Hi,

On Mon, Mar 24, 2014 at 11:19:00AM -0400, Jason Frisvold wrote:
>       I read elsewhere that there was an upper limit of about 200 concurrent
> users per openVPN instance.  This was a post from 2010, though, so I'm
> curious if this is still the limit.

No idea, TBH.  Eric says it is still so, but I'd assume that CPU performance
has gone up, so more sessions may be possible.

The caveat is that OpenVPN is single-core, single-thread (which is 
non-trivial to fix) so it won't nicely utilize modern multi-core systems
unless you run multiple instances.

How many clients you can connect depends on the client's profile, in the
end - clients that disconnect/reconnect frequently (mobile) cause more
load on the server than clients that just connect, and send a few
packets ("interactive login") every now and then...


>       Our current VPN implementation assigns an IP based on LDAP group
> membership.  There are several different IP pools available.  I'd like
> to replicate this behavior in openVPN.  Does openVPN support multiple IP
> pools?  I realize I can run multiple instances of openVPN, but solving
> this at the user level is rough, at best.

Eric mentioned per-client-configs - this can be used to assign static
IP addresses per client, but (as far as I'm aware) there is currently 
no way to configure multiple *pools* and assign clients to individual
pools, with the pool being managed by the OpenVPN server.

If you can get the LDAP server or "anything else" to manage the pool
and return a single IP address, you can use that in --client-connect
to tell OpenVPN "this is what this user gets!".


>       I'm also planning on using post-auth scripts to build iptables rules on
> the openvpn server.  The intention here is to use the ip pools as a
> large sieve and the iptables rules to provide additional security.  Are
> there any known issues with this approach?  It's similar to what I see
> on big iron solutions, but I haven't tried this with openVPN and linux
> as of yet.

"Should work fine"

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             [email protected]
fax: +49-89-35655025                        [email protected]
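
As an added example (not part of the message above and not OpenVPN project code), here is a `--client-connect` hook that lets something outside OpenVPN manage several pools and hand back one address per user. It writes an `ifconfig-push` line into the temporary config file OpenVPN passes as the last argument. Assumptions: `topology subnet`, a constructed user-to-group table standing in for the LDAP lookup, constructed pool ranges, a hypothetical lease file path, and the first host of each pool reserved for the server.

```python
import ipaddress
import json
import os
import sys

# Constructed sample data; a real deployment would ask LDAP for the group.
GROUP_POOLS = {
    "staff": ipaddress.ip_network("10.8.1.0/29"),
    "contractors": ipaddress.ip_network("10.8.2.0/29"),
}
USER_GROUP = {"alice": "staff", "bob": "staff", "mallory": "contractors"}
LEASE_FILE = "/var/lib/openvpn/leases.json"  # hypothetical path

def allocate(common_name, leases):
    """Return (ip, network), reusing the user's lease if it is still valid."""
    group = USER_GROUP[common_name]  # KeyError for unknown users: fail closed
    net = GROUP_POOLS[group]
    held = leases.get(common_name)
    if held and ipaddress.ip_address(held) in net:
        return held, net
    # Skip the first host address, assumed to be the server's own tunnel IP.
    for host in list(net.hosts())[1:]:
        if str(host) not in leases.values():
            leases[common_name] = str(host)
            return str(host), net
    raise LookupError(f"pool {net} for group {group} is exhausted")

def directive(ip, net):
    """ifconfig-push line for 'topology subnet': address plus netmask."""
    return f"ifconfig-push {ip} {net.netmask}\n"

def main(argv, env):
    leases = {}
    if os.path.exists(LEASE_FILE):
        with open(LEASE_FILE) as fh:
            leases = json.load(fh)
    try:
        ip, net = allocate(env["common_name"], leases)
    except LookupError as exc:  # KeyError is a LookupError too
        print(exc, file=sys.stderr)
        return 1  # non-zero exit makes OpenVPN reject the client
    with open(LEASE_FILE, "w") as fh:
        json.dump(leases, fh)
    with open(argv[-1], "w") as fh:  # OpenVPN passes the temp file last
        fh.write(directive(ip, net))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

The server needs `script-security 2` and a `client-connect` line pointing at the script. Because each user keeps a sticky address inside their group's pool, firewall rules can be written per pool range.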
