
Re: [Openvpn-users] Re: Multiple users profiles

  • Subject: Re: [Openvpn-users] Re: Multiple users profiles
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 9 Dec 2004 15:46:33 -0700 (MST)

On Thu, 9 Dec 2004, Robert Hendrickx wrote:

> > If I understand correctly what you want, this can mostly be done with
> > either the client-config-dir directive or a client-connect script.
> It's true, it can be done, but I don't think it's really scalable.
> > The distinction is that all instances use a single tap address, so you'd
> > want to have your firewall rules based not on what tap address traffic is
> > coming from, but rather what chain it's in, and have your learn-address
> > script tell the firewall to send traffic into a specific chain based on
> > what IP it's coming from.
> The dynamic updating of firewall chains is, for me, quite difficult to
> handle...  First of all, you must always be sure that even in case of a
> crash, of lost connectivity, or other strange event, your chain is still
> correct, and does not give incorrect access to someone who received the
> same address as a previous connection. Secondly, for those who use
> some kind of rules generator for the Firewall part (I use Fwbuilder),
> it's not possible to keep a specific chain for this purpose...  and
> you're never sure when the rules are 'reloaded', and all your current
> connections lost!

I think the flexibility exists in 2.0 to handle this problem without 
resorting to dynamic firewall rules, such as

* Run multiple daemons for each access group, and statically firewall 
based on TUN/TAP interface, or

* Write a client-connect/disconnect script or plugin that queries LDAP 
or Radius and uses the common name of the client to segregate into 
an appropriate IP address range which already has static firewall access.

You could even use the client-connect/disconnect plugin mechanism to allow
multiple OpenVPN daemons running on different machines to query a
centralized user profile server, making the multiple server daemons
functionally identical from the client's perspective.

The clients could then connect to a randomly selected server within this
cloud of identically configured VPN daemons, which would provide load
balancing & failover (this is supported by allowing clients to specify a
list of "remote" directives).
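A concrete instance of the second option above (a client-connect script that places a client in a fixed address range by common name), added here as an example; it is not from the original post or from OpenVPN's own code. It assumes tap mode with the ranges inside the server's tap subnet, a constructed map file of the form `common_name group`, and OpenVPN's client-connect contract: `common_name` in the environment and the path of a temporary config file as the last argument.

```shell
#!/bin/sh
# Added example (not from the list post): map a client's certificate common
# name to an access group and push a fixed address inside that group's
# range, so static firewall rules keyed on the range need no dynamic updates.
# Assumed: tap mode, and the OpenVPN client-connect contract ($common_name
# in the environment, temporary config file path as the last argument).
# Constructed map file, one "common_name group" pair per line (assumed format).
GROUP_MAP="${GROUP_MAP:-/etc/openvpn/groups.map}"

# Group -> "subnet-base netmask". These are the ranges the static firewall
# rules are written against; they never change at runtime.
group_range() {
    case "$1" in
        admins) echo "10.8.1 255.255.255.0" ;;
        staff)  echo "10.8.2 255.255.255.0" ;;
        guests) echo "10.8.3 255.255.255.0" ;;
        *)      return 1 ;;
    esac
}

# Group for a common name; empty output means the name is not listed.
lookup_group() {
    awk -v cn="$1" '$1 == cn { print $2; exit }' "$GROUP_MAP"
}

# Stable host number 2..254 derived from the common name, so the same
# client lands on the same address on every connection.
host_number() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( sum % 253 + 2 ))
}

# Print the ifconfig-push line for a common name, or fail for unknown
# names or groups (a non-zero exit from client-connect rejects the client).
address_for() {
    cn=$1
    group=$(lookup_group "$cn")
    [ -n "$group" ] || return 1
    range=$(group_range "$group") || return 1
    base=${range% *}; mask=${range#* }
    echo "ifconfig-push $base.$(host_number "$cn") $mask"
}

# Entry point when OpenVPN runs this as the client-connect script.
if [ -n "$common_name" ]; then
    for cfg in "$@"; do :; done   # last argument is the temp config file
    line=$(address_for "$common_name") || exit 1
    echo "$line" >> "$cfg"
fi
```

Because the ranges are fixed, the firewall policy for each group can be written once against its subnet, which is the property the post argues for.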


Openvpn-users mailing list