2

Good Morning,

I need some help for a specific configuration in a server. Let's say I have two kinds of people that will connect to my VPN: people from Group A and people from Group B. I need them to have a different subnet. The only difference between those two groups is the common name of the certificate.

So let's say I have two subnets, sub1: 10.0.1.0/24 and sub2: 10.0.2.0/24.

People from group A have a certificate like A0000xxx. People from group B have a certificate like B0000xxx.

I want people from the group A to connect to sub1 and people from the group B to connect to sub2

I thought about using the client-config-dir directive. On client connect, I will use a script to determine if they are from group A or B, and then I will create the good configuration. My problem is that I don't know how to give them the right addresses. I do not want to give them a static IP but instead I would like for them to use a dynamic IP.

Is it possible to tell them to look for an address in a subnet?

Thanks

[Edit]

So I somehow managed to do it but I would like to have some opinions on it.

So I created a connect.sh script that actually manages to do it but needs to be configured, and I used the client-config-dir like this:

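#!/bin/bash
# client-connect hook: OpenVPN sets $common_name and passes a temp config file as $1.
# Only allocate when the client has no per-client config file yet.
if [ ! -f "configDir/${common_name}" ]; then
        # Exact match on the CN column, so the CN is never treated as a regex or substring.
        if ! awk -F', ' -v cn="${common_name}" '$2 == cn { found = 1 } END { exit !found }' ipp.txt; then
                regexCA="^CA.*";
                regexFRFDV="^FRFDV.*";
                regexFRPC="^FRPC.*";
                outSet=255
                if [[ ${common_name} =~ $regexCA  ]]; then
                        i=2;
                        # Anchor the pattern and escape the dots: 10.0.0.2 must not match 10.0.0.20.
                        while grep -q "^10\.0\.0\.$i," ipp.txt ;
                        do
                                if [ "$i" -eq "$outSet" ] ; then
                                        break ;
                                fi
                                ((i=i+1));
                        done
                        # Pool exhausted: a non-zero exit rejects the connection.
                        if [ "$i" -eq "$outSet" ] ; then
                                exit 1;
                        fi
                        echo "10.0.0.$i, ${common_name}" >> ipp.txt;
                        echo "ifconfig-push 10.0.0.$i 255.255.255.0" > "configDir/${common_name}";
                        echo "ifconfig-push 10.0.0.$i 255.255.255.0" > "$1"
                else
                        i=2;
                        while grep -q "^10\.0\.1\.$i," ipp.txt ;
                        do
                                if [ "$i" -eq "$outSet" ]
                                then
                                        break;
                                fi
                                ((i=i+1));
                        done
                        if [ "$i" -eq "$outSet" ] ; then
                                exit 1;
                        fi
                        echo "10.0.1.$i, ${common_name}" >> ipp.txt;
                        echo "ifconfig-push 10.0.1.$i 255.255.255.0" > "configDir/${common_name}";
                        echo "ifconfig-push 10.0.1.$i 255.255.255.0" > "$1"
                fi
        fi
fi
exit 0;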

Tell me what you think about it.

LinChan

1 Answer

0

It is not possible to create different server-side subnets in client-config-dir configuration.

I would implement this by running two OpenVPN instances on different ports and different network configuration.

Tero Kilkanen
  • Not possible to do that unfortunately, but I thought of something else: if I use server 10.0.0.0/16 and on client connect I use a script to give him an IP in a range that I choose (of course I would use the ipp.txt file to check that I do not give the same IP twice) – LinChan Apr 18 '14 at 06:28
  • That should work too. – Tero Kilkanen Apr 20 '14 at 00:24
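
The approach settled on in the comments (one `server 10.0.0.0/16` range, with a client-connect script choosing the address from the certificate common name), as an added example that is not part of the original posts. It allow-lists the CN before using it, matches leases on exact fields, and locks the lease file so two simultaneous connects cannot get the same address. Assumed here: `topology subnet`, the `LEASES` path, CNs made only of letters and digits, group A on 10.0.1.x and group B on 10.0.2.x.

```shell
#!/bin/sh
# Added example (not from the original posts): per-group address allocation for
# an OpenVPN client-connect hook. Assumed: "server 10.0.0.0 255.255.0.0" with
# "topology subnet", CNs starting with A or B, and the LEASES path below.
LEASES="${LEASES:-/etc/openvpn/group-leases.txt}"  # hypothetical file, "IP,CN" per line

# Print the /24 prefix for a CN. Anything outside the allow-list is rejected, so
# the CN can never act as a pattern or carry separators into the lease file.
pool_for_cn() (
    case "$1" in ''|*[!0-9A-Za-z]*) exit 1 ;; esac
    case "$1" in
        A*) echo "10.0.1" ;;
        B*) echo "10.0.2" ;;
        *)  exit 1 ;;
    esac
)

# Exit 0 if column $1 of the lease file equals $2 exactly (no substring hits,
# so 10.0.1.2 does not match 10.0.1.20).
field_taken() {
    awk -F, -v col="$1" -v val="$2" '$col == val { hit = 1 } END { exit !hit }' "$LEASES"
}

# Print the address leased to a CN, allocating the lowest free host if none.
allocate_ip() (
    prefix=$(pool_for_cn "$1") || exit 1
    # Serialise concurrent connects: hold an exclusive lock for check + append.
    exec 9>>"$LEASES.lock"
    flock 9 || exit 1
    touch "$LEASES"
    ip=$(awk -F, -v cn="$1" '$2 == cn { print $1; exit }' "$LEASES")
    if [ -z "$ip" ]; then
        i=2
        while [ "$i" -lt 255 ] && field_taken 1 "$prefix.$i"; do i=$((i + 1)); done
        [ "$i" -lt 255 ] || exit 1      # pool exhausted: reject the client
        ip="$prefix.$i"
        echo "$ip,$1" >> "$LEASES"
    fi
    echo "$ip"
)

# OpenVPN sets $common_name and passes the per-client config file as $1.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    ip=$(allocate_ip "$common_name") || exit 1   # non-zero exit refuses the client
    echo "ifconfig-push $ip 255.255.0.0" > "$1"
fi
```

The lease file is kept separate from OpenVPN's own `ifconfig-pool-persist` file so the server and the hook never write to the same file.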