
Re: [Openvpn-users] Can I have more than one virtual ip scope on the VPN server?

  • Subject: Re: [Openvpn-users] Can I have more than one virtual ip scope on the VPN server?
  • From: Christopher Friedt <cfriedt@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 28 May 2007 09:55:12 +0200

Hi Arnstein,

We have something similar at my company, where we have several 'zones' 
which are each run as a separate openvpn instance. As far as I know 
however, there is no way to do this without running multiple instances 
of openvpn.

From a programming perspective, having a configuration file that 
identified zones wouldn't be so difficult to realize. Would anyone be up 
for the task?

I think what Arnstein is implying is having an original openvpn instance 
parse a text configuration file, and then have that process spawn either 
several 'child threads' or child processes to serve each of the 
specified zones.

Undoubtedly, this would probably introduce a few more security / 
heuristic considerations as well.

Since we're on the topic of features anyway, does anyone else think that 
it would be valuable to have a DB handle the key / certificate records 
as opposed to easy-rsa? SQLite maybe? A more general DB layer?

I wouldn't mind volunteering to put together a zone parser for openvpn 
configuration files if other people, and the openvpn maintainers, 
express some interest.


Arnstein.Nydahl@xxxxxxxxxxx wrote:
> I have different groups of clients which should have access to one or
> more subnets behind my firewall. Is it possible to set up the
> OpenVPN-server with more than one virtual IP scope, or do I have to run
> one openvpn-instance for each IP scope?
> Based on the how-to on openvpn.net, I have set up my system to have one
> dhcp-scope defined in server.conf for one group of users:
> <Server>, and thus giving out specific IP
> addresses to all other clients to be able to control different access
> through the firewall. This requires me to make one config file
> (..openvpn/ccd/<commonname>) for each client I want to give a specific
> address <if-config-push>. I want to avoid this manual
> process of making a config file for all other users than the ones
> belonging to my "basic" subnet (
> Oh, and my firewall is on a different server than my vpn-instance (if it
> matters..).
> Any insight is welcomed
> Arnstein