
Re: [Openvpn-users] assign addresses to clients by a certificate

  • Subject: Re: [Openvpn-users] assign addresses to clients by a certificate
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Wed, 15 Dec 2004 20:33:34 +0100 (CET)

On Wed, 15 Dec 2004, Irek Slonina wrote:

> is there any way to assign an ip and subnet for a client depending on a
> certificate, which he sends? I want to construct a configuration in a
> server mode.
> Something like rightid="C=PL, ST=*, O=Some org, OU=bla, CN=*, E=*" which
> is possible in openswan... but it can depend just on CN or E if it would
> ease the configuration.

Yes, this is possible. There are at least two ways:

* Use a --client-connect script. The CN is passed as an environment variable, which you can use to return the correct IP address.

* Use --client-config-dir and create a config file for each CN.

See the man-page for more info about these options.

> So far I was using openswan2 but I couldn't make a few tunnels because
> of some packet mangling on the road between the clients and a server.
> Because of my present configuration I need to not change my network
> structure - every client has an. /24 network in 10. subnetwork (from
> 10.1 up to 10.120) and server subnetwork is an /24 in 192.168 subnetwork
> if it does matter.

I'm not sure I understand exactly what you want to achieve, but you will probably want to use a different subnet for the actual VPN addresses, like, where each client is assigned a /30 network out of this network. Then you can use --iroute and --route to route a whole 10.x.0.0/24 to every client if you need that.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
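
An added example (not part of the original message and not OpenVPN project code) of the first option above: a --client-connect handler that maps the certificate CN to an `ifconfig-push` /30 pair and an `iroute` for the LAN behind the client. The map file path, the CN names and every address are constructed placeholders; the script relies on OpenVPN exporting the CN as `common_name` and passing a temporary config file path as the script's last argument.

```shell
#!/bin/sh
# --client-connect handler: per-client tunnel address and LAN route by CN.
# The server config still needs a matching "route" for each client LAN.

# Constructed sample map, one client per line:
#   CN  client-tunnel-IP  /30-peer-IP  client-LAN  LAN-netmask
sample_map() {
cat <<'EOF'
branch001 10.200.0.5 10.200.0.6 10.1.0.0 255.255.255.0
branch002 10.200.0.9 10.200.0.10 10.2.0.0 255.255.255.0
EOF
}

# emit_client_config CN MAPFILE OUTFILE
# Returns 0 on success, 1 for an unknown CN, 2 for a malformed CN.
emit_client_config() {
    cn=$1
    map=$2
    out=$3
    # The CN comes from the peer's certificate, so treat it as untrusted
    # input: accept only a strict character set before using it anywhere.
    case $cn in
        ''|*[!A-Za-z0-9_-]*) return 2 ;;
    esac
    while read -r name tun_ip peer_ip lan_net lan_mask; do
        [ "$name" = "$cn" ] || continue
        {
            printf 'ifconfig-push %s %s\n' "$tun_ip" "$peer_ip"
            printf 'iroute %s %s\n' "$lan_net" "$lan_mask"
        } > "$out"
        return 0
    done < "$map"
    return 1   # unknown CN: fail closed, no default address
}

# Entry point when invoked by OpenVPN (common_name is set in the environment).
# /etc/openvpn/cn-map.txt is a hypothetical location for the map file.
if [ -n "${common_name:-}" ] && [ "$#" -ge 1 ]; then
    for last; do :; done   # the temp config file is the last argument
    # A non-zero exit makes OpenVPN refuse the connecting client.
    emit_client_config "$common_name" /etc/openvpn/cn-map.txt "$last" || exit 1
fi
```

With --client-config-dir the same two directives would instead sit in a file named after the CN, one file per client.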
