On Tue, 6 Sep 2022 16:00:20 +0200, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
>On 06/09/2022 15:42, Bo Berglund wrote:
>> On Tue, 6 Sep 2022 15:23:29 +0200, David Sommerseth
>> <open...@sf.lists.topphemmelig.net> wrote:
>>
>>> On 06/09/2022 10:14, Bo Berglund wrote:
>>>> 2. Find a way to push the blocking of persist-tun via a ccd command for this
>>>> client only. But it might not be possible if the persisted tun is in
>>>> operation already when the client reaches the server?
>>>
>>> Unfortunately, this is not possible to push. This is only possible to
>>> set in the local configuration file. Long story short: It's related to
>>> when this option is parsed; which is before it starts to connect to the
>>> remote server.
>>
>> Figured as much!
>> It stands to reason that a client function executed *before* there is an actual
>> connection to the server cannot be changed by a push with a different argument.
>>
>> Thanks for the clarification!
>>
>> So I have to tell the person at the remote location to bring the router back
>> when he travels to Sweden next so I can modify the config file.
>
>When doing that, I'd recommend you to ensure you can SSH into this
>router without needing the VPN. Use SSH keys and possibly restrict the
>IP ranges to networks you know you can connect from (typically ISP
>subnets and such like).

But doing it without VPN is hard when the ISP is not providing a public IP
address to the connected device...

I had a thread about a similar such connection here back in March:
Subject: "Remote RPi unit connected by VPN, how to SSH to it via its tunnel from LAN device?"

It was when I had to attach an RPi unit directly to the fiber interface on my
summer home and connect to it remotely. This was done by the RPi connecting a
tunnel back home with client-to-client enabled. Then I could access it using
SSH from my home LAN (with proper routing set up). Worked fine.

>Having a backdoor like this is not necessarily too insecure, especially
>not when the IP range is restricted and the authentication is sane and
>solid (SSH keys; not passwords). And it can save you a lot of troubles
>later on.
>
>You mentioned this was an ASUS RT-51UC ... I see that the ASUS RT-51U
>model is supported by OpenWRT[0], but I don't know what the difference
>between the UC and U models might be. If you're not running OpenWRT, I
>would recommend you to take that approach. OpenVPN is available here as
>well as a functional SSH server and iptables.
>
>[0] <https://openwrt.org/toh/asus/rt-ac51u>

When I configured the router 4 months or so back I forgot to enable Telnet (SSH
is not available on the RT-AC51U router firmware)...

My plan is to make it possible to access the router via the tunnel IP from here
using the terminal interface. In that case I could modify the config files on
the system via the connected tunnel in the future.
But I must enable these items (both Telnet and Setup page) first in the GUI of
course, so for a later day...

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
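The out-of-band SSH access David recommends above (keys only, no passwords, logins accepted only from known source ranges) written out as an OpenSSH server configuration. This is an added example, not something posted in the thread and not a configuration from any of the routers discussed; the user name `admin` and the two source subnets are constructed placeholders standing in for the ISP ranges you actually connect from.

```sshd_config
# Added example (not from the thread). Hardened OpenSSH server settings for a
# maintenance login that must survive the VPN being down. Placeholders:
#   admin                      -> the only account allowed to log in remotely
#   192.0.2.0/24, 198.51.100.0/24 -> constructed stand-ins for your ISP ranges

# Keys only: every password-based path is switched off.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password

# Only this user, and only when connecting from these source networks.
# Any other user, or the same user from any other address, is refused
# before authentication is even attempted.
AllowUsers admin@192.0.2.0/24 admin@198.51.100.0/24

# Keep failed attempts cheap to reject.
MaxAuthTries 3
LoginGraceTime 20
MaxStartups 3:50:10

# Nothing but a shell is needed for configuration work.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
```

`AllowUsers user@host` accepts CIDR notation, so the source restriction and the account restriction are one line; test the change from an allowed address with `sshd -t` and a second, still-open session before closing the first. Treat this as the second layer: the packet filter David mentions (iptables on OpenWRT) should drop SSH from everything outside the same ranges so unwanted connections never reach the daemon, and as Bo notes the whole approach depends on the ISP actually giving the device a reachable public address.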