Damir,
On Sat, Mar 04, 2006 at 01:29:54PM +0100, Damir Dezeljin wrote:
> Is it possible to force a specified IP address to be used by the client
> depending on its RSA certificate?
> I know I can use the push options to give some values to the client,
> however I would like to drop a connection if the client doesn't accept
> those values or if he changes its IP address?
> This way I would like to achieve a limited access per-client basis.
You should take a look into the options "client-config-dir" and
"ccd-exclusive".
> Is it possible to use a bridged and/or routed configuration based on
> client certificates?
No. You have to decide on a per-process basis which kind of setup you are
using. The openvpn process itself needs to know at its startup
whether it has to use a tun or a tap device. For your requirement you have to
use two different openvpn processes: one for the bridging setup and the
other one for the routing setup. In order to restrict the access to
these processes you might use different CAs.
> Few of my users need access to our LAN and so they are currently using a
> bridged network. Now I would like to implement a routed network for
> certain users as I understood it is easier to filter this traffic using
> iptables. This way only one port would be open for user connections.
> Afterwards a user will be connected to a bridged network with an IP from
> the 10.100.100.x range; on the other hand, outsourcers would be connected
> to a routed network with IPs in range e.g. 192.168.100.x .
Of course, it makes sense to use a different environment for
outsourcers.
Best regards,
Klaus
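
Added example, not part of the original message: a sketch of the routed instance suggested in the reply above, using "client-config-dir" and "ccd-exclusive" to pin a tunnel address to a certificate and a separate CA to keep it apart from the bridged instance. File names, paths, the port and the client name "outsourcer1" are assumptions made for illustration.

```conf
# --- routed instance, e.g. /etc/openvpn/routed.conf (path is an assumption) ---
dev tun                        # routed setup; the bridged instance is a second process with "dev tap"
port 1195                      # constructed value; must differ from the bridged instance's port
ca outsourcer-ca.crt           # hypothetical file: a CA that signs only certificates for this instance
cert routed-server.crt         # hypothetical file names
key routed-server.key
dh dh.pem
topology subnet                # OpenVPN 2.1 or later; ifconfig-push then takes "address netmask"
server 192.168.100.0 255.255.255.0
client-config-dir ccd          # per-client files, looked up by the certificate's Common Name
ccd-exclusive                  # reject any client that has no file in ccd/

# --- ccd/outsourcer1 (file name = Common Name of the client certificate; constructed) ---
ifconfig-push 192.168.100.10 255.255.255.0   # fixed tunnel address for this certificate
```

The address is assigned by the server, so iptables rules on the server can match on it as the source; in server mode OpenVPN drops tunnel packets whose source address is not the one associated with that client. A ccd file without an ifconfig-push line still passes ccd-exclusive and receives a dynamic pool address, so give every file its own ifconfig-push entry.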