Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Karl O. Pinc
On 12/14/2010 04:22:53 PM, Vineet Kumar wrote:
> Sorry pl. explain the "intermediary" part. Is that supposed to solve
> the single telnet server accepting multiple *concurrent* client
> sessions?

Yes.  The multiple concurrent client sessions talk to a single 
telnet server via an intermediary.  The intermediary serializes
the requests made by the multiple concurrent sessions and feeds
the resulting stream to the single telnet session.

A simpleminded way to do this might be to dump the requests
into files in a directory that's monitored by incron, which
then feeds the commands to, say, socat or nc (netcat).
(Incron is a nice intermediary because it isolates the
requests -- they can be monitored for correctness etc.)
I've no idea if this is the right approach for your application.



Karl 
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein
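As an added illustration of the serializing intermediary suggested above (example code, not from the thread or from OpenVPN): one object owns the single management session OpenVPN allows, and every thread that wants to issue `kill IP:port` takes a lock around the write and the matching reply read. `fake_management` is a constructed stand-in for the listener so the code runs offline; only the `>INFO:` greeting and the `SUCCESS:`/`ERROR:` reply prefixes follow the management protocol, the reply wording is invented.

```python
import socket
import threading

class ManagementSerializer:
    """Owns the one management session OpenVPN allows; callers queue on a lock."""
    def __init__(self, sock):
        self._lock = threading.Lock()
        self._sock = sock
        self._rfile = sock.makefile("r", encoding="ascii", newline="\n")
        self._rfile.readline()  # OpenVPN greets with ">INFO:..."; discard it

    def kill(self, ip, port):
        """Send 'kill IP:port'; return (ok, reply). The lock spans the write and
        the read, so a reply is never consumed by another thread's request."""
        with self._lock:
            self._sock.sendall(f"kill {ip}:{port}\n".encode("ascii"))
            while True:
                line = self._rfile.readline().rstrip("\r\n")
                if not line:
                    raise ConnectionError("management session closed")
                if not line.startswith(">"):  # skip async notifications
                    return line.startswith("SUCCESS:"), line

def fake_management(conn, connected):
    """Constructed stand-in for the listener: greets, then answers each
    'kill' with a SUCCESS:/ERROR: line (reply wording is invented)."""
    f = conn.makefile("rw", encoding="ascii", newline="\n")
    f.write(">INFO:fake management interface\r\n")
    f.flush()
    for line in iter(f.readline, ""):
        addr = line.strip().partition(" ")[2]  # text after "kill "
        ok = addr in connected
        connected.discard(addr)
        f.write("SUCCESS: 1 client killed\r\n" if ok else "ERROR: not found\r\n")
        f.flush()

def demo():
    """Three threads race for the session; only connected peers get SUCCESS."""
    client, server = socket.socketpair()
    threading.Thread(target=fake_management, daemon=True,
                     args=(server, {"10.1.1.5:1194", "10.1.1.6:1194"})).start()
    mgmt = ManagementSerializer(client)
    results = {}
    def worker(addr):
        ip, p = addr.rsplit(":", 1)
        results[addr] = mgmt.kill(ip, int(p))[0]
    threads = [threading.Thread(target=worker, args=(a,))
               for a in ("10.1.1.5:1194", "10.1.1.6:1194", "10.1.1.7:1194")]
    for t in threads: t.start()
    for t in threads: t.join()
    return results
```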




Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Vineet Kumar
Sorry pl. explain the "intermediary" part. Is that supposed to solve
the single telnet server accepting multiple *concurrent* client
sessions?

The interactive session part: not a requirement but we have no way to
disallow an interactive user from telnetting when we programmatically
plan to use the same IP:port.

Vineet
On Tue, Dec 14, 2010 at 12:28 PM, Peter Stuge wrote:
> Vineet Kumar wrote:
>> You mean closing the telnet session after every use so that whoever
>> the next guy is gets served?
>
> No I mean creating an intermediary that will know about your use case
> and provide an interface that works.
>
>
>> say, an interactive telnet session
>
> Are they a requirement in your use case?
>
>
> //Peter
>



Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Peter Stuge
Vineet Kumar wrote:
> You mean closing the telnet session after every use so that whoever
> the next guy is gets served?

No I mean creating an intermediary that will know about your use case
and provide an interface that works.


> say, an interactive telnet session

Are they a requirement in your use case?


//Peter



Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Peter Stuge
Vineet Kumar wrote:
> Are there ways around that : making telnet accept multiple sessions?

You could serialize your administrative requests somehow and only
ever have one entity use the admin interface.


//Peter



Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread Vineet Kumar
From code inspection it seems like I need to have one PF-file/client.
So for 1000 clients connected this means 1000 files! That is the
bottleneck I am talking about. Also, in my use-case the plugin (which
spawns a separate thread) is the one who asynchronously wants to close
a socket. The important thing to note here is that this socket may not
be actively being served by openvpn process at the time of closing (by
plugin) and so packet filtering will never kick in.

So I am not sure if PF will help here. It will help of course if the
use-case is for closing a socket *the next time it is used*.
Hope I didn't confuse folks with my use-case.

This is why I started with the telnet-client idea whereby my plugin
thread sends "kill IP:port" command via telnet to openvpn's management
listener. But the problem I will run into is the fact that telnet
somehow is written to only allow one telnet session at a time. So if
my plugin decides to use this session then at that instant in time no
one else can use this cool management feature.
Are there ways around that : making telnet accept multiple sessions?

Thanks,

Vineet
On Tue, Dec 14, 2010 at 9:52 AM, David Sommerseth wrote:
> On 14/12/10 18:47, Vineet Kumar wrote:
>> Thanks for your response. This seems to involve file I/O and iptables
>> right? File I/O seems like a performance bottleneck, no?
>
> Maybe, if you're still using tapes and need to rewind the tape ;-)
>
> Seriously, not really.  All decent OSes today have pretty good caching,
> so most likely will things not manage to get written properly to disk
> before the file is read, parsed and removed again by OpenVPN.
>
> But to improve things a bit, you can always mount a directory for such
> files in a tmpfs (or a RAM disk) and let OpenVPN use that.
>
>
> kind regards,
>
> David Sommerseth
>
>
>
>> Vineet
>> On Mon, Dec 13, 2010 at 4:35 PM, chantra wrote:
>>
>>     Vineet,
>>
>>     I think you could use Packet filtering plugin hook and use the
>>     [KILL] tag at the end of the pf file .
>>
>>     See
>>     
>> http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=openvpn-plugin.h;h=56b0a701574e6913b3a714e941cdc4899dbea8e1;hb=HEAD#l316
>>
>>     I have never used it myself, but I think that should sort you out.
>>
>>     The doc says that this file may be dynamically updated during a
>>     client session. I assume the main process will pick up the change
>>     quick fast.
>>
>>     Chantra
>>
>>
>>     On Mon, 2010-12-13 at 15:16 -0800, Vineet Kumar wrote:
>>>     Hi,
>>>       If my openvpn plugin spawns its own thread and from that thread
>>>     wants to kill a tunnel specified by IP:port how can that be done?
>>>     (something like what the 'telnet' management provides: "kill IP:port")
>>>     This plugin is meant to do other stuff and in certain scenarios wants
>>>     to close specific tunnels.
>>>     First I thought of using the plugin to write code to establish a
>>>     telnet-client sessions and send over "kill IP:port" command. But I
>>>     notice an issue with the management listener: if I run more than 1
>>>     telnet session only the first one can pass through data whereas all
>>>     others' telnet sessions just hang.
>>>
>>>     Is this even possible?
>>>
>>>     Vineet



Re: [Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-14 Thread David Sommerseth

On 14/12/10 18:47, Vineet Kumar wrote:
> Thanks for your response. This seems to involve file I/O and iptables
> right? File I/O seems like a performance bottleneck, no?

Maybe, if you're still using tapes and need to rewind the tape ;-)

Seriously, not really.  All decent OSes today have pretty good caching,
so most likely will things not manage to get written properly to disk
before the file is read, parsed and removed again by OpenVPN.

But to improve things a bit, you can always mount a directory for such
files in a tmpfs (or a RAM disk) and let OpenVPN use that.


kind regards,

David Sommerseth



> Vineet
> On Mon, Dec 13, 2010 at 4:35 PM, chantra wrote:
> 
> Vineet,
> 
> I think you could use Packet filtering plugin hook and use the
> [KILL] tag at the end of the pf file .
> 
> See
> 
> http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=openvpn-plugin.h;h=56b0a701574e6913b3a714e941cdc4899dbea8e1;hb=HEAD#l316
> 
> I have never used it myself, but I think that should sort you out.
> 
> The doc says that this file may be dynamically updated during a
> client session. I assume the main process will pick up the change
> quick fast.
> 
> Chantra
> 
> 
> On Mon, 2010-12-13 at 15:16 -0800, Vineet Kumar wrote:
>> Hi,
>>   If my openvpn plugin spawns its own thread and from that thread
>> wants to kill a tunnel specified by IP:port how can that be done?
>> (something like what the 'telnet' management provides: "kill IP:port")
>> This plugin is meant to do other stuff and in certain scenarios wants
>> to close specific tunnels.
>> First I thought of using the plugin to write code to establish a
>> telnet-client sessions and send over "kill IP:port" command. But I
>> notice an issue with the management listener: if I run more than 1
>> telnet session only the first one can pass through data whereas all
>> others' telnet sessions just hang.
>>
>> Is this even possible?
>>
>> Vineet



[Openvpn-devel] Can *plugin* kill specific ovpn tunnel?...

2010-12-13 Thread Vineet Kumar
Hi,
  If my openvpn plugin spawns its own thread and from that thread
wants to kill a tunnel specified by IP:port how can that be done?
(something like what the 'telnet' management provides: "kill IP:port")
This plugin is meant to do other stuff and in certain scenarios wants
to close specific tunnels.
First I thought of using the plugin to write code to establish a
telnet-client sessions and send over "kill IP:port" command. But I
notice an issue with the management listener: if I run more than 1
telnet session only the first one can pass through data whereas all
others' telnet sessions just hang.

Is this even possible?

Vineet