On 14/12/17 16:51, Jan Just Keijser wrote:
> On 13/12/17 23:53, Selva Nair wrote:
>> On Wed, Dec 13, 2017 at 5:04 PM, David Sommerseth
>> <open...@sf.lists.topphemmelig.net> wrote:
>>> On 13/12/17 09:55, Мастренко Иван wrote:
>>>> I have a custom client-connect script that verifies the user against some
>>>> database, pushes some options to the client if the connection is allowed, or denies the
>>>> connection with logic based on data in the database.
>>>> If the connection is DENIED, I want to send a message to the client. This message
>>>> should specify the deny reason.
>>> The OpenVPN wire protocol actually supports it. But AFAIR, it's not been made
>>> available via plug-ins or script hooks. The clue is that the server pushes
>>> AUTH_FAILED back to the client on authentication failures. The AUTH_FAILED
>>> push can contain more details. This technique is more commonly used when
>>> enabling the so-called dynamic challenge authentication (challenge/response
>>> approach). Currently I believe this might only be available by using the
>>> management interface.
>>>
>>> However, by adding your own type of AUTH_FAILED reasons, the client needs to
>>> be capable of catching them and presenting them to the user. So your client
>>> would need to tackle that in addition.
>>>
>>> I see one response here talks about using the "echo" approach too. But IIRC,
>>> that won't work as the AUTH_FAILED happens before anything else is being
>>> pushed.
>>>
>> The way I understand it, AUTH_FAILED is useful only to communicate
>> authentication "failure", not for sending general messages to the
>> client. The protocol uses it for triggering a dynamic challenge for
>> two-factor auth and is currently supported only using
>> management-client-auth, not through plugins or scripts -- as David
>> mentioned.
>>
>> Echo is a far better and more generic way of sending messages to an
>> authenticated client --- patches to support echo messages in the
>> Windows GUI are in the works.
>>
>
> For the sake of clarity: after reading David's and your mail, my conclusion
> is that it is currently *NOT* possible to send a message back to an
> unauthenticated client. Is this correct?

That is correct. On authentication failures, AUTH_FAILED is sent back as a
PUSH_REPLY. And that is the first thing that happens. If authentication passes,
then some other functions build up the proper PUSH_REPLY and send that instead.
-- 
kind regards,

David Sommerseth
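The management-client-auth exchange that David and Selva point to, written out as an added example (this is not code from the thread or from the OpenVPN project). It parses the ">CLIENT:CONNECT" notification the server emits on the management channel, checks the user against a constructed in-memory table, and answers with either "client-auth" (pushing options, including an "echo" line, to the now-authenticated client) or "client-deny", whose second quoted argument is the text the client receives inside AUTH_FAILED. The CRV1 dynamic-challenge format and the command syntax follow OpenVPN's management-notes.txt; the socket path, user records, reason strings and the unauthenticated PENDING table are assumptions for the demo.

```python
"""Minimal OpenVPN management-client-auth responder (added example).

Assumes the server is started with
    management /run/openvpn/mgmt.sock unix
    management-client-auth
so that username/password arrive as >CLIENT:ENV lines (per management-notes.txt).
"""
import base64
import hmac
import secrets
import socket

# Constructed user records (hypothetical). A real backend would keep hashed
# passwords in a database rather than plaintext in a dict.
USERS = {
    "alice": {"password": "correct horse", "otp": None, "deny": None,
              "push": ['push "route 10.10.0.0 255.255.0.0"',
                       'push "echo msg Welcome, alice"']},
    "bob":   {"password": "hunter2", "otp": None, "push": [],
              "deny": ("account suspended",
                       "Your account is suspended; contact the helpdesk")},
    "carol": {"password": "s3cret", "otp": "123456", "deny": None, "push": []},
}
PENDING = {}  # state_id -> username for outstanding CRV1 challenges (demo only; no expiry)
ENV_PREFIX = ">CLIENT:ENV,"

# Constructed sample notification, as the server would write it on the management channel.
SAMPLE_CONNECT = """>CLIENT:CONNECT,5,0
>CLIENT:ENV,common_name=alice
>CLIENT:ENV,username=alice
>CLIENT:ENV,password=correct horse
>CLIENT:ENV,untrusted_ip=203.0.113.7
>CLIENT:ENV,END"""


def parse_client_connect(block):
    """Parse '>CLIENT:CONNECT,CID,KID' (or REAUTH) plus the '>CLIENT:ENV,k=v' lines
    that follow, terminated by '>CLIENT:ENV,END'. Returns (cid, kid, env dict)."""
    lines = block.strip().splitlines()
    head = lines[0]
    if not (head.startswith(">CLIENT:CONNECT,") or head.startswith(">CLIENT:REAUTH,")):
        raise ValueError("not a CONNECT/REAUTH notification: %r" % head)
    cid, kid = head.split(",")[1:3]
    env = {}
    for line in lines[1:]:
        if not line.startswith(ENV_PREFIX):
            raise ValueError("unexpected line inside ENV block: %r" % line)
        body = line[len(ENV_PREFIX):]
        if body == "END":
            return cid, kid, env
        key, _, value = body.partition("=")
        env[key] = value
    raise ValueError("notification missing >CLIENT:ENV,END")


def _quote(text):
    """Double-quote a management-interface argument, escaping backslash and quote."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def client_auth(cid, kid, directives):
    """Accept the client; each directive is a client-connect config line."""
    return "client-auth %s %s\n%sEND\n" % (cid, kid, "".join(d + "\n" for d in directives))


def client_deny(cid, kid, log_reason, client_reason):
    """Reject the client; log_reason goes to the server log, client_reason into AUTH_FAILED."""
    return "client-deny %s %s %s %s\n" % (cid, kid, _quote(log_reason), _quote(client_reason))


def crv1_challenge(username, state_id, text):
    """Dynamic challenge carried in AUTH_FAILED:
    CRV1:<flags>:<state_id>:<base64 username>:<text>; R = response required, E = echo it."""
    return "CRV1:R,E:%s:%s:%s" % (state_id, base64.b64encode(username.encode()).decode(), text)


def decide(cid, kid, env):
    """Return the management command answering one CONNECT/REAUTH request."""
    user, pw = env.get("username", ""), env.get("password", "")
    rec = USERS.get(user)
    if rec is None:
        return client_deny(cid, kid, "unknown user %s" % user, "Authentication failed")
    if pw.startswith("CRV1::"):
        # Reply to an earlier challenge: password field is CRV1::<state_id>::<response>
        parts = pw.split(":", 4)
        if len(parts) != 5 or PENDING.pop(parts[2], None) != user:
            return client_deny(cid, kid, "stale or forged challenge state", "Authentication failed")
        if not hmac.compare_digest(parts[4].encode(), (rec["otp"] or "").encode()):
            return client_deny(cid, kid, "bad OTP for %s" % user, "Wrong one-time code")
        return client_auth(cid, kid, rec["push"])
    if not hmac.compare_digest(pw.encode(), rec["password"].encode()):
        return client_deny(cid, kid, "bad password for %s" % user, "Authentication failed")
    if rec["deny"]:
        # The thread's case: credentials are fine but policy denies; the client
        # sees the second string in its AUTH_FAILED message.
        return client_deny(cid, kid, *rec["deny"])
    if rec["otp"]:
        state_id = secrets.token_hex(8)
        PENDING[state_id] = user
        return client_deny(cid, kid, "OTP required for %s" % user,
                           crv1_challenge(user, state_id, "Enter your one-time code"))
    return client_auth(cid, kid, rec["push"])


def serve(path="/run/openvpn/mgmt.sock"):
    """Drive a live server over its unix management socket (path is an assumption)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        f, block = s.makefile("rw", buffering=1), []
        for line in f:
            line = line.rstrip("\r\n")
            if line.startswith((">CLIENT:CONNECT,", ">CLIENT:REAUTH,")):
                block = [line]
            elif block and line.startswith(ENV_PREFIX):
                block.append(line)
                if line == ENV_PREFIX + "END":
                    f.write(decide(*parse_client_connect("\n".join(block))))
                    block = []


if __name__ == "__main__":
    serve()
```

Only the deny path reaches an unauthenticated client, and only as an AUTH_FAILED payload the client software must know how to display; the "echo" directive in the accept path is delivered through the ordinary PUSH_REPLY and therefore exists only for clients that have already authenticated, which is exactly the distinction the thread settles on.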
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users