On Tue, Nov 26, 2019 at 5:38 AM Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi,
>
> On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> > Is there some way to set up an OpenVPN server with multiple distinct VPN
> > segments behind a common listening port, such that I can dispatch
> > connections based on which CA signed the client certificate?
>
> With intermediate CAs, this might work.  With distinct CAs that have
> nothing to do with each other, not sure how to get the server to trust
> all of them.

That's surprising to me... I've never tried it, but I always assumed
that the ca file could contain multiple independent CAs, and so long
as a cert was signed by one of them, it was considered valid.

And actually, looking at the documentation, it says: "This file can
have multiple certificates in .pem format, concatenated together."


However, to the question at hand, as with so very many things with
openvpn, this seems like something that's not built in, but you can
certainly do it...

I've played around some with writing programs to interact with the
openvpn management interface, and when a client connects, you get a
*lot* of information, with which you can choose to do whatever you
want.  You could have multiple CAs, independent or intermediate, or
you could have one CA and give clients certificates with distinct
OUs, which will come through the management interface like:
">CLIENT:ENV,X509_0_OU=Testing".  And then your program interfacing
with the management port can do whatever with that information,
including but not limited to assigning IP addresses based on that
info, or setting firewall rules based on it, or whatever.

-Joe

>
> > I've been trying to avoid having different config-files on the clients if
> > possible, but having different keys and certificates is fine.
>
> Your client certificates *could* encode different meaning into the
> DN, like
>
>   client-marketing-1234
>   client-tech-567
>
> and then have the client-connect script shell out client options (IP
> addresses, possibly VLANs, ...) according to the "marketing" or "tech"
> part.
>
> > If it's not something that OpenVPN can manage itself, maybe there's some
> > sort of proxy that I could put in front of OpenVPN? Sort-of like how slt
> > can dispatch to different back-end TLS ports based on SNI, except based
> > on the client credentials presented instead of SNI?
>
> Not that I'm aware.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users


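The two approaches described in this thread (Gert's client-connect script keyed on the certificate DN, and Joe's program on the management port reacting to `>CLIENT:ENV` lines) both boil down to the same decision: look at the verified certificate's attributes and emit per-client options. The following is an added example and not code from the thread or from the OpenVPN project. It assumes a server run with `topology subnet` and, for the management-port path, with `--management-client-auth` so that the management client answers each `>CLIENT:CONNECT` with `client-auth`/`client-deny`. The segment table, CA names, OU values and the `client-<segment>-<n>` common-name convention are all made up for the example; the sample event block is constructed, not captured. One detail worth knowing for the original question: OpenVPN exports the whole chain as `X509_{n}_{field}`, depth 0 being the client certificate and depth 1 its issuer, so the signing CA's CN is available as `X509_1_CN` alongside the `X509_0_OU` that Joe mentions.

```python
"""Dispatch OpenVPN clients to a VPN segment from certificate attributes.

Added example (not from the mailing-list thread).  The same decision logic
serves two hooks:
  * a --client-connect script, which gets the variables in os.environ and
    writes options to the file named in argv[1];
  * a management-interface client, which receives the same variables as
    ">CLIENT:ENV,key=value" lines after ">CLIENT:CONNECT,{CID},{KID}".
"""
import ipaddress
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# Hypothetical segment table (assumption for this example).  The issuing CA's
# CN (X509_1_CN) decides the segment; the client cert's OU (X509_0_OU) is only a
# fallback for deployments with a single CA, because with several independent
# CAs concatenated in the ca file any one of them could issue any OU.
SEGMENTS = {
    "marketing": {"subnet": "10.10.1.0/24", "routes": ["192.168.10.0 255.255.255.0"]},
    "tech": {"subnet": "10.10.2.0/24", "routes": ["192.168.20.0 255.255.255.0",
                                                  "192.168.21.0 255.255.255.0"]},
}
CA_TO_SEGMENT = {"Marketing Root CA": "marketing", "Tech Root CA": "tech"}
OU_TO_SEGMENT = {"Marketing": "marketing", "Tech": "tech"}

# Gert's "client-marketing-1234" naming: the trailing number becomes the host part.
CN_RE = re.compile(r"^client-[a-z]+-(\d+)$")

# Constructed management-interface event block, the shape OpenVPN sends after a
# successful TLS handshake when --management-client-auth is in effect.
SAMPLE_EVENT = [
    ">CLIENT:CONNECT,3,1",
    ">CLIENT:ENV,common_name=client-marketing-12",
    ">CLIENT:ENV,X509_0_CN=client-marketing-12",
    ">CLIENT:ENV,X509_0_OU=Marketing",
    ">CLIENT:ENV,X509_1_CN=Marketing Root CA",
    ">CLIENT:ENV,trusted_ip=198.51.100.7",
    ">CLIENT:ENV,END",
]


def parse_client_connect(lines: List[str]) -> Tuple[str, str, Dict[str, str]]:
    """Parse one >CLIENT:CONNECT block into (cid, kid, env)."""
    cid = kid = None
    env: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(">CLIENT:CONNECT,"):
            cid, kid = line[len(">CLIENT:CONNECT,"):].split(",", 1)
        elif line.startswith(">CLIENT:ENV,"):
            body = line[len(">CLIENT:ENV,"):]
            if body == "END":
                break
            key, _, value = body.partition("=")  # values may themselves contain '='
            env[key] = value
    if cid is None or kid is None:
        raise ValueError("no >CLIENT:CONNECT line in event block")
    return cid, kid, env


def choose_segment(env: Dict[str, str]) -> Optional[str]:
    """Issuer CN first, client OU as fallback; None means 'no segment'."""
    seg = CA_TO_SEGMENT.get(env.get("X509_1_CN", ""))
    if seg is None:
        seg = OU_TO_SEGMENT.get(env.get("X509_0_OU", ""))
    return seg


def client_options(env: Dict[str, str]) -> Optional[List[str]]:
    """Return the per-client option lines, or None if the client must be refused."""
    seg = choose_segment(env)
    match = CN_RE.match(env.get("common_name", ""))
    if seg is None or match is None:
        return None
    net = ipaddress.ip_network(SEGMENTS[seg]["subnet"])
    host = int(match.group(1))
    # Reserve .0 (network), .1 (server side) and the broadcast address.
    if not 2 <= host < net.num_addresses - 1:
        return None
    opts = [f"ifconfig-push {net[host]} {net.netmask}"]  # topology subnet form
    opts += [f'push "route {route}"' for route in SEGMENTS[seg]["routes"]]
    return opts


def management_reply(cid: str, kid: str, env: Dict[str, str]) -> str:
    """Build the management-interface answer to a >CLIENT:CONNECT event."""
    opts = client_options(env)
    if opts is None:
        return f'client-deny {cid} {kid} "no VPN segment for this certificate"\n'
    return f"client-auth {cid} {kid}\n" + "\n".join(opts) + "\nEND\n"


def client_connect_main(argv: List[str]) -> int:
    """Entry point when installed as --client-connect: non-zero exit rejects."""
    if len(argv) < 2:
        return 1
    opts = client_options(dict(os.environ))
    if opts is None:
        return 1
    with open(argv[1], "w") as fh:
        fh.write("\n".join(opts) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(client_connect_main(sys.argv))
```

For the management-port path, feed each event block to `parse_client_connect` and write `management_reply(...)` back to the socket; a client that maps to no segment is refused with `client-deny` rather than silently landing in a default pool. Keying on `X509_1_CN` is what actually answers "which CA signed the client certificate"; the OU fallback is only trustworthy when exactly one CA is in the `ca` file.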