I am setting up a VPN network with a lot of little devices (running OpenWRT). In my use case, the devices are all identified by a number and I would like their IP addresses to match their ID (e.g. device number 6 will have an IP in X.X.X.6).

I am aware of client-config-dir and ifconfig-push, but I cannot use them because all my devices use the same certificate (duplicate-cn is enabled). This is a requirement, since generating one certificate for each device would be too constraining (moreover, we don't want to change the configuration of the VPN server if we add a device to the system).

Is it possible to set the IP address in the client configuration file? I didn't find anything in the documentation about that particular topic. And everything I tried didn't succeed.

Basically, what I have in mind would be the following: the client connects to the VPN server and asks for a specific address ("give me the ip: 172.16.0.22"). If the address is already taken, the handshake fails. If it is free, the client is given the address it asked for.

You should be able to do this with the ifconfig-pool-persist config option. You can pre-configure the file and set seconds = 0 to tell OpenVPN to only read the file. We use it to ensure the same user is assigned the same IP when connected via VPN for audit purposes.

Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown. The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option.

file is a comma-delimited ASCII file, formatted as. If seconds = 0, file will be treated as read-only. This is useful if you would like to treat file as a configuration file.

Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push

Suppose we are setting up a company VPN, and we would like to establish separate access policies for 3 different classes of users:

System administrators - full access to all machines on the network

Employees - access only to Samba/email server

Contractors - access to a special server only