Is there any sort of subnet size limitation I should be aware of? Like, if I
tell OpenVPN a "server" directive with a /19 specified, should I expect any
problems from that?
(The routing and firewalling rules are straightforward, and there won't actually
be _that_ many clients at this point, but if I have to roll my own
address-management, just allocating 1k-address subnets eases some pains...)

On 11/26/19 4:28 PM, Joe Patterson wrote:
> On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen
> <rozzin.o...@hackerposse.com> wrote:
>>
>> On 11/26/19 5:36 AM, Gert Doering wrote:
>>> Hi,
>>>
>>> On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
>>>> Is there some way to set up an OpenVPN server with multiple distinct VPN
>>>> segments behind a common listening port, such that I can dispatch
>>>> connections based on which CA signed the client certificate?
>>>
>>> With intermediate CAs, this might work.  With distinct CAs that have
>>> nothing to do with each other, not sure how to get the server to trust
>>> all of them.
>>>
>>>> I've been trying to avoid having different config-files on the clients
>>>> if possible, but having different keys and certificates is fine.
>>>
>>> Your client certificates *could* encode different meaning into the
>>> DN, like
>>>
>>>   client-marketing-1234
>>>   client-tech-567
>>>
>>> and then have the client-connect script shell out client options (IP
>>> addresses, possibly VLANs, ...) according to the "marketing" or "tech"
>>> part.
>>
>> Yeah--I've actually done some things with client-connect and tls-verify
>> scripts already, e.g. dynamic DNS updates and custom logging of things
>> like certificate-expiries.
>>
>> Can I actually use different *server-side* configuration options like
>> "route" and "ifconfig-pool" for different subsets of clients of a single
>> server instance if I feed them into the tempfile from a client-connect
>> script?
> 
> pretty sure not, I think you can only feed things that you would have
> been able to put in a ccd file (so ifconfig-push, yes.  ifconfig-pool,
> no.  iroute yes, route no).  But you can roll your own dynamic IP
> address assignment, and pass it as ifconfig-push.  And while you can't
> pass "route" directives, you certainly can (assuming the script is
> running with the appropriate privileges) run an "ip route" command to
> do what you would have done with the route directive.
> 
> -Joe
> 

-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
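The pattern discussed above (a client-connect script that hands OpenVPN only ccd-style directives via the temp file, and runs "ip route" itself for what the "route" directive would have done), as an added example that is not part of the thread. The subnets, the "topology subnet" setting and the rule that id 1 in each department is that department's gateway are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenVPN client-connect script
# that dispatches clients by the CN pattern Gert suggested (client-<dept>-<id>),
# writing only ccd-style directives (ifconfig-push, push "route", iroute) to the
# temp file OpenVPN passes as $1, and installing the server-side kernel route
# with "ip route" as Joe describes. Subnets, "topology subnet" and the "id 1 is
# the department gateway" rule are constructed assumptions.

# Per-department client /24 (first three octets) and department LAN.
dept_params() {
    case "$1" in
        marketing) echo "10.8.1 192.168.10.0" ;;
        tech)      echo "10.8.2 192.168.20.0" ;;
        *)         return 1 ;;   # unknown department: no config, client refused
    esac
}

# Print "<dept> <id>" for a CN of the form client-<dept>-<id>, nothing otherwise.
parse_cn() {
    printf '%s\n' "$1" | sed -n 's/^client-\([a-z][a-z]*\)-\([1-9][0-9]*\)$/\1 \2/p'
}

# ccd-style lines for one CN; non-zero status on a CN outside the scheme (client refused).
client_config() {
    fields=$(parse_cn "$1"); [ -n "$fields" ] || return 1
    dept=${fields%% *}; id=${fields##* }
    params=$(dept_params "$dept") || return 1
    net=${params%% *}; lan=${params##* }
    # ids 1..253 -> hosts .2-.254: unique, never the network/broadcast address.
    [ "$id" -le 253 ] || return 1
    printf 'ifconfig-push %s.%s 255.255.255.0\n' "$net" "$((id + 1))"
    if [ "$id" -eq 1 ]; then
        printf 'iroute %s 255.255.255.0\n' "$lan"        # LAN sits behind the gateway
    else
        printf 'push "route %s 255.255.255.0"\n' "$lan"  # send the LAN through the VPN
    fi
}

# The kernel route the server needs for a gateway's iroute ($dev is the tun
# name OpenVPN exports to scripts); printed so it can be checked or executed.
kernel_route_cmd() {
    printf 'ip route replace %s/24 dev %s\n' "$1" "${dev:-tun0}"
}

# Entry point when OpenVPN invokes the script: $1 is the temp file it reads back.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    client_config "$common_name" > "$1" || exit 1
    lan=$(awk '/^iroute /{print $2}' "$1")
    [ -z "$lan" ] || $(kernel_route_cmd "$lan")
fi
```

The script needs "script-security 2" on the server and enough privilege for "ip route" to succeed; a CN that does not fit the scheme yields no config and a non-zero exit, so the connection is refused.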


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
