
Can anyone show me how to filter (change bandwidth, delay, etc.) the traffic of one or more users connecting to OpenVPN based on their client certificate name?

The reason I would like to use the client certificate name is that I could have hundreds of users connecting to OpenVPN and I would like to limit the bandwidth of each client individually.

Many thanks

Server Programmer

1 Answer


You can use the directives client-connect <cmd> and client-disconnect <cmd>.

An environment variable $common_name is passed to the script specified as <cmd> and can be evaluated to apply specific tc settings to that particular client as follows:

#!/bin/bash
# Runs once per connecting client via "client-connect <cmd>"; OpenVPN exports
# the client's $common_name, $dev and $ifconfig_pool_remote_ip to it.
set -eu

if [ "$common_name" = "client1" ]; then
    downrate=100mbit
    uprate=100mbit
elif [ "$common_name" = "client2" ]; then
    downrate=10mbit
    uprate=10mbit
else
    downrate=10kbit
    uprate=10kbit
fi

# Give each client its own HTB class and filter priority: the minor id is
# taken from the last octet of the client's VPN address (assumes a /24 pool).
# A fixed "1:1" would collide as soon as a second client connects.
minor=${ifconfig_pool_remote_ip##*.}

# The root qdiscs are shared by all clients; adding them a second time fails
# with "File exists", and a non-zero exit would make OpenVPN reject the client.
tc qdisc add dev "$dev" root handle 1: htb 2>/dev/null || true
tc qdisc add dev "$dev" handle ffff: ingress 2>/dev/null || true

# Limit traffic from VPN server to client
tc class add dev "$dev" parent 1: classid "1:$minor" htb rate "$downrate"
tc filter add dev "$dev" parent 1:0 protocol ip prio "$minor" \
  u32 match ip dst "$ifconfig_pool_remote_ip"/32 flowid "1:$minor"

# Limit traffic from client to VPN server
tc filter add dev "$dev" parent ffff:0 protocol ip prio "$minor" \
  u32 match ip src "$ifconfig_pool_remote_ip"/32 \
  police rate "$uprate" burst 80k drop flowid :1

The following environment variables are relevant:

  • $common_name: the CN of the client's certificate
  • $ifconfig_pool_remote_ip: the client's VPN IP address
  • $dev: the tun interface

A detailed setup can be found in this answer.

rda
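As an added example (not part of rda's answer or OpenVPN's own code), the same idea carried further: one hook script that serves both client-connect and client-disconnect, reads the per-CN rates from a table instead of an if/elif chain, derives a unique HTB class id per client so concurrent clients do not collide, and removes the rules again on disconnect. The paths /etc/openvpn/shape.sh and /etc/openvpn/rates.conf, the table format, and the TC dry-run variable are assumptions made for this example. Two caveats a practitioner should know: client-connect must exit 0 or OpenVPN rejects the client (here an unknown CN with no "*" default line is rejected on purpose), and the hooks run with the privileges of the OpenVPN process, so with `user nobody` in server.conf tc will not be allowed to change qdiscs.

```shell
#!/bin/bash
# Added example, not the original answer's script: one hook for both
# client-connect and client-disconnect, with per-client rates in a table.
#
# Assumed server.conf directives (paths are assumptions for this example):
#   script-security 2
#   client-connect    /etc/openvpn/shape.sh
#   client-disconnect /etc/openvpn/shape.sh
# OpenVPN sets $script_type so one script can tell the two hooks apart.
#
# Assumed rate table, one client per line, "*" as the default:
#   <common_name> <downrate> <uprate>
set -eu

RATES_FILE="${RATES_FILE:-/etc/openvpn/rates.conf}"
TC="${TC:-tc}"   # set TC=echo to dry-run the tc commands without root

# Print "<downrate> <uprate>" for a CN: exact match wins, else the "*" line.
# Returns 1 when neither exists, which makes OpenVPN reject the client.
# (The table must end with a newline, or read drops the last line.)
rate_for_cn() {
    local cn=$1 file=${2:-$RATES_FILE} name down up def=
    while read -r name down up; do
        case "$name" in
            ''|'#'*) continue ;;
            '*')     def="$down $up" ;;
            "$cn")   printf '%s %s\n' "$down" "$up"; return 0 ;;
        esac
    done < "$file"
    [ -n "$def" ] && { printf '%s\n' "$def"; return 0; }
    return 1
}

# Decimal HTB class minor derived from the last two octets of the client's
# VPN address, so every host in up to a /16 pool gets its own class and
# filter priority (a fixed "1:1" collides on the second client).
class_minor() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($3 << 8) | $4 ))
}

# Install shaping for one client: $1=dev $2=client VPN IP $3=down $4=up
shape_up() {
    local dev=$1 ip=$2 down=$3 up=$4 minor cid
    minor=$(class_minor "$ip")
    cid=$(printf '1:%x' "$minor")
    # Root qdiscs are shared by all clients; re-adding them fails with
    # "File exists", and a non-zero exit here would reject the client.
    $TC qdisc add dev "$dev" root handle 1: htb 2>/dev/null || true
    $TC qdisc add dev "$dev" handle ffff: ingress 2>/dev/null || true
    # Server -> client: one HTB class per client, selected by destination IP
    $TC class add dev "$dev" parent 1: classid "$cid" htb rate "$down"
    $TC filter add dev "$dev" parent 1: protocol ip prio "$minor" \
        u32 match ip dst "$ip/32" flowid "$cid"
    # Client -> server: police on ingress, selected by source IP
    $TC filter add dev "$dev" parent ffff: protocol ip prio "$minor" \
        u32 match ip src "$ip/32" police rate "$up" burst 80k drop flowid :1
}

# Remove that client's filters and class again: $1=dev $2=client VPN IP
shape_down() {
    local dev=$1 ip=$2 minor cid
    minor=$(class_minor "$ip")
    cid=$(printf '1:%x' "$minor")
    $TC filter del dev "$dev" parent ffff: protocol ip prio "$minor" 2>/dev/null || true
    $TC filter del dev "$dev" parent 1: protocol ip prio "$minor" 2>/dev/null || true
    $TC class del dev "$dev" classid "$cid" 2>/dev/null || true
}

# Hook dispatch; does nothing when sourced or run outside OpenVPN.
case "${script_type:-}" in
    client-connect)
        rates=$(rate_for_cn "$common_name") || exit 1
        set -- $rates
        shape_up "$dev" "$ifconfig_pool_remote_ip" "$1" "$2" ;;
    client-disconnect)
        shape_down "$dev" "$ifconfig_pool_remote_ip" ;;
esac
```

Because every client gets its own class and its filters sit at their own priority, the disconnect hook can delete exactly that client's rules instead of tearing down the whole qdisc, and the rate table can be edited without touching the script. Run it with `TC=echo script_type=client-connect common_name=client1 dev=tun0 ifconfig_pool_remote_ip=10.8.0.6 ./shape.sh` to see the tc commands it would issue.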