Re: [Openvpn-users] Restrict access to VPN Server by CN
Does the client-connect script have to be somewhere inside the chroot? I guess yes.
Can it be a perl script?

I have a perl and a sh script; I started openvpn with
--client-connect /etc/openvpn/access.pl

When I try to connect I always get: "Could not execute shell command" -
the script is there and the executable bit is set.

What's wrong?

Torsten

On Monday, 04.06.2007, 18:33 -0300, Leonardo Rodrigues
Magalhães wrote:
> 
> 
> Stefan Bethke wrote: 
> > On 04.06.2007 at 18:01, Torsten Krah wrote:
> > 
> >   
> > > I've got a box with more than one vpn server instance running.
> > > 
> > > Now I've got the scenario that I need to restrict the access to these
> > > instances based on the CN of the certificate.
> > > Is this possible?
> > > CN=A should have access to VPN instance 1 - but not to the second one.
> > > CN=B should have access to both.
> > > How could this be done?
> > > 
> > > All the certificates are still valid - CRL is no choice - I only
> > > have to make sure that each CN can only access the vpn he is allowed
> > > to connect to.
> > > 
> > 
> > Use --client-config-dir and --ccd-exclusive: only clients who have a  
> > config file in the CCD will be allowed to connect.
> > 
> >   
>     Or maybe get some script for validating who can and who can't
> connect and get it running with --connect-script.
> 
>     You'll still need to edit something to get the desired behavior,
> but it will be a single file for all your CNs. With client-config-dir
> and ccd-exclusive you would need a bunch of files (in fact one for
> each allowed-to-connect CN).
> 
>     Scripts called in --client-connect can use the environment variable
> $common_name, set by OpenVPN, which will give you the ability to
> filter based on client-certificate CN.
> 
> 
> 
> -- 
> 
> 
> 	Atenciosamente / Sincerely,
> 	Leonardo Rodrigues
> 	Solutti Tecnologia
> 	http://www.solutti.com.br
> 
> 	My SPAM trap, do NOT send email
> 	gertrudes@xxxxxxxxxxxxxx
> 	My SPAMTRAP, do not email it
> 
> 
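The --client-connect gate Leonardo describes in the quoted reply above, as an added example (not code from the thread): OpenVPN exports the client certificate's CN as $common_name before running the script, and a non-zero exit status rejects the client. The allow-list path /etc/openvpn/allowed-cns and the log tag are assumptions; matching is on the whole line so that CN "A" does not admit "AB".

```shell
#!/bin/sh
# Added example: a --client-connect script that admits only listed CNs.
# OpenVPN sets $common_name from the client certificate before running it;
# exit 0 accepts the client, any other exit status rejects it.
# Assumed allow-list: /etc/openvpn/allowed-cns, one CN per line, '#' comments.

ALLOW_FILE="${ALLOW_FILE:-/etc/openvpn/allowed-cns}"

# cn_allowed CN FILE -> status 0 if CN appears as a whole line in FILE, else 1.
cn_allowed() {
    cn=$1
    file=$2
    [ -n "$cn" ] || return 1        # empty CN: reject
    [ -r "$file" ] || return 1      # unreadable/missing list: fail closed
    # drop comment lines, then look for an exact fixed-string whole-line match
    grep -v '^[[:space:]]*#' "$file" | grep -Fxq -- "$cn"
}

# Run the gate only when invoked by OpenVPN (common_name is in the environment).
if [ -n "${common_name+set}" ]; then
    if cn_allowed "$common_name" "$ALLOW_FILE"; then
        logger -t openvpn-cn-gate "accept CN=$common_name"   # assumed log tag
        exit 0
    fi
    logger -t openvpn-cn-gate "reject CN=$common_name"
    exit 1
fi
```

With --chroot in effect, the script, its interpreter (/bin/sh here) and the allow-list all have to be reachable inside the chroot, and the script path given to --client-connect is resolved relative to it.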
