On Thu, 5 May 2005, John E. Peterson wrote:

> That was actually an interesting question because I think it answers
> something that I noticed. IP addresses are tied to certificates. What
> seems to be weird is that IP's seem to be created and tied in by the order
> the certs are logged in first time, NOT the number itself.
>
> What I have noticed for instance is if users log in first time in this
> order:
>
> cert02 ---> IP01
> cert04 ---> IP02
> cert01 ---> IP03
> cert03 ---> IP04
>
> that IP's are generated and "locked" in that order.

Right, that's the designed behavior. IP addresses are tied to certs, and
certs can be fully alphabetic -- they don't need to have embedded numbers in
their common names. So OpenVPN allocates IP addresses in the order of
connection, not by extracting any embedded number in the common name.

> In MY case, IP's then end up being locked to a particular workstation.
> (which 99% of the time is a particular user). Now, the question becomes,
> why do you want to assign IP's by USER? I happen to be running on a Windows
> Domain, so no matter what IP someone is from they are restricted by their
> login.

If you are using user/pass auth (with or without certs), you can use the
"username-as-common-name" flag on the server to have OpenVPN use the username
rather than the common name as its "name" for the connection.

James

> JP
> ----- Original Message -----
> From: "Charles Duffy" <cduffy@xxxxxxxxxxx>
> To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, May 04, 2005 8:58 PM
> Subject: [Openvpn-users] Re: User-IP pair
>
>
> > On Wed, 04 May 2005 19:34:58 -0500, Luis Daniel Lucio Quiroz wrote:
> >
> >> Is there a way to make OpenVPN assign an IP to a particular User, no
> >> matter what workstation it's logged on?
> >
> > Are certificates specific to the workstations or carried around by the
> > users (i.e. on a USB key)? If the latter, it's easy -- use a
> > client-config-dir with config files specifying the IP to use, and there
> > you are. (OTOH, if your goal is to trace back from an IP to the user who's
> > logged on, you can dynamically add DNS entries as part of your
> > learn-address scripts, which is what I do; the IPs may vary, but the
> > addresses stay the same). Otherwise, you can use username-as-common-name
> > to have the client-config-dir indexed by usernames; or you can have a
> > client-connect script that looks at the "username" variable to decide what
> > IP to assign.
> >
> > So, yes -- there are several ways to do this.
> >
> > _______________________________________________
> > Openvpn-users mailing list
> > Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
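The client-connect approach mentioned in the quoted message, sketched as an added example (not code from the thread or from the OpenVPN project): the hook validates the `username` variable before using it as a lookup key and fails closed, so an unknown or malformed name is rejected instead of getting a pool address. The map file path and its three-column format are assumptions made for this example; the `username` environment variable, the temp file passed as `$1`, and the `ifconfig-push` directive are OpenVPN's.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect hook that pins a tunnel IP to a username.
# Assumed server config line: client-connect /etc/openvpn/assign-ip.sh  (hypothetical path)
# Assumed map format, one user per line: "<username> <ip> <second ifconfig-push arg>"
# (the second argument is the peer address or netmask, depending on topology).
MAP_FILE="${MAP_FILE:-/etc/openvpn/user-ip.map}"   # hypothetical path

# valid_username NAME: accept only a conservative character set, so the name
# can never carry whitespace, path separators or shell metacharacters.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # empty, or contains a disallowed char
        .*) return 1 ;;                     # no leading dot ("." and ".." included)
        *) return 0 ;;
    esac
}

# lookup_ip NAME MAP: print the two address fields for an exact username match;
# exit non-zero when the user has no entry.
lookup_ip() {
    awk -v u="$1" '$1 == u && NF == 3 { print $2, $3; found = 1; exit }
                   END { exit !found }' "$2"
}

# assign_ip NAME MAP OUT: write an ifconfig-push directive to OUT.
# Any failure returns non-zero, which makes OpenVPN refuse the connection.
assign_ip() {
    valid_username "$1" || return 1
    pair=$(lookup_ip "$1" "$2") || return 1
    printf 'ifconfig-push %s\n' "$pair" > "$3"
}

# OpenVPN passes the temp file for dynamic directives as $1 and the
# authenticated login name in the "username" environment variable.
if [ "$#" -ge 1 ]; then
    assign_ip "${username:-}" "$MAP_FILE" "$1" || exit 1
fi
```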