Hi,

On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> Is there some way to set up an OpenVPN server with multiple distinct VPN
> segments behind a common listening port, such that I can dispatch
> connections based on which CA signed the client certificate?

With intermediate CAs, this might work. With distinct CAs that have
nothing to do with each other, not sure how to get the server to trust
all of them.

> I'm trying to avoid having different config-files on the clients if
> possible, but having different keys and certificates is fine.

Your client certificates *could* encode different meaning into the DN,
like

    client-marketing-1234
    client-tech-567

and then have the client-connect script shell out client options
(IP addresses, possibly VLANs, ...) according to the "marketing" or
"tech" part.

> If it's not something that OpenVPN can manage itself, maybe there's
> some sort of proxy that I could put in front of OpenVPN? Sort-of like
> how slt can dispatch to different back-end TLS ports based on SNI,
> except based on the client credentials presented instead of SNI?

Not that I'm aware.

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                        Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
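A sketch of the client-connect dispatch suggested in the reply above, added here as an example and not code from the thread or from the OpenVPN project. The function names, the strict `client-<group>-<digits>` CN check and the pushed networks are assumptions made for illustration; a CN that fails the check makes the hook exit non-zero, which refuses the connection.

```shell
#!/bin/sh
# Added example of a client-connect hook (server side: "script-security 2"
# and "client-connect /path/to/this-script"). OpenVPN exports the verified
# certificate CN as $common_name and passes the path of a per-client
# config file as the last argument.

# Print the group from a CN shaped client-<group>-<digits>; return 1 for
# anything else, so odd characters never reach the generated config.
cn_group() {
    case "$1" in
        client-*-*) ;;
        *) return 1 ;;
    esac
    rest=${1#client-}
    group=${rest%-*}
    id=${rest##*-}
    case "$group" in ''|*[!a-z]*) return 1 ;; esac
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$group"
}

# Emit the options for one group. The networks are constructed samples.
group_options() {
    case "$1" in
        marketing)
            echo 'push "route 10.20.0.0 255.255.0.0"' ;;
        tech)
            echo 'push "route 10.30.0.0 255.255.0.0"'
            echo 'push "route 10.31.0.0 255.255.0.0"' ;;
        *) return 1 ;;   # unknown group: deny by default
    esac
}

# Write the options for CN $1 into file $2; non-zero means "refuse client".
handle_connect() {
    group=$(cn_group "$1") || return 1
    group_options "$group" > "$2" || return 1
}

# Act as the hook only when OpenVPN has set up the environment.
if [ -n "${common_name:-}" ] && [ $# -ge 1 ]; then
    for out in "$@"; do :; done   # last argument is the config file
    handle_connect "$common_name" "$out" || exit 1
fi
```

The hook only runs after the certificate has verified against the server's configured CA, so the CN convention has to be enforced at issuance time as well.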