Re: more VPN thoughts

Colin Walters wrote:
On Fri, 2004-11-12 at 23:01 +0100, Tom Parker wrote:
2) You're on a limited-access wireless (wired? never seen this, but theoretically possible for public "plug in a laptop" scenarios) network bouncing HTTP requests to a "switch on the VPN"/"do other auth things"

Yeah, I don't have any clever ideas for this.  A lot of users will
probably end up going to a web site first anyways, or they'll read the
"How to network" instructions which will say to go to a website.

I've got a couple of smart ideas, but I need to know how these places work. I'm guessing we're talking DNS setup to resolve all names to one particular IP address, or possibly some sort of smart packet filtering to bounce all packets to a particular address. The first we could theoretically detect (either by trying to resolve a couple of "definately not on the same host" names and seeing if they resolve to the same one - and comes to mind....), but the second one is harder. Might get around to lugging my laptop to one of the various places around here that do this and doing some experimentation, but if anyone knows any more about the details of those system, ideas are welcomed.

So these two things are related, but the limited-access/wifi auth
situation is just to really use the wireless at all - even after that
you need the VPN.  So, hm - we really want a way to know when we're
online so that we can start the VPN stuff.

I think the defining difference is what you can't get to - certain reasonably stable public-accessable servers vs. intranet/extranet servers. Of course, there is also the nasty pathological case (which happens in one place where I do some work) where *nothing* is allowed out except via the HTTP-only proxy (which incidentally doesn't like things like apt-get, so you need to lie and claim it's Firefox instead... but hey). Possibly we can mark this as a subcase of the limited network, but without any data re: where to go for more information. I guess that's probably a good idea for the scenario where we can't auto-detect the "access denied"/"more info on how to use this network" page - better to at least tell the user they're on a limited network so that they can try and do something about it on their own

This situation is also related to the (somewhat pathological, I suppose)
case of the "vpnonly" wireless network here at work which only lets you
do anything at all, including access to the Internet, over the VPN.

Well, I'd call that a case of the limited-access wireless network. That's what our wireless network has - everything bounces you to the "here's how to get the vpn software" page. Does your network bounce you to a page like that (or an "access denied" page, either way it's probably the same detection scenario)?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]