Re: more VPN thoughts
- From: Tom Parker <palfrey tevp net>
- To: networkmanager-list gnome org
- Subject: Re: more VPN thoughts
- Date: Sat, 13 Nov 2004 00:13:08 +0100
Colin Walters wrote:
> On Fri, 2004-11-12 at 23:01 +0100, Tom Parker wrote:
>> 2) You're on a limited-access wireless (wired? never seen this, but
>> theoretically possible for public "plug in a laptop" scenarios) network
>> bouncing HTTP requests to a "switch on the VPN"/"do other auth things"
>
> Yeah, I don't have any clever ideas for this. A lot of users will
> probably end up going to a web site first anyways, or they'll read the
> "How to network" instructions which will say to go to a website.

I've got a couple of smart ideas, but I need to know how these places
work. I'm guessing we're talking DNS setup to resolve all names to one
particular IP address, or possibly some sort of smart packet filtering
to bounce all packets to a particular address. The first we could
theoretically detect (either by trying to resolve a couple of
"definitely not on the same host" names and seeing if they resolve to
the same one - www.gnome.org and www.microsoft.com come to mind....),
but the second one is harder. Might get around to lugging my laptop to
one of the various places around here that do this and doing some
experimentation, but if anyone knows any more about the details of those
systems, ideas are welcomed.

> So these two things are related, but the limited-access/wifi auth
> situation is just to really use the wireless at all - even after that
> you need the VPN. So, hm - we really want a way to know when we're
> online so that we can start the VPN stuff.

I think the defining difference is what you can't get to - certain
reasonably stable publicly accessible servers vs. intranet/extranet
servers. Of course, there is also the nasty pathological case (which
happens in one place where I do some work) where *nothing* is allowed
out except via the HTTP-only proxy (which incidentally doesn't like
things like apt-get, so you need to lie and claim it's Firefox
instead... but hey). Possibly we can mark this as a subcase of the
limited network, but without any data re: where to go for more
information. I guess that's probably a good idea for the scenario where
we can't auto-detect the "access denied"/"more info on how to use this
network" page - better to at least tell the user they're on a limited
network so that they can try and do something about it on their own.

> This situation is also related to the (somewhat pathological, I suppose)
> case of the "vpnonly" wireless network here at work which only lets you
> do anything at all, including access to the Internet, over the VPN.

Well, I'd call that a case of the limited-access wireless network.
That's what our wireless network has - everything bounces you to the
"here's how to get the vpn software" page. Does your network bounce you
to a page like that (or an "access denied" page, either way it's
probably the same detection scenario)?
Tom
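
The DNS check described in the message above (resolve names that should not share a host and see whether the answers are identical), as an added example that is not part of the original post. The function names, the `resolve` hook and the sample address tables are constructed for illustration; the packet-filtering case is not covered.

```python
import socket
from enum import Enum

class NetState(Enum):
    OPEN = "probe names resolve to different hosts"
    DNS_REDIRECT = "unrelated names all resolve to the same address"
    INCONCLUSIVE = "fewer than two probe names resolved"

# Probe names taken from the message; any names known to live on
# different hosts would serve.
PROBES = ("www.gnome.org", "www.microsoft.com")

def system_resolver(name):
    """Return the set of IPv4 addresses the OS resolver gives for name."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def table_resolver(table):
    """Offline stand-in for DNS: answers from a dict, fails otherwise."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror("constructed resolution failure")
        return table[name]
    return resolve

def classify(probes=PROBES, resolve=system_resolver):
    """Compare the answers for each probe name and classify the network."""
    answers = {}
    for name in probes:
        try:
            answers[name] = set(resolve(name))
        except OSError:  # socket.gaierror is an OSError subclass
            answers[name] = set()
    resolved = [a for a in answers.values() if a]
    if len(resolved) < 2:
        return NetState.INCONCLUSIVE, answers
    # A catch-all resolver returns one identical answer for every name.
    # Requiring equal sets, not mere overlap, tolerates partial sharing.
    if all(a == resolved[0] for a in resolved[1:]):
        return NetState.DNS_REDIRECT, answers
    return NetState.OPEN, answers

if __name__ == "__main__":
    # Constructed answers using documentation address ranges (RFC 5737).
    portal = {"www.gnome.org": {"192.0.2.1"}, "www.microsoft.com": {"192.0.2.1"}}
    normal = {"www.gnome.org": {"198.51.100.7"}, "www.microsoft.com": {"203.0.113.9"}}
    for label, table in (("portal", portal), ("normal", normal)):
        state, _ = classify(resolve=table_resolver(table))
        print(label, "->", state.name)
```

Two unrelated sites that happen to return the same single address would be misread as a redirect, so passing more probe names to `classify` lowers the false-positive rate.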