[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] Re: Multiple users profiles

  • Subject: [Openvpn-users] Re: Multiple users profiles
  • From: Robert Hendrickx <robert_hendrickx@xxxxxxxx>
  • Date: Thu, 9 Dec 2004 13:47:55 +0100 (CET)

> If I understand correctly what you want, this can mostly be done with
> either the client-config-dir directive or a client-connect script.
It's true, it can be done, but I don't think it's really scalable.

> The distinction is that all instances use a single tap address, so you'd
> want to have your firewall rules based not on what tap address traffic is
> coming from, but rather what chain it's in, and have your learn-address
> script tell the firewall to send traffic into a specific chain based on
> what iP it's coming from.

The dynamic updating of firewall chains is, for me, quite difficult to handle...  First of all,
you must always be sure that even in case of a crash, of connectivity lost, or other strange
event, your chain is still correct, and does not give incorrect access to someone who received the
same address than a precedent connexion.
Secondly, for those who use some kind of rules generator for the Firewall part (I use Fwbuilder),
it's not possible to keep a specific chain for this purpose...  and you're never sure when the
rules are 'reloaded', and all your current connexions lost !

> That way, users share the same IP range but still have different rights.

Using complete different IP range also allows you to distinguish the user's profile on other
machines than your VPN server.  If you have multiple firewalls for diferent DMZ, you need well
known IP range to handle the security...

> Your client-connect script could query LDAP and return the appropriate
> directives.

It's true that all the profile selection can be delegated to scripts.

Robert Hendrickx.

Please, use only my address "robert.hendrickx@xxxxxxxxxxx"


Découvrez le nouveau Yahoo! Mail : 250 Mo d'espace de stockage pour vos mails ! 
Créez votre Yahoo! Mail sur http://fr.mail.yahoo.com/ 
Avec Yahoo! faites un don et soutenez le Téléthon en cliquant sur http://www.telethon.fr/030-Don/10-10_Don.asp

Openvpn-users mailing list