Re: [Openvpn-users] Making OpenVPN addresses dependent on the certificate

[Erich Titl <erich.titl@xxxxxxxx>]

James

James Yonan wrote:

> On Sat, 2 Apr 2005, Erich Titl wrote:
>
>  
>
> > Hi
> >
> > I read the HOWTO about client specific policies 
> > http://openvpn.net/howto.html#policy. Is there a way to have multiple 
> > address pools dependent on the client certificate (comparable to 
> > connections in FreeSWan) so one could easily define multiple group 
> > access policies.
> >    
>
> Right now the --ifconfig-pool directive (and macros like --server and
> --server-bridge which use it) only support a single pool per OpenVPN
> daemon.  This is mostly because those who want to use multiple address
> pools have already decided to use server-side per-client customizations
> through either --client-config-dir or --client-connect, and don't really
> need the ifconfig-pool feature any longer.
>
> So basically, there's two ways to do this:
>
> (1) Static Method: Use --client-config-dir, and create a file for each
> client with an ifconfig-push directive indicating a static address.  This 
> is described in the HOWTO.
>
> (2) Dynamic Method: Use --client-connect/--client-disconnect scripting 
> and implement your own pools in the script based on the common name.
>  
This sounds good, would you mind pointing me at the corresponding
documentation. I looked at the sample scripts, especially into verify-cn
and found it was easy to determine contents from the client certificate.
How can I dynamically assign address tuples, routes and other DHCP
information based on this information. I reckon there must be hooks in
the product providing this functionality.

Thanks

Erich




____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users