A comment on your [1] reference. The issue of remote-user vs enterprise is an old one - that affects many software applications - not just openvpn. I personally think the proper solution is to implement NAC: make "the network/enterprise" audit the remote host and only allow it if it meets expectations. As such I don't think openvpn has to solve this problem itself, as "the enterprise" cares a lot more about the remote machine than whether or not the remote user has injected a couple of routes into the local routing table. e.g. Windows AV status.
I think openvpn is quite entitled to act as a "mere" vpn solution; "the enterprise" should invoke a more over-arching solution (such as NAC with NAC agents) to ensure policy compliance.

Jason

On 01/03/12 10:36, Alon Bar-Lev wrote:
> 2012/2/29 Gert Doering <g...@greenie.muc.de>:
>> Hi,
>>
>> On Wed, Feb 29, 2012 at 07:43:18PM +0100, Carsten Krüger wrote:
>>>> Part of the assumption here is "the user controls the openvpn config",
>>>> and as such, he can make openvpn.exe run arbitrary scripts anyway - and
>>>> to stop this from being a problem, just run openvpn.exe with your uid.
>>> What operation could be in script that is useful when it's executed
>>> in user context.
>>>
>>> I never used script with openvpn. I've no idea which are real world
>>> applications for it.
>> Scripts are for creative uses that the programmers of openvpn have not
>> foreseen. Like "after the VPN is up, auto-sync all your git repositories"
>> or "open up a few xterms with ssh's to $internalhosts".
>>
>> David had some other idea recently, which I forgot.
> This is a great example why this functionality should *MOVE OUT* of
> the openvpn code base.
> The UI can monitor OpenVPN and run scripts when such events are
> detected via the management interface.
> The UI already runs in the context of the interactive user.
>
> I would like to receive replies to [1].
>
> Thanks,
> Alon.
>
> [1] http://sourceforge.net/mailarchive/message.php?msg_id=28910374

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
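
The approach proposed in the quoted text (an unprivileged UI watches the management interface and runs the user's scripts itself) could look like the sketch below. It is an added example, not code from this thread or from the OpenVPN project. It assumes the daemon was started with a management socket on 127.0.0.1:7505 without a management password, and the hook path is hypothetical.

```python
import socket
import subprocess

# Hypothetical user-chosen mapping: state name -> argv of the hook to run.
# It lives in the UI's own settings, never in the OpenVPN config or pushed data.
HOOKS = {"CONNECTED": ["/home/user/bin/vpn-up.sh"]}

def parse_state(line):
    """Parse a '>STATE:' real-time notification.

    Returns (timestamp, state, detail, local_ip, remote_ip), or None for any
    other management-interface line or a malformed one.
    """
    if not line.startswith(">STATE:"):
        return None
    fields = line[len(">STATE:"):].strip().split(",")
    if len(fields) < 2 or not fields[0].isdigit():
        return None
    fields += [""] * (5 - len(fields))  # older daemons send fewer fields
    return int(fields[0]), fields[1], fields[2], fields[3], fields[4]

def hook_for(line, hooks=HOOKS):
    """Return the argv to execute for this line, or None if no hook applies."""
    state = parse_state(line)
    if state is None:
        return None
    argv = hooks.get(state[1])
    if argv is None:
        return None
    # Tunnel addresses are appended as plain arguments; no shell parses them.
    return list(argv) + [state[3], state[4]]

def monitor(host="127.0.0.1", port=7505, run=subprocess.run):
    """Subscribe to state changes and run hooks with the caller's privileges."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(b"state on\n")
        for raw in sock.makefile("r", encoding="utf-8", errors="replace"):
            argv = hook_for(raw)
            if argv:
                run(argv, check=False)  # inherits the interactive user's uid

if __name__ == "__main__":
    monitor()
```

Because the hook is launched by the UI process, it never gains the privileges of the OpenVPN daemon, whatever the connection profile contains.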