
Re: [Openvpn-users] duplicate-cn and persistent IP's

  • Subject: Re: [Openvpn-users] duplicate-cn and persistent IP's
  • From: "Serge Wautier" <serge@xxxxxxxxxxx>
  • Date: Tue, 10 Apr 2007 08:28:37 +0200

Obviously, emitting a certificate for each client would help. Would deployment be so difficult?

From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Taso A
Sent: Tuesday, April 10, 2007 4:44
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [Openvpn-users] duplicate-cn and persistent IP's


I am having some difficulty configuring persistent IP addresses for several remote machines. My physical setup includes multiple (four) different sites, each with several machines that have static public IP addresses. I would like to create one certificate or authentication mechanism per site due to ease of deployment and ease of removal if the sites change. I am using the VPN tunnel to facilitate monitoring via SNMP and the monitor app ties to IP addresses (not hostnames) for monitored devices, so my goal is to persist the VPN IP addresses for all the machines at all the sites that will be monitored.

So far I have successfully set up a site with a single certificate (using the duplicate-cn directive); however, I cannot find a way to persist the IP addresses given to each remote (static public IP) client. From what I have read, the easiest way to persist IPs is to use the client-config-dir directive and issue a separate certificate per client. Since I am using duplicate certs, my clients all connect with the same common_name, which eliminates the ability to have one client-config-dir file per client (based on common_name). The "shared" common_name also scuttles the ifconfig-pool-persist mechanism since it is based on common_name/ip address pairs.

I am hoping someone has a suggestion to try or can point to a solution I have overlooked in the docs/mailing lists. I am not entirely new to OpenVPN but this is the first time I have rolled out a configuration of this scale (about 60 machines, four sites, with potential for rapid growth). I can post my configuration files if that would help, but I don't think this is a problem with an existing configuration, but rather one I have yet to implement.
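The per-client-certificate approach discussed in this thread, as an added example that is not part of the original messages: a script that gives every client common name a fixed VPN address and writes one client-config-dir file per name. It assumes `duplicate-cn` is removed, the server uses `topology subnet`, and `client-config-dir` points at the generated directory; the subnet, site names and common names are constructed.

```python
import ipaddress
import re
from pathlib import Path

VPN_NET = ipaddress.ip_network("10.8.0.0/22")    # assumed VPN subnet (constructed)
SITE_BLOCKS = {                                   # assumed: one /24 block per site
    "site-a": ipaddress.ip_network("10.8.1.0/24"),
    "site-b": ipaddress.ip_network("10.8.2.0/24"),
}
# The CN becomes a file name in the CCD directory, so reject anything
# that could escape it or collide with other files.
CN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def assign(inventory, existing=None):
    """Map each client CN to a fixed VPN IP; existing assignments never move."""
    result = dict(existing or {})
    used = set(result.values())
    for site, cns in inventory.items():
        block = SITE_BLOCKS[site]
        if not block.subnet_of(VPN_NET):
            raise ValueError(f"{block} is outside {VPN_NET}")
        free = (ip for ip in block.hosts() if ip not in used)
        for cn in cns:
            if not CN_RE.match(cn):
                raise ValueError(f"unsafe common name: {cn!r}")
            if cn in result:
                continue                  # keep the address the monitor already knows
            ip = next(free, None)
            if ip is None:
                raise ValueError(f"no free address left in {block}")
            result[cn] = ip
            used.add(ip)
    return result

def write_ccd(assignments, ccd_dir):
    """Write one CCD file per CN containing its ifconfig-push line."""
    ccd = Path(ccd_dir)
    ccd.mkdir(parents=True, exist_ok=True)
    for cn, ip in assignments.items():
        (ccd / cn).write_text(f"ifconfig-push {ip} {VPN_NET.netmask}\n")

if __name__ == "__main__":
    inventory = {"site-a": ["site-a-host1", "site-a-host2"],  # constructed sample
                 "site-b": ["site-b-host1"]}
    write_ccd(assign(inventory), "ccd")
```

Removing a site then means revoking its certificates and deleting its CCD files. Keep the static blocks outside any dynamic address pool configured on the server.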
