On Sat, Feb 25, 2017 at 4:20 PM, David Sommerseth <[email protected].
topphemmelig.net> wrote:

> OpenVPN does however not give up on a connection too easily if the local
> network layer fails.  As long as the OpenVPN client doesn't stop running
> when the local network layer fails, the computer can even get a new IP
> address and the OpenVPN server will in most cases accept that (that's
> the newer peer-id support, enabled by default).  AFAIR, there are no
> script hooks which catch this state.
>
> In other cases, that mostly causes a re-negotiation or a hard reset
> which means re-establishing of the connection.  Re-negotiations are
> usually identifiable by the --client-disconnect script not having been
> executed.  On hard-resets, --client-disconnect and --learn-address
> scripts will be run.
>

While this could be a way to identify re-auth, it may be much "simpler" if
--management-client-auth is used instead of auth-user-pass-verify scripts
or plugins. Setting up a handler for authenticating via management may look
a little more involved, but you get the advantage of receiving re-auth vs
new connection info, possibility to send back auth-failed messages, handle
static as well as dynamic 2FA etc.

See management-notes.txt to see how it works.

As David mentioned, identifying a reconnect due to local network hiccup vs
actual disconnects may be hard to impossible, but it seldom matters as you
have to authenticate the user anyway. So accept the token if it's valid,
which will be the case if the client got a ping-restart. Else return
client-deny to generate AUTH_FAILED and thus trigger a full
username/password auth.

Selva
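The handler logic Selva describes, as an added example that is not part of the original thread or of OpenVPN itself: it parses the `>CLIENT:CONNECT` / `>CLIENT:REAUTH` notification blocks that `--management-client-auth` delivers (formats per management-notes.txt), does a full credential check on CONNECT, pushes a session token with `client-auth`, and on REAUTH accepts only that token, otherwise answering `client-deny` to force AUTH_FAILED. The user table, token table and message texts are constructed for illustration.

```python
import secrets
from typing import Dict, List, Optional

# Constructed stand-ins: a real handler would verify against a directory/2FA service.
USERS = {"alice": "correct horse"}
TOKENS: Dict[str, str] = {}  # username -> token handed out at first successful auth

def parse_client_event(lines: List[str]) -> Optional[dict]:
    """Parse one >CLIENT:CONNECT or >CLIENT:REAUTH block (up to >CLIENT:ENV,END)."""
    head = lines[0]
    if not head.startswith(">CLIENT:"):
        return None
    parts = head[len(">CLIENT:"):].split(",")
    if len(parts) != 3 or parts[0] not in ("CONNECT", "REAUTH"):
        return None  # ESTABLISHED/DISCONNECT/ADDRESS need no auth decision
    kind, cid, kid = parts
    env: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.startswith(">CLIENT:ENV,"):
            continue
        body = line[len(">CLIENT:ENV,"):]
        if body == "END":
            break
        name, _, value = body.partition("=")
        env[name] = value
    return {"kind": kind, "cid": cid, "kid": kid, "env": env}

def decide(event: dict) -> str:
    """Return the management command to send back for this CONNECT/REAUTH event."""
    cid, kid, env = event["cid"], event["kid"], event["env"]
    user = env.get("username", "")
    secret = env.get("password", "")
    if event["kind"] == "REAUTH":
        # Renegotiation (e.g. after ping-restart): the client re-sends the pushed
        # token as its password. Accept only a token this handler issued.
        tok = TOKENS.get(user)
        if tok and secrets.compare_digest(tok, secret):
            return f"client-auth-nt {cid} {kid}"
        # client-deny -> AUTH_FAILED on the client -> full username/password auth
        return f'client-deny {cid} {kid} "token invalid" "Please log in again"'
    # Fresh connection: full credential check (static or dynamic 2FA goes here).
    pw = USERS.get(user)
    if pw is not None and secrets.compare_digest(pw, secret):
        TOKENS[user] = secrets.token_urlsafe(24)
        # client-auth with config lines lets us push the token for later re-auth.
        return f'client-auth {cid} {kid}\npush "auth-token {TOKENS[user]}"\nEND'
    return f'client-deny {cid} {kid} "bad credentials" "Authentication failed"'
```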