[Openvpn-users] Re: Multiple users profiles

  • Subject: [Openvpn-users] Re: Multiple users profiles
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Wed, 08 Dec 2004 09:16:03 -0600

On Wed, 08 Dec 2004 14:10:25 +0100, Robert Hendrickx wrote:

> I think it would be nice in only one instance, based on a user name or a
> list of client cert IDs, to map each new connexion to some defined
> profiles, with a specific tap interface and a specific configuration (IP
> range, policies, ...). It would ease the moving of a user from one
> profile to the other (no client configuration to change), and give a
> more scalable solution for complex needs (teleworking, extranets, ...)

If I understand correctly what you want, this can mostly be done with
either the client-config-dir directive or a client-connect script.

The distinction is that all instances use a single tap address, so you'd
want to have your firewall rules based not on what tap address traffic is
coming from, but rather what chain it's in, and have your learn-address
script tell the firewall to send traffic into a specific chain based on
what IP it's coming from.

That way, users share the same IP range but still have different rights.

> In a perfect world, it would even be possible to receive this "profile"
> information from a LDAP database...

Your client-connect script could query LDAP and return the appropriate

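Added example, not part of the original message and not OpenVPN project code: a learn-address hook that sends each client's source IP into a per-profile firewall chain, as the reply describes. The chain names (VPN_DISPATCH, VPN_STAFF, VPN_EXTRANET, VPN_DEFAULT), the common-name mapping and the state directory are assumptions, and only IPv4 host addresses are handled.

```shell
#!/bin/sh
# Added example: learn-address hook steering VPN client IPs into per-profile chains.
# Assumes VPN_DISPATCH and the profile chains already exist (all names hypothetical).

IPT=${IPT:-echo iptables}                 # prints rules by default; set IPT=iptables to apply
STATE_DIR=${STATE_DIR:-/run/vpn-chains}   # hypothetical path; remembers addr -> chain

# Map a certificate common name to a chain (constructed; an LDAP lookup could replace this).
chain_for_cn() {
    case "$1" in
        alice|bob)  echo VPN_STAFF ;;
        partner-*)  echo VPN_EXTRANET ;;
        *)          echo VPN_DEFAULT ;;   # least-privileged chain for unknown names
    esac
}

# Accept only a dotted-quad host address. OpenVPN can also pass a MAC (dev tap) or a
# subnet; those are rejected here so nothing unexpected reaches iptables or a file path.
is_ipv4_host() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

drop_rule() {   # remove the dispatch rule recorded for address $1, if any
    [ -f "$STATE_DIR/$1" ] || return 0
    $IPT -D VPN_DISPATCH -s "$1" -j "$(cat "$STATE_DIR/$1")"
    rm -f "$STATE_DIR/$1"
}

# OpenVPN calls the hook as: <add|update|delete> <address> [<common name>]
# "delete" carries no common name, hence the recorded state.
learn_address() {
    op=$1 addr=$2 cn=$3
    is_ipv4_host "$addr" || return 1
    mkdir -p "$STATE_DIR"
    case "$op" in
        add|update)
            drop_rule "$addr"             # a profile change replaces the old rule
            chain=$(chain_for_cn "$cn")
            $IPT -A VPN_DISPATCH -s "$addr" -j "$chain"
            echo "$chain" > "$STATE_DIR/$addr" ;;
        delete) drop_rule "$addr" ;;
        *) return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then learn_address "$@"; fi
```

Moving a user to another profile only requires changing the mapping in `chain_for_cn`; the client configuration stays the same.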