On Wed, 15 Dec 2004, Irek Slonina wrote:
> is there any way to assign an ip and subnet for a client depending on a
> certificate, which he sends? I want to construct a configuration in a
> Something like rightid="C=PL, ST=*, O=Some org, OU=bla, CN=*, E=*" which
> is possible in openswan... but it can depend just on CN or E if it would
> ease the configuration.

Yes, this is possible. There are at least two ways:
* Use a --client-connect script. The CN is passed as an environment
  variable, which you can use to return the correct IP address.
* Use --client-config-dir and create a config file for each CN.
See the man-page for more info about these options.

> So far I was using openswan2 but I couldn't make a few tunnels because
> of some packet mangling on the road between the clients and a server.
> Because of my present configuration I need to not change my network
> structure - every client has an. /24 network in 10. subnetwork (from
> 10.1 up to 10.120) and server subnetwork is a /24 in 192.168 subnetwork
> if it does matter.

I'm not sure I understand exactly what you want to achieve, but you will
probably want to use a different subnet for the actual VPN addresses, like
172.16.0.0/24, where each client is assigned a /30 network out of this
network. Then you can use --iroute and --route to route a whole
10.x.0.0/24 to every client if you need that.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
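
An added example, not part of the original message and not OpenVPN's own code: a --client-connect hook in POSIX sh that maps the certificate CN to a fixed /30 out of 172.16.0.0/24 and an --iroute for that client's 10.x.0.0/24, as the reply above suggests. The CN names and the table are constructed; it assumes OpenVPN passes the temporary config file path as the hook's argument and the CN in $common_name.

```shell
#!/bin/sh
# Added example: CN -> fixed /30 tunnel addresses plus iroute. Sample data is constructed.
VPN_PREFIX="172.16.0"   # the 172.16.0.0/24 pool named in the reply
MAX_BLOCK=63            # a /24 holds 64 /30 blocks; block 0 is left for the server

# Constructed mapping "<CN> <x>", where the client's LAN is 10.<x>.0.0/24.
cn_table() {
cat <<'EOF'
branch-warsaw 1
branch-krakow 2
branch-gdansk 63
EOF
}

# Print the index for a CN. The CN comes from the peer's certificate, so only a
# conservative character set is accepted and unknown names fail closed.
lookup_index() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    cn_table | awk -v cn="$1" '$1 == cn { print $2; found = 1; exit } END { exit !found }'
}

# Print the per-client directives: client gets .(4x+2), server side .(4x+1).
# The server config still needs a matching --route for each 10.x.0.0/24.
client_directives() {
    idx=$(lookup_index "$1") || return 1
    [ "$idx" -ge 1 ] && [ "$idx" -le "$MAX_BLOCK" ] || return 1
    base=$((idx * 4))
    echo "ifconfig-push ${VPN_PREFIX}.$((base + 2)) ${VPN_PREFIX}.$((base + 1))"
    echo "iroute 10.${idx}.0.0 255.255.255.0"
}

# Hook entry point: write the directives to the file OpenVPN supplies.
# A non-zero exit makes OpenVPN refuse the connecting client.
if [ -n "${1:-}" ] && [ -n "${common_name:-}" ]; then
    client_directives "$common_name" > "$1" || exit 1
fi
```

With a /30 per client, a /24 pool covers 63 clients; the 120 client networks mentioned in the question would need a larger pool and a wider MAX_BLOCK calculation.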