Hi,

On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> Is there some way to set up an OpenVPN server with multiple distinct VPN
> segments behind a common listening port, such that I can dispatch
> connections based on which CA signed the client certificate?

With intermediate CAs, this might work.  With distinct CAs that have
nothing to do with each other, not sure how to get the server to trust
all of them.

> I've been trying to avoid having different config-files on the clients if
> possible, but having different keys and certificates is fine.

Your client certificates *could* encode different meaning into the
DN, like

  client-marketing-1234
  client-tech-567

and then have the client-connect script shell out client options (IP
addresses, possibly VLANs, ...) according to the "marketing" or "tech"
part.

> If it's not something that OpenVPN can manage itself, maybe there's some
> sort of proxy that I could put in front of OpenVPN? Sort-of like how slt
> can dispatch to different back-end TLS ports based on SNI, except based
> on the client credentials presented instead of SNI?

Not that I'm aware.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

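The CN-based dispatch sketched above, written out as an added example (this is not code from the mail or from the OpenVPN project). It is a --client-connect script: OpenVPN exports the verified client certificate's CN as $common_name and passes the path of a freshly created temporary file as the script's last argument ($1 when the directive is just "client-connect /path/to/script"); directives written to that file apply to this one client, and a non-zero exit rejects the connection. The group names "marketing" and "tech" come from the mail; the routes and DNS addresses are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original mail: an OpenVPN --client-connect
# script that derives per-client options from a CN of the form
# client-<group>-<id>.  OpenVPN sets $common_name in the environment and
# passes a temporary file path as $1; directives written there are applied
# to this client only, and exiting non-zero refuses the connection.
# The subnets and DNS servers below are assumptions for the example.

# group_of_cn CN -> prints the <group> token; fails unless CN looks like
# client-<group>-<id> with a non-empty group and id
group_of_cn() {
    case "$1" in
        client-?*-?*) ;;
        *) return 1 ;;
    esac
    rest="${1#client-}"          # drop the leading "client-"
    printf '%s\n' "${rest%%-*}"  # keep everything up to the next "-"
}

# options_for_group GROUP -> prints the OpenVPN directives for that group.
# Unknown groups fail, so the client is refused rather than silently
# dropped into some default segment.
options_for_group() {
    case "$1" in
        marketing)
            printf 'push "route 10.10.1.0 255.255.255.0"\n'
            printf 'push "dhcp-option DNS 10.10.1.53"\n'
            ;;
        tech)
            printf 'push "route 10.10.2.0 255.255.255.0"\n'
            printf 'push "route 10.10.3.0 255.255.255.0"\n'
            printf 'push "dhcp-option DNS 10.10.2.53"\n'
            ;;
        *)
            return 1
            ;;
    esac
}

# write_client_options CN FILE -> writes the directives for CN into FILE;
# fails (and writes nothing useful) if CN or its group is not recognised
write_client_options() {
    group=$(group_of_cn "$1") || return 1
    options_for_group "$group" > "$2" || return 1
}

# When invoked by OpenVPN: apply the options for this client or reject it.
if [ -n "$common_name" ] && [ -n "$1" ]; then
    write_client_options "$common_name" "$1" || exit 1
fi
```

Hook it in with "client-connect /path/to/this-script" and "script-security 2" in the server config. The security of the dispatch rests entirely on the server's CA check: the group token is trusted only because the CN comes from a certificate the server already verified against its CA, so whoever can obtain a certificate whose CN starts with "client-tech-" gets the tech segment. The script itself cannot tell which CA issued the certificate, which is the question the original mail asked about.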

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
