On 25/04/16 20:02, Scott Crooks wrote:
> Greetings,
> 
> Is there documentation available that lists, in detail, the process of when a
> user connects to an OpenVPN server? I am wanting to have an OpenVPN server
> that has the following requirements:
> 
> - Authenticates users via LDAP (got this part figured out already)
> - Pulls per user firewall rules from LDAP, and pushes them dynamically to each
> user
> - Does not route Internet traffic through the VPN
> 
> I get confused as to whether I should be calling the per user firewall script
> using `learn-address` or `up`, and when each is executed.
> 

--up is called quite early, when the TUN interface is configured IIRC.  This
script-hook seldom makes sense on the server side.  You might consider
--client-connect instead on the server side.

The order is something like this:

  --up
  --tls-verify
  --auth-user-pass-verify
  --client-connect
  --learn-address

This is the order on the server side.  Also beware that --learn-address may be
called several times during a session.

If you use UDP mode, it may take up to --ping-exit seconds before
--learn-address with a 'delete' operation (and --client-disconnect) gets
called.  You can avoid this by adding --explicit-exit-notify in the client
configs.  For TCP mode, the TCP handshake will ensure the "down" scripts are
run a lot quicker (and --explicit-exit-notify is not compatible with TCP mode).

For your use-case, I'd say you should be able to do the LDAP authentication
either via auth-pam or one of the auth-ldap plug-ins available on the net, or
use --auth-user-pass-verify.  The firewall operations can then be executed via
--learn-address.

You might also be interested in having a look at my eurephia project [1], which
does much of what you seem to want.  The only thing it is missing officially
is LDAP support.  I have started looking into LDAP authentication, but pulling
firewall configs from LDAP is not currently covered (but not impossible).

[1] http://www.eurephia.net/


--
kind regards,

David Sommerseth
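As an added example, not part of this thread and not OpenVPN's or eurephia's own code: a POSIX sh sketch of a --learn-address handler that handles the add, update and delete operations described above and tolerates being called repeatedly during one session. The chain naming, the FORWARD hook, IPv4-only clients and the rule table standing in for the LDAP lookup are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN. OpenVPN runs the
# script as <script> <operation> <address> [<cn>] with operation "add",
# "update" or "delete"; the common name is not passed on delete. The
# FORWARD hook, chain naming and rule table are assumptions for the example.

# Stand-in for the LDAP query: constructed per-user destination networks.
lookup_rules() {
    case "$1" in
        alice) echo "10.0.1.0/24 10.0.2.0/24" ;;
        bob)   echo "10.0.3.0/24" ;;
        *)     echo "" ;;   # unknown or missing CN: no destinations allowed
    esac
}

# Per-client chain name from the learned address: 10.8.0.6 -> vpn_10_8_0_6
chain_for() {
    echo "vpn_$(echo "$1" | tr '.:/' '___')"
}

# Print the iptables commands for one event instead of executing them, so
# the logic can be checked without root. Every branch tolerates repetition.
build_rules() {
    op="$1"; addr="$2"; cn="$3"; chain=$(chain_for "$addr")
    case "$op" in
        add|update)
            echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
            for net in $(lookup_rules "$cn"); do
                echo "iptables -A $chain -d $net -j ACCEPT"
            done
            echo "iptables -A $chain -j DROP"
            echo "iptables -C FORWARD -s $addr -j $chain 2>/dev/null || iptables -I FORWARD -s $addr -j $chain"
            ;;
        delete)
            echo "iptables -D FORWARD -s $addr -j $chain 2>/dev/null"
            echo "iptables -F $chain 2>/dev/null"
            echo "iptables -X $chain 2>/dev/null"
            ;;
        *)
            echo "unknown learn-address operation: $op" >&2
            return 1
            ;;
    esac
}

# Apply the rules only when invoked by OpenVPN with arguments.
if [ "$#" -ge 2 ]; then
    build_rules "$@" | sh
fi
```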
