Hi,

On Sun, May 15, 2016 at 11:11:06AM +0200, Chris Laif wrote:
[..]
> > Or just not using --pull at all, and statically configuring --ifconfig
> > and --route according to your needs.
> >
> > To some extent, you have to trust the VPN server anyway - you're sending
> > your IP packets there, and after decryption, the server can see them in
> > the plain. By virtue of its certificate, the server shows itself to be
> > trusted (for some definition of trust).
>
> I agree with you that we have to trust the VPN with the data/packets we
> send to the other endpoint.
>
> My problem is that the remote administrator might 'inject' arbitrary
> IP addresses/networks conflicting with my existing (local) network. He
> might do this by malicious intent or even by accident (renumbering his
> network, overlapping with other networks on our side). In our current
> setup, we have a 'VPN hub' connecting to 10+ partner networks. If any
> of the partners changes his network topology, this might clash with
> other partner networks. And no, unfortunately we can not negotiate
> fixed IP addresses with all of the partners. This is why I vote for
> implementing 'ifconfig-limit' and 'route-limit' statements or some
> other mechanism to protect our setup.
OK, I can see that in your setup (with multiple VPNs connecting to a hub, not "just the client") more tight control is desirable.

I'm not promising anything - this is a fairly special-case request, and we already have sooo many special-case options that tend to get broken if we change other bits of the code - it should be possible to implement these (route, ifconfig, ipv4 and ipv6) in a way that is not touched much by other code bits - and maybe we can even come up with a more general "--pull-option-filter <script>" thing where options get run through an external script that implements local policy, and returns only those options that are acceptable, or throws an error if things cannot go on...

I'd actually prefer the latter (a generic script) because once we have these four options for your requirements, the next one will show up and ask for a DHCP filter, and then we'll see something else again.

I'm not going to run out and implement it "right now", though - busy with lots of other open ends... - and maybe someone else can beat me to it, and I just need to review the result :-)

So - to ensure that this is not forgotten: can you put this as a feature request into our trac on http://community.openvpn.net/openvpn/newticket please? (You need to register and login first)

thanks,

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users