LinuxQuestions.org > Forums > Linux Forums > Linux - Software

#1  08-26-2010, 02:53 PM  ichrispa (Member; Dresden, Germany; OpenSuse 11.2/3, Debian 5.0, Debian 1.3.1, OpenBSD)
extended user & IP management with OpenVPN

Hi everyone,

I am looking into OpenVPN because I need to configure a heavily firewalled network for remote access.

I have configured OpenVPN before, however not for this kind of extensive network usage (just to connect to a single LAN).

What I want to do is the following:

There are two user groups: staff and guests. Guests can access the 10.1.0.0/16 IP range, staff both the 10.0.0.0/16 and the 10.1.0.0/16 ranges. I want to create two certificates: one for staff and one for guests.

In pseudo-syntax, something like this:

Code:
group staff {
     identified by certificate "staff.crt"
     server 10.8.0.0 255.255.255.0
     push route 10.0.0.0/16
     push route 10.1.0.0/16
}

group guests {
     identified by certificate "guest.crt"
     server 10.8.1.0 255.255.255.0
     push route 10.1.0.0/16
}
All I can find on the OpenVPN site is how to configure OpenVPN to serve a dynamic IP range to a user group and then assign individual IPs on a certificate basis (staff1, staff2, etc.) using the client-config-dir. But there seems to be no documented way to create two separate pools.

Since I want to avoid running two different OpenVPN servers to handle the two user groups, I wanted to ask around if someone has a solution for this.

thx
#2  08-27-2010, 12:19 PM  quanta (Member; Vietnam; RedHat based, Debian based, Slackware, Gentoo)
FYI:
Quote:
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
#3  08-28-2010, 09:04 AM  ichrispa (Original Poster)
Thanks for the reply quanta, but this excerpt from the sample config does what I mentioned above.

Supposing I have given the server the following directive:

client-config-dir ccd

Code:
server 10.9.0.0 255.255.0.0 #This would create an address pool for all connecting clients
route 10.9.0.0 255.255.255.252 #Route this subnet over VPN (info for the server)
Now adding the following line to the Thelonious config

Code:
ifconfig-push 10.9.0.1 10.9.0.2 #Push a single IP to Thelonious (must be taken from successive /30 subnets)
would assign the VPN client connecting with Thelonious's certificate that one IP address. Not a pool. So no two clients can use the Thelonious certificate at the same time without conflict.

I want a dynamic IP pool per client.
 
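The thread stops without a way to get two pools out of one server. What the ccd mechanism cannot do statically, a client-connect script can do dynamically: OpenVPN runs it for every connecting client with the certificate CN in the environment, and whatever the script writes to the file named in its first argument is applied as that client's per-connection config (the same place ccd files put ifconfig-push and push lines). The following script is an added example, not code from the thread or from the OpenVPN project. It assumes per-user certificates whose CN starts with staff- or guest- (a single shared staff.crt as proposed above would need duplicate-cn, and then revoking one person means re-issuing the whole group), a server directive of 10.8.0.0/16 with nopool and topology subnet, a staff pool of 10.8.1.0/24, a guest pool of 10.8.2.0/24, and a lease directory under /var/lib/openvpn; every address and path is an assumption, not something the posters stated.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): a client-connect /
# client-disconnect hook that gives one OpenVPN server two address pools, chosen
# by the certificate CN, and pushes only the routes that group may reach.
#
# Assumed server.conf fragment (addresses and paths are assumptions):
#   dev tun
#   topology subnet
#   server 10.8.0.0 255.255.0.0 nopool      # server takes 10.8.0.1; no default pool
#   script-security 2
#   client-connect    /etc/openvpn/group-pool.sh
#   client-disconnect /etc/openvpn/group-pool.sh
#   # "push route" only advises the client; enforce the split on the server, e.g.
#   #   iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.0.0.0/16 -j DROP
#
# OpenVPN exports $script_type, $common_name and (on disconnect)
# $ifconfig_pool_remote_ip, and passes the dynamic config file path as $1 on connect.

LEASE_DIR="${LEASE_DIR:-/var/lib/openvpn/leases}"
VPN_MASK=255.255.0.0

# Map a certificate CN to a group (assumed naming convention: staff-*, guest-*).
group_of() {
  case "$1" in
    staff-*) echo staff ;;
    guest-*) echo guests ;;
    *) return 1 ;;
  esac
}

# The /24 inside the server's /16 that each group draws addresses from (assumed).
pool_prefix() {
  case "$1" in
    staff)  echo 10.8.1 ;;
    guests) echo 10.8.2 ;;
    *) return 1 ;;
  esac
}

# Routes pushed to each group, one push directive per line.
pool_routes() {
  case "$1" in
    staff)  printf '%s\n' 'push "route 10.0.0.0 255.255.0.0"' 'push "route 10.1.0.0 255.255.0.0"' ;;
    guests) printf '%s\n' 'push "route 10.1.0.0 255.255.0.0"' ;;
    *) return 1 ;;
  esac
}

# Hand out the lowest free host address (.2-.254) of the group's pool.  A lease is
# a directory named after the address: mkdir either creates it or fails, so two
# allocations can never end up with the same address.
allocate() {
  a_group=$1 a_cn=$2
  a_prefix=$(pool_prefix "$a_group") || return 1
  mkdir -p "$LEASE_DIR/$a_group"
  i=2
  while [ "$i" -le 254 ]; do
    a_ip="$a_prefix.$i"
    if mkdir "$LEASE_DIR/$a_group/$a_ip" 2>/dev/null; then
      echo "$a_cn" > "$LEASE_DIR/$a_group/$a_ip/cn"
      echo "$a_ip"
      return 0
    fi
    i=$((i + 1))
  done
  return 1   # pool exhausted: the caller rejects the client
}

# Free a lease; refuse anything that is not a host address inside the group's pool.
release() {
  r_group=$1 r_ip=$2
  r_prefix=$(pool_prefix "$r_group") || return 1
  case "$r_ip" in
    "$r_prefix".[0-9]|"$r_prefix".[0-9][0-9]|"$r_prefix".[0-9][0-9][0-9])
      rm -rf "$LEASE_DIR/$r_group/$r_ip" ;;
    *) return 1 ;;
  esac
}

# Write the dynamic client config that OpenVPN applies after the script exits.
write_client_config() {
  w_group=$1 w_ip=$2 w_out=$3
  {
    echo "ifconfig-push $w_ip $VPN_MASK"
    pool_routes "$w_group"
  } > "$w_out"
}

# Dispatch on how OpenVPN invoked us; does nothing when run outside OpenVPN.
# A non-zero exit from client-connect makes OpenVPN reject the client.
case "${script_type:-}" in
  client-connect)
    group=$(group_of "$common_name") || { echo "no group for CN '$common_name'" >&2; exit 1; }
    ip=$(allocate "$group" "$common_name") || { echo "pool '$group' exhausted" >&2; exit 1; }
    write_client_config "$group" "$ip" "$1"
    ;;
  client-disconnect)
    group=$(group_of "$common_name") && release "$group" "${ifconfig_pool_remote_ip:-}"
    ;;
esac
```

Leases live only in the filesystem, so clear the lease directory from the server's up script at start; otherwise addresses held by clients that were connected when the daemon died stay allocated until the pool runs dry. The pushed routes are a convenience for the client, not an access control: a guest who adds a route to 10.0.0.0/16 by hand still sends packets down the tunnel, so the staff/guest boundary has to be enforced with forwarding rules on the server keyed on the two pool ranges.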