, it dispatches it to each child process, then to itself.

> I hope I can overcome these and mail you a patch.
>
> Sampo
>
> > Hi Michael,
> >
> > Right now OpenVPN doesn't support a forking-server model on a single port, it's strictly peer-to-peer with an OpenVPN process instantiated at both ends of the connection, and each connection on a unique port.
> >
> > There have been some recent discussions about a forking-server implementation on this list -- see the "add a server feature to openvpn to share udp ports?" thread in the openvpn-devel archives.
> >
> > I think the simplest way to do this would be something like:
> >
> > (1) Add a --forking-server flag that causes the main OpenVPN event loop to fork a new process for each initial datagram received from a client.
> > (2) The newly forked server process switches to a dynamic port before responding back to the connecting client. This is quite a bit simpler and more efficient than trying to run all clients over the same UDP port.
> > (3) OpenVPN already has code (see the implementation of --float) that will adapt to the new port number returned by the response to initial datagram sent from server to client. I have also confirmed that this type of UDP port switch is recognized by both Linux and Cisco stateful firewalls.
> >
> > There are some complications that would need to be handled:
> >
> > (1) You would need to protect against DoS attacks that flood the server with fork requests. Possibly some variation of --tls-auth that would authenticate the initial packet before the fork call.
> >
> > (2) If a client connects, gets disconnected, then connects again, you would need to make sure that the old server process gets killed before a new server process is forked.
> >
> > Unfortunately I'm pretty busy right now with my day job, so I may not get to this for a while. If you want to take a shot at some kind of implementation, I will do my best to answer your questions.
> >
> > Best Regards,
> > James
> >
> > ----- Original Message -----
> > From: "Michael Grigoriev" <mag@ni...>
> > To: <openvpn-devel@li...>
> > Sent: Monday, July 22, 2002 6:53 PM
> > Subject: [Openvpn-devel] Multiple VPN connections on the same port
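The forking-server model James sketches in the thread (authenticate the first datagram before fork() so floods never cost a process, have the child answer from a dynamic port the client then floats to, kill a stale child on reconnect, and relay SIGUSR1/SIGHUP from the master to every child), as an added loopback example in Python. This is not OpenVPN's or Sampo's code; the HMAC-SHA256 tag standing in for --tls-auth, the key, and the hello payload are all constructed here.

```python
import hashlib, hmac, os, signal, socket

TAG_LEN = 32           # HMAC-SHA256 tag prepended to every datagram (stand-in for --tls-auth)
CHILDREN = {}          # pid -> client address, tracked by the master process

def seal(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def verify_initial_packet(key, datagram):
    """Authenticate the initial datagram BEFORE fork(): returns payload or None."""
    if len(datagram) < TAG_LEN:
        return None
    tag, payload = datagram[:TAG_LEN], datagram[TAG_LEN:]
    good = hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())
    return payload if good else None

def relay_signal(signum, frame):
    """Master handler: dispatch SIGUSR1/SIGHUP to each child (then act on it itself)."""
    for pid in list(CHILDREN):
        os.kill(pid, signum)

def serve_one(key, master_sock):
    """Handle one initial datagram: drop it unauthenticated, or fork a child on a new port."""
    datagram, client = master_sock.recvfrom(2048)
    payload = verify_initial_packet(key, datagram)
    if payload is None:
        return None                      # flood protection: no fork, no reply
    for pid, addr in list(CHILDREN.items()):   # reconnect: kill the stale child first
        if addr == client:
            os.kill(pid, signal.SIGTERM); os.waitpid(pid, 0); del CHILDREN[pid]
    pid = os.fork()
    if pid == 0:                          # child: switch to a dynamic port ...
        child = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        child.bind(("127.0.0.1", 0))
        child.sendto(seal(key, b"HELLO " + payload), client)  # ... the client floats to it
        os._exit(0)                       # real code: TLS handshake, then openvpn()
    CHILDREN[pid] = client
    return pid

def demo_roundtrip(key=b"constructed-tls-auth-key"):
    """Loopback self-test: a forged datagram is dropped, a sealed one gets a forked child."""
    master = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    master.bind(("127.0.0.1", 0))
    port = master.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    client.sendto(b"\0" * TAG_LEN + b"flood", ("127.0.0.1", port))   # bad tag
    dropped = serve_one(key, master) is None
    client.sendto(seal(key, b"client-1"), ("127.0.0.1", port))        # valid tag
    pid = serve_one(key, master)
    reply, (_, reply_port) = client.recvfrom(2048)
    os.waitpid(pid, 0); CHILDREN.pop(pid, None)
    return {"dropped": dropped, "moved_port": reply_port != port,
            "reply": verify_initial_packet(key, reply)}

if __name__ == "__main__":
    signal.signal(signal.SIGUSR1, relay_signal); signal.signal(signal.SIGHUP, relay_signal)
    print(demo_roundtrip())
```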