Would it be possible to implement the following features:

Matthias Kruzenski matthias.kruzenski at gmail.com
Fri Dec 15 09:17:53 PST 2017


Hello,

would it be possible to implement the following features:

1.) provide the X.509 subject and X.509 fingerprint of the client cert
as environment variable in the connect-script and disconnect script.
Maybe also the values of the server cert.

This would be very useful to check if a cert is valid. For example,
the connect script could send these values to an http api via wget. In
this way it's possible to blacklist certs.

2.) allow the connect-script to write a 'per-user' config file. It
works like this:

Before the connect script is called, a random temp file is created in
the temp directory, for example /tmp/ocserv-12345

This file path is passed as an argument to the connect-script.

The connect-script writes 'per-user' config values into the temp file:
echo "key=value" >> "$1"

The server reads the file after the script was executed.

This would be very useful to have the IP address configured by an http
api queried in the connect-script. This is a much more flexible and
universal solution. OpenVPN also has this functionality.

3.) Is it possible to have only one tunnel interface for all clients?
The same as in an OpenVPN or StrongSwan VTI setup? I don't want to have
1000 interfaces for 1000 clients.

4.) A command line command to disconnect a single client by username
or virtual ip.

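As an added example (not code from the original post or from ocserv), here is a connect-script that follows the contract proposed in points 1 and 2: it checks the client cert fingerprint against a denylist and writes per-user config lines into the temp file passed as "$1". The environment variable names CLIENT_CERT_FINGERPRINT and USERNAME, the config key explicit-ipv4 and the path /etc/ocserv/cert-denylist are assumptions, and a local denylist file replaces the HTTP API call so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from ocserv: a connect-script
# following the contract proposed above. Assumptions (none confirmed by the post):
#   - $1 is the temp file the server created for per-user config (proposed feature 2);
#   - CLIENT_CERT_FINGERPRINT is the proposed env var from feature 1 (hypothetical name);
#   - USERNAME is assumed to be exported by the server to the script;
#   - "explicit-ipv4" is assumed to be a valid per-user config key;
#   - /etc/ocserv/cert-denylist is a hypothetical denylist path.
# A local denylist file stands in for the HTTP API query so this runs offline.

# Succeeds (exit 0) when the fingerprint appears in the denylist (one fingerprint
# per line, compared case-insensitively); fails (exit 1) otherwise, including
# when the denylist file does not exist.
cert_denylisted() {
    fp="$1"; denylist="$2"
    [ -r "$denylist" ] || return 1
    grep -qixF "$fp" "$denylist"
}

# Append per-user config lines (key=value) to the file the server reads afterwards.
# A constructed static mapping stands in for the HTTP lookup described in the post.
write_user_config() {
    cfgfile="$1"; user="$2"
    case "$user" in
        alice) printf '%s\n' "explicit-ipv4=10.8.0.10" >> "$cfgfile" ;;
        bob)   printf '%s\n' "explicit-ipv4=10.8.0.11" >> "$cfgfile" ;;
        *)     return 1 ;;   # unknown user: write nothing, report failure
    esac
}

main() {
    cfgfile="$1"
    fp="${CLIENT_CERT_FINGERPRINT:-}"
    # A non-zero exit from the connect-script is assumed to reject the connection.
    if [ -n "$fp" ] && cert_denylisted "$fp" /etc/ocserv/cert-denylist; then
        echo "connect-script: certificate $fp is denylisted for ${USERNAME:-?}" >&2
        exit 1
    fi
    write_user_config "$cfgfile" "${USERNAME:-}" || true
}

# Run only when invoked by the server with the config file path as first argument.
if [ $# -gt 0 ]; then
    main "$@"
fi
```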