Re: [Openvpn-devel] features

2010-07-24 Thread Davide Brini
On Sat, 24 Jul 2010 12:30:09 -0700 Alex T  wrote:

> I have 2 suggestions regarding openvpn (client mode):
> - the use of SHA512 with the TLS ciphers

OpenVPN does not implement any encryption; it relies on OpenSSL. So, if
the OpenSSL library used by OpenVPN supports it, so does OpenVPN.

> - some kind of route / firewall manipulation for the Windows client.
> If the client is set up to route all Internet traffic via the VPN,
> sometimes when the internet (especially the wireless connection) is lost,
> all the internet traffic is using the local link, not the VPN ... this
> might become a security issue. I saw a different VPN client (paid
> version, it is called NCP secure IPSEC client) that, on startup, if the
> current profile is set to route all traffic via the VPN, manipulates the
> Windows routes, deleting the default gateway and routing only the VPN
> server ip to the local gateway. If the VPN tunnel is not up, then the
> Internet won't work.

If I understand you correctly, you may try pushing

redirect-gateway

instead of

redirect-gateway def1

to the client. The former overwrites the default gateway rather than
creating the two /1 routes.

However, I'm not sure about what happens if the VPN goes down (i.e., leave
the routing table as it is, which is what you want, or restore the old
default gateway?). You can find out quite easily by just trying.

-- 
D.
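The difference between the two `redirect-gateway` forms comes down to longest-prefix matching, and it decides whether traffic leaks onto the local link when the tunnel routes disappear. The following model is an added example, not OpenVPN code: it builds a small routing table, applies either variant, then removes the tun routes to simulate the tunnel going away without any restoration (an assumption about the failure case, not a claim about what OpenVPN itself does on exit). All addresses are constructed.

```python
import ipaddress

LOCAL_GW = "192.168.1.1"     # constructed: local wireless router
VPN_SERVER = "203.0.113.10"  # constructed: the OpenVPN server's public address
VPN_GW = "10.8.0.1"          # constructed: tunnel peer reachable over tun0


def base_table():
    """Routes present before the VPN comes up: LAN plus a default via the router."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), LOCAL_GW, "wlan0"),
        (ipaddress.ip_network("192.168.1.0/24"), None, "wlan0"),
    ]


def with_redirect_gateway(table, def1):
    """Apply 'redirect-gateway def1' (def1=True) or plain 'redirect-gateway'."""
    routes = list(table)
    # Both variants pin the VPN server itself to the original gateway so the
    # encrypted tunnel packets are not themselves routed into the tunnel.
    routes.append((ipaddress.ip_network(VPN_SERVER + "/32"), LOCAL_GW, "wlan0"))
    if def1:
        # def1 adds two /1 routes that beat 0.0.0.0/0 on prefix length while
        # leaving the original default route untouched.
        routes.append((ipaddress.ip_network("0.0.0.0/1"), VPN_GW, "tun0"))
        routes.append((ipaddress.ip_network("128.0.0.0/1"), VPN_GW, "tun0"))
    else:
        # Plain form replaces the existing default route with one via the tunnel.
        routes = [r for r in routes if r[0].prefixlen != 0]
        routes.append((ipaddress.ip_network("0.0.0.0/0"), VPN_GW, "tun0"))
    return routes


def vpn_down(table):
    """Assumed failure mode: every route on the tun adapter vanishes, nothing restored."""
    return [r for r in table if r[2] != "tun0"]


def lookup(table, dst):
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None
```

With def1, a public destination falls back to wlan0 once the /1 routes are gone (the leak described above); with the plain form the same lookup returns None, so the host has no default route until the tunnel returns.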



Re: [Openvpn-devel] features

2010-07-24 Thread Peter Stuge
Alex T wrote:
> - some kind of route / firewall manipulation for the Windows client.

Try:

push "ip-win32 dynamic"
push "redirect-gateway def1"


//Peter



[Openvpn-devel] features

2010-07-24 Thread Alex T
Hello,

I have 2 suggestions regarding openvpn (client mode):
- the use of SHA512 with the TLS ciphers
- some kind of route / firewall manipulation for the Windows client.
If the client is set up to route all Internet traffic via the VPN, sometimes
when the internet (especially the wireless connection) is lost, all the
internet traffic is using the local link, not the VPN ... this might become
a security issue. I saw a different VPN client (paid version, it is called
NCP secure IPSEC client) that, on startup, if the current profile is set to
route all traffic via the VPN, manipulates the Windows routes,
deleting the default gateway and routing only the VPN server ip
to the local gateway. If the VPN tunnel is not up, then the
Internet won't work.
On Linux this is easy to solve via the firewall or by routing,
but on Windows this seems more difficult, especially on older
versions like XP.
I believe these features should be considered
in a future version. If this is already available, then I could not find
it ...

Thank You,
Alex