Excellent, BlaaT. I got it working. Thank you for your help; it set me in the right direction.

Oh, by the way: the IP address in my original post was Google's, but the security consciousness is much appreciated (to all, albeit).

For some clarification on what I was trying to accomplish: I have a user who needs access to two file servers only. Instead of giving him full access through the VPN like a few other power users, I wanted to restrict his access. Iptables was already configured to allow the 10.9.0.0 network complete access, so I needed a new subnet (10.9.1.0). Anyway, I understand the way it works now, so the sky's the limit when restricting VPN access. :)

[server.conf]
route 10.9.1.0 255.255.255.0

[ccd]
ifconfig-push 10.9.1.249 10.9.1.250

I also created these IPTABLES rules to limit access.

$IPTABLES -A FORWARD -i tun0 -m state --state NEW --jump LOG --log-prefix Tunnel_into_intranet_10.9.1.0
$IPTABLES -A FORWARD -i tun0 --source 10.9.1.0/24 -d $FILESERVER -p tcp -m tcp --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -i tun0 --source 10.9.1.0/24 -d $FILESERVER2 -p tcp -m tcp --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -i tun0 --source 10.9.1.0/24 -d $NS1 -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i tun0 --source 10.9.1.0/24 -d $NS2 -p udp -m udp --dport 53 -j ACCEPT

-----Original Message-----
From: BlaaT 0001 [mailto:blaat0001@xxxxxxxxx]
Sent: Sunday, April 30, 2006 7:02 PM
To: Arthur DiSegna; Open VPN Forum
Subject: Re: [Openvpn-users] CCD Directory not being recognized?

Hello,

On 4/30/06, Arthur DiSegna <adisegna@xxxxxxxxxxxxxx> wrote:
>
> After reading the docs and some user posts, my ccd directory is not
> functioning as directed. The user still receives an IP address from
> the pool instead of the specified IP in the user_cn file.
>
> [file location]
>
> /etc/openvpn/server.conf
> /etc/openvpn/ccd/user_cn
>
> [server.conf]
>
> local 72.14.*.* # Better safe than sorry.....
> port 1199
> proto udp
> dev tun
> plugin /etc/openvpn/openvpn-auth-pam.so login
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key
> dh /etc/openvpn/keys/dh2048.pem
> server 10.9.0.0 255.255.255.0

Your virtual VPN network will be 10.9.0.0/24.

> ifconfig-pool-persist ipp.txt
> push "route 192.168.1.0 255.255.255.0"
> client-config-dir ccd
> route 10.9.1.0 255.255.255.252

What is the 10.9.1.0/30 network all about? What are you trying to accomplish?

> keepalive 10 120
> tls-auth /etc/openvpn/keys/ta.key 0
> comp-lzo
> max-clients 10
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 6
> tun-mtu 1400
> tun-mtu-extra 32
> fragment 1400
> mssfix 1400
>
> [/etc/openvpn/ccd/user_cn]
> ifconfig-push 10.9.1.1 10.9.1.2

The IP you're trying to push to the client is not part of the virtual OVPN
network you're hosting (server 10.9.0.0 255.255.255.0). 10.9.0.0/30
(10.9.0.0 - 10.9.0.3) is used by the server. 10.9.0.4/30 (10.9.0.4 -
10.9.0.7) is the first available /30 subnet for a client.

Try:

echo "ifconfig-push 10.9.0.6 10.9.0.5" > /etc/openvpn/ccd/user_cn

This should configure the client with a static IP of 10.9.0.6 upon next
connection. Make sure the client config includes the "client" directive (or at
least "pull").

Cheers.
BlaaT

-------------------------------------------------------
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
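A small worked version of the two pieces this thread turns on, picking a valid /30 pair for ifconfig-push and writing the FORWARD rules that fence one client subnet in. This is an added example, not code from either post or from OpenVPN. It assumes the OpenVPN 2.0 default "net30" tun topology that BlaaT describes (the server directive keeps the first /30 for itself and the pool hands out later /30 blocks, client on the .2 host of its block, server endpoint on the .1 host); the tun name, subnet and server addresses are placeholders the caller supplies. It goes slightly beyond the posts in two ways: it computes the pair for any block index, and it appends an ESTABLISHED return rule and a closing DROP, which Arthur's rule list does not show and which a practitioner would want so the restriction does not rest on the chain policy or on a broader 10.9.0.0 rule further down.

```python
"""Helpers for the ccd + iptables client restriction discussed in the thread.

Added example, not code from the mailing-list posts or from OpenVPN itself.
Assumes the OpenVPN 2.0 default net30 tun topology: "server 10.9.0.0
255.255.255.0" reserves 10.9.0.0/30 for the server (10.9.0.1 local,
10.9.0.2 remote) and the pool hands clients the later /30 blocks
(10.9.0.6/10.9.0.5, 10.9.0.10/10.9.0.9, ...).
"""
import ipaddress
from typing import List, Tuple


def net30_pair(server_net: str, index: int) -> Tuple[str, str]:
    """Return (client_ip, server_endpoint) for the index-th /30 block.

    Block 0 is the server's own pair, so clients start at index 1. Mirrors
    what the dynamic pool hands out: client gets the .2 host of its /30,
    the server-side endpoint is the .1 host (so index 1 of 10.9.0.0/24 is
    10.9.0.6 / 10.9.0.5, exactly the pair BlaaT suggested).
    """
    net = ipaddress.ip_network(server_net, strict=True)
    if index < 1 or (index + 1) * 4 > net.num_addresses:
        raise ValueError("block index outside the VPN network")
    base = int(net.network_address) + 4 * index
    return str(ipaddress.ip_address(base + 2)), str(ipaddress.ip_address(base + 1))


def is_net30_pair(local: str, remote: str) -> bool:
    """True if local/remote are the two host addresses of one /30, in either order.

    Accepts both 10.9.0.6/10.9.0.5 (pool convention) and Arthur's
    10.9.1.249/10.9.1.250; rejects e.g. 10.9.1.1/10.9.1.3, which straddles
    a /30 host pair.
    """
    a, b = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if a.version != b.version or a == b:
        return False
    same_block = int(a) // 4 == int(b) // 4
    return same_block and {int(a) % 4, int(b) % 4} == {1, 2}


def ccd_entry(local: str, remote: str) -> str:
    """Contents of /etc/openvpn/ccd/<common name>; refuses an invalid pair."""
    if not is_net30_pair(local, remote):
        raise ValueError(f"{local} {remote} is not a /30 host pair")
    return f"ifconfig-push {local} {remote}\n"


def forward_rules(tun: str, client_net: str,
                  fileservers: List[str], nameservers: List[str]) -> List[str]:
    """iptables FORWARD rules (argument form) limiting client_net to SMB on
    the file servers and DNS on the resolvers, with explicit return and drop
    rules. Placeholder addresses are supplied by the caller."""
    ipaddress.ip_network(client_net, strict=True)  # fail early on a bad subnet
    prefix = "Tunnel_into_intranet"  # --log-prefix accepts at most 29 characters
    rules = [f"-A FORWARD -i {tun} -s {client_net} -m state --state NEW "
             f"-j LOG --log-prefix {prefix}"]
    for fs in fileservers:
        rules.append(f"-A FORWARD -i {tun} -s {client_net} -d {fs} "
                     f"-p tcp --dport 445 -j ACCEPT")
    for ns in nameservers:
        rules.append(f"-A FORWARD -i {tun} -s {client_net} -d {ns} "
                     f"-p udp --dport 53 -j ACCEPT")
    # Replies to the accepted connections travel back out of the tunnel.
    rules.append(f"-A FORWARD -o {tun} -d {client_net} "
                 f"-m state --state ESTABLISHED,RELATED -j ACCEPT")
    # Closing DROP so the restriction does not depend on the chain policy or
    # on a broader rule for the unrestricted VPN pool later in the chain.
    rules.append(f"-A FORWARD -i {tun} -s {client_net} -j DROP")
    return rules


if __name__ == "__main__":
    client, endpoint = net30_pair("10.9.0.0/24", 1)
    print(ccd_entry(client, endpoint), end="")
    for r in forward_rules("tun0", "10.9.1.0/24",
                           ["192.168.1.10", "192.168.1.11"], ["192.168.1.2"]):
        print("iptables", r)
```

The rules are emitted in argument form so they can be prefixed with `iptables` (or fed to iptables-restore after an `*filter` header); the addresses in the `__main__` block are constructed placeholders, not values from the thread.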