
Re: [Openvpn-users] Restrict access to VPN Server by CN

  • Subject: Re: [Openvpn-users] Restrict access to VPN Server by CN
  • From: Leonardo Rodrigues Magalhães <leolistas@xxxxxxxxxxxxxx>
  • Date: Mon, 04 Jun 2007 18:33:03 -0300

Stefan Bethke wrote:
On 04.06.2007 at 18:01, Torsten Krah wrote:

I've got a box with more than one VPN server instance running.

Now I've got the scenario that I need to restrict the access to these
instances based on the CN of the certificate.
Is this possible?
CN=A should have access to VPN instance 1 - but not to the second one.
CN=B should have access to both.
How could this be done?

All the certificates are still valid - CRL is no choice - I only have to
make sure that each CN can only access the VPN he is allowed to

Use --client-config-dir and --ccd-exclusive: only clients who have a
config file in the CCD will be allowed to connect.

    Or maybe get some script for validating who can and who can't connect and get it running with --connect-script.

    You'll still need to edit something to get the desired behavior, but it will be a single file for all your CNs. With client-config-dir and ccd-exclusive you would need a bunch of files (in fact one for each allowed-to-connect CN).

    Scripts called in --client-connect can use the environment variable $common_name, set by OpenVPN, which will give you the ability to filter based on the client-certificate CN.


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia

	My SPAM trap, do NOT send email to it
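One way to implement the --client-connect filter described in this reply, as an added example that is not part of this thread or of the OpenVPN project: a POSIX sh hook that allows a connection only when $common_name appears, as a whole line, in a per-instance allowlist file, so each server instance can point at its own list. The ALLOWED_CNS variable, its default path and the character-set check are assumptions made for this illustration.

```shell
#!/bin/sh
# Hypothetical --client-connect hook (example code, not OpenVPN's own).
# OpenVPN sets $common_name to the CN of the verified client certificate
# before running this script; a non-zero exit status rejects the client.

# Allowlist file, one CN per line. Assumed convention: each server
# instance sets its own path with "setenv ALLOWED_CNS /path" in its config.
: "${ALLOWED_CNS:=/etc/openvpn/allowed-cns.txt}"

# cn_allowed CN FILE -> returns 0 if CN is listed in FILE, 1 otherwise.
# Whole-line fixed-string match, so "alice" does not match "alice2" and
# no regex metacharacters in a CN are interpreted.
cn_allowed() {
    cn=$1
    file=$2
    [ -n "$cn" ] || return 1          # empty CN: deny
    [ -r "$file" ] || return 1        # missing/unreadable list: fail closed
    case $cn in
        *[!A-Za-z0-9._@-]*) return 1 ;;   # conservative charset (assumption)
    esac
    grep -qxF -- "$cn" "$file"
}

# Only act as a hook when OpenVPN invoked us (i.e. $common_name is set).
if [ -n "${common_name:-}" ]; then
    if cn_allowed "$common_name" "$ALLOWED_CNS"; then
        echo "cn-filter: allowed CN=$common_name" >&2
        exit 0
    fi
    echo "cn-filter: denied CN=$common_name" >&2
    exit 1
fi
```

Install it with `client-connect /path/to/this-script.sh` (plus `script-security 2`) in each instance's server config; the second instance simply gets a different ALLOWED_CNS file containing only the CNs it should accept.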