
Re: [Openvpn-users] Re: Multiple users profiles

  • Subject: Re: [Openvpn-users] Re: Multiple users profiles
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Thu, 9 Dec 2004 08:31:13 -0500

On Thu, 9 Dec 2004 13:47:55 +0100 (CET), Robert Hendrickx
<robert_hendrickx@xxxxxxxx> wrote:
> > If I understand correctly what you want, this can mostly be done with
> > either the client-config-dir directive or a client-connect script.
> It's true, it can be done, but I don't think it's really scalable.

True, but what would be more scalable? Groups of certs, perhaps
different configs based on the CA...

...or maybe different daemons for different groups?

> > The distinction is that all instances use a single tap address, so you'd
> > want to have your firewall rules based not on what tap address traffic is
> > coming from, but rather what chain it's in, and have your learn-address
> > script tell the firewall to send traffic into a specific chain based on
> > what IP it's coming from.
> The dynamic updating of firewall chains is, for me, quite difficult to handle...  First of all,
> you must always be sure that even in case of a crash, of connectivity loss, or other strange
> event, your chain is still correct, and does not give incorrect access to someone who received the
> same address as a previous connection.
> Secondly, for those who use some kind of rules generator for the Firewall part (I use Fwbuilder),
> it's not possible to keep a specific chain for this purpose...  and you're never sure when the
> rules are 'reloaded', and all your current connections lost!
> > That way, users share the same IP range but still have different rights.
> Using a completely different IP range also allows you to distinguish the user's profile on other
> machines than your VPN server.  If you have multiple firewalls for different DMZs, you need well
> known IP ranges to handle the security...
> > Your client-connect script could query LDAP and return the appropriate
> > directives.
> It's true that all the profile selection can be delegated to scripts.

Leonard Isham, CISSP 
Ostendo non ostento.
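The learn-address approach discussed in this thread (one tap/tun address range, per-client dispatch into a per-group firewall chain) can be sketched as a hook like the one below. This is an added example, not code from the thread or from the OpenVPN project; the chain names, the common-name-to-group mapping and the sample addresses are constructed. It separates planning the iptables commands from running them, purges any existing rule for an address before adding a new one (so a reused address never inherits the previous client's group, the concern raised above), and builds the match from a MAC address in tap mode or an IPv4 address or iroute subnet in tun mode.

```shell
#!/bin/sh
# Illustrative OpenVPN learn-address hook (added example, not OpenVPN's own code).
# OpenVPN invokes it as:  learn-address.sh <add|update|delete> <address> [<common name>]
# and needs "script-security 2" plus "learn-address /path/to/this/script" in the
# server config. One dispatch chain holds a rule per client that jumps to a
# per-group chain, so policy lives in the group chains and only the per-client
# dispatch rules change at runtime.

DISPATCH="vpn_dispatch"                          # chain this script manages
GROUP_CHAINS="vpn_admins vpn_devs vpn_default"   # constructed group chains (assumed to exist)

# Map a certificate common name to its group chain. Constructed example mapping;
# a real deployment might read a file or query LDAP here instead.
group_chain_for_cn() {
    case "$1" in
        admin-*) echo "vpn_admins" ;;
        dev-*)   echo "vpn_devs" ;;
        *)       echo "vpn_default" ;;
    esac
}

# Build the iptables match for the learned address. In tap mode OpenVPN reports a
# MAC address; in tun mode an IPv4 address or, for an iroute, a subnet.
# (IPv6 clients would need ip6tables and are not handled here.)
match_for() {
    hex='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $hex:$hex:$hex:$hex:$hex:$hex) echo "-m mac --mac-source $1" ;;
        */*)                           echo "-s $1" ;;
        *)                             echo "-s $1/32" ;;
    esac
}

# Print the commands that remove every dispatch rule for an address, whichever
# group it was in. Run on delete AND before add/update, so a reused address can
# never keep a previous client's group.
purge_cmds() {
    m=$(match_for "$1")
    for c in $GROUP_CHAINS; do
        echo "iptables -D $DISPATCH $m -j $c"
    done
}

# Print the commands for one learn-address event, one per line. Keeping the
# plan separate from execution makes the logic testable without root.
plan_rules() {
    op="$1"; addr="$2"; cn="$3"
    case "$op" in
        add|update)
            purge_cmds "$addr"
            echo "iptables -A $DISPATCH $(match_for "$addr") -j $(group_chain_for_cn "$cn")"
            ;;
        delete)
            purge_cmds "$addr"
            ;;
        *)
            echo "learn-address: unknown operation '$op'" >&2
            return 1
            ;;
    esac
}

# Execute the plan. A failing -D only means the rule was absent, which is fine;
# a failing -A is a real error, so the hook exits non-zero instead of leaving
# the client silently unclassified.
apply_rules() {
    plan=$(plan_rules "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        case "$cmd" in
            "iptables -D "*) sh -c "$cmd" 2>/dev/null || true ;;
            *)               sh -c "$cmd" || exit 1 ;;
        esac
    done
}

# Entry point when OpenVPN runs this file directly.
if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```

Two caveats that follow from the objections in the thread: the dispatch chain should be flushed once when the daemon starts (for instance from an `up` script) so rules left behind by a crash cannot outlive their sessions, and any rule generator that reloads the ruleset must recreate the dispatch and group chains and a jump into the dispatch chain, or every connected client loses its classification at the reload.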

Openvpn-users mailing list