[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Client ip part of certificate

  • Subject: Re: [Openvpn-users] Client ip part of certificate
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Fri, 12 Nov 2004 12:24:33 +0100 (CET)

On Fri, 12 Nov 2004, Michel Van den Bergh wrote:

In response to my own last email. Another option would be to make a directive on the server side which makes it possible to hand out ip's based on the credentials of the client. This is maybe the most elegant solution.

Funny you bring this up! There has been a discussion about this the last days in the following thread:

IP address hijacking in OpenVPN 2.0

It is already possible to hand out ip's based on the CN in the client certificate. You can use either a ccd file or a client-connect script. See the man page for more info.

When using tun interfaces OpenVPN protects against the user changing his IP address manually, but not with tap, which is what is beeing discussed in the thread refered to above.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail

Openvpn-users mailing list