On 11/26/19 4:28 PM, Joe Patterson wrote:
> On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen
> <rozzin.o...@hackerposse.com> wrote:
>>
>> On 11/26/19 5:36 AM, Gert Doering wrote:
>>> Your client certificates *could* encode different meaning into the
>>> DN, like
>>>
>>>   client-marketing-1234
>>>   client-tech-567
>>>
>>> and then have the client-connect script shell out client options (IP
>>> addresses, possibly VLANs, ...) according to the "marketing" or "tech"
>>> part.
>>
>> Yeah--I've actually done some things with client-connect and tls-verify
>> scripts already, e.g. dynamic DNS updates and custom logging of things
>> like certificate-expiries.
>>
>> Can I actually use different *server-side* configuration options like
>> "route" and "ifconfig-pool" for different subsets of clients of a single
>> server instance if I feed them into the tempfile from a client-connect
>> script?
> 
> pretty sure not, I think you can only feed things that you would have
> been able to put in a ccd file (so ifconfig-push, yes.  ifconfig-pool,
> no.  iroute yes, route no).  But you can roll your own dynamic IP
> address assignment, and pass it as ifconfig-push.  And while you can't
> pass "route" directives, you certainly can (assuming the script is
> running with the appropriate privileges) run an "ip route" command to
> do what you would have done with the route directive.

That I'd have to roll my own address-allocation/-management is basically
what I was afraid of :\

Actually, another concern was whether I'd have some sort of additional
security concern to worry about: because right now, I have several distinct
tun devices on the server, and I can have iptables distinguish between
client-classes based on which tun device the traffic is coming from.
Presumably the OpenVPN server won't actually let clients change their
virtual IP addresses to something other than what the server pushed them
via ifconfig-push? Using separate tun devices, I haven't had to worry about
whether that was true....


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
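
An added example, not from this thread and not OpenVPN project code, of the approach Joe describes above: a client-connect script that derives the class from the certificate CN (`client-marketing-1234`, `client-tech-567`), keeps its own per-class address leases, writes only the directives a ccd file could hold (`ifconfig-push`, `push "route ..."`) into the tempfile OpenVPN passes as the script's argument, and replaces the server-side `route` directive with an `ip route` command. The class names, the two /24 subnets, the pushed networks, the lease-file layout under `STATE_DIR` and the `DRY_RUN` switch are all hypothetical; `common_name` and `dev` are the environment variables OpenVPN sets for scripts.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): a client-connect script
# that maps a certificate CN to a client class and hands out addresses itself.
# Hypothetical layout: class "marketing" lives in 10.8.10.0/24, class "tech"
# in 10.8.20.0/24, and leases are kept in $STATE_DIR/<class>.leases as
# "<host> <cn>" lines.  OpenVPN sets common_name and dev in the environment
# and passes the tempfile path as the script's argument.

STATE_DIR="${STATE_DIR:-/var/lib/openvpn-classes}"

# class_from_cn CN: "client-<class>-<id>" -> <class>; anything else -> unknown
class_from_cn() {
    case "$1" in
        client-marketing-*) echo marketing ;;
        client-tech-*)      echo tech ;;
        *)                  echo unknown ;;
    esac
}

# class_subnet CLASS: first three octets of the class's /24 (constructed values)
class_subnet() {
    case "$1" in
        marketing) echo 10.8.10 ;;
        tech)      echo 10.8.20 ;;
        *)         return 1 ;;
    esac
}

# class_lan CLASS: server-side network pushed to that class (constructed values)
class_lan() {
    case "$1" in
        marketing) echo "192.0.2.0 255.255.255.0" ;;
        tech)      echo "198.51.100.0 255.255.255.0" ;;
        *)         return 1 ;;
    esac
}

# allocate_host CLASS CN: stable host number (2..254) for CN within its class.
# An existing lease is reused; otherwise the lowest free host is recorded.
allocate_host() {
    leases="$STATE_DIR/$1.leases"
    mkdir -p "$STATE_DIR"
    touch "$leases"
    existing=$(awk -v cn="$2" '$2 == cn { print $1; exit }' "$leases")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    h=2
    while [ "$h" -le 254 ]; do
        if ! grep -q "^$h " "$leases"; then
            echo "$h $2" >> "$leases"
            echo "$h"
            return 0
        fi
        h=$((h + 1))
    done
    return 1   # class pool exhausted
}

# write_client_options FILE CLASS HOST: only directives a ccd file could hold.
write_client_options() {
    net=$(class_subnet "$2") || return 1
    lan=$(class_lan "$2") || return 1
    {
        echo "ifconfig-push $net.$3 255.255.255.0"
        echo "push \"route $lan\""
    } > "$1"
}

# client_connect FILE: entry point OpenVPN calls.  A CN matching no class
# returns non-zero, which makes OpenVPN reject the connection.  The kernel
# route does what a server-side "route" directive would have done; it is
# skipped when DRY_RUN=1 so the script can be exercised without privileges.
client_connect() {
    cn=${common_name:?common_name not set by OpenVPN}
    class=$(class_from_cn "$cn")
    if [ "$class" = unknown ]; then
        echo "client-connect: refusing $cn (no class)" >&2
        return 1
    fi
    host=$(allocate_host "$class" "$cn") || return 1
    write_client_options "$1" "$class" "$host" || return 1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        ip route replace "$(class_subnet "$class").0/24" dev "${dev:?dev not set}"
    fi
}

# Run as a script when OpenVPN passes the tempfile; do nothing when sourced.
if [ -n "${1:-}" ]; then
    client_connect "$1"
fi
```

With every class sharing one tun device, the iptables rules have to key on the per-class source subnet (10.8.10.0/24 versus 10.8.20.0/24 in this example) instead of on the interface name, so the script's allocation becomes the thing the firewall trusts. Two properties keep that trustworthy: a non-zero exit from the script makes OpenVPN refuse the connection, so a CN that fits no class never gets an address at all; and OpenVPN's server mode drops packets from a client whose source address is not the one it assigned (or one covered by an `iroute` for that client), logging them as a bad source address, so a client cannot hop into another class's subnet by reconfiguring its own interface.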
