Re: [Openvpn-devel] OpenVPN 2.0 feature request - fixed-address

2004-04-01 Thread Arkadiusz Patyk
On Thu, 1 Apr 2004 16:19:52 -, you wrote:

>Arkadiusz Patyk  said:
>> ifconfig-pool is fine, but I would need an option for IP
>> reservation for users.
>> The reservation could be realized on the basis of x509name
>> for example:
>> fixed-address 10.8.0.46 /C=PL/ST=NA/O=Dot.net/CN=Maciej.Nowak/emailAddress=m.no...@firma.com
>> fixed-address 10.8.0.50 /C=PL/ST=NA/O=Dot.net/CN=Zenon.Ptak/emailAddress=z.p...@firma.com
>> 
>> which would guarantee that user X always gets address Y
>> as option fixed-address in dhcpd
>> 
>> The possibility of IP reservation will simplify firewall configuration -
>> especially if it is installed on a machine other than the openvpn server.
>
>Yes, I agree that this feature is necessary.  But I'm concerned that making
>options that take an x509 name as a parameter (as you propose with
>'fixed-address' above) might not be general enough.  I think that people are
>going to want the ability to arbitrarily customize the options which are
>pushed back to the client based on the client's x509 name.
>
>What if it were done by scripting?

Nice, it's OK for me. 

>A script would be called with the x509 name, and the script could then
>generate options which would either be executed locally or pushed to the 
>client.
>This would offer more general, programmatic control over customizing the
>tunnel based on the x509 name.

All options?

-- 
Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org/]
[IRC:areq ICQ:16231667  GG:1383]  [AP3-6BONE] [AP14126-RIPE]



Re: [Openvpn-devel] OpenVPN 2.0 feature request - fixed-address

2004-04-01 Thread James Yonan
Arkadiusz Patyk  said:

> Hi
> 
> ifconfig-pool is fine, but I would need an option for IP
> reservation for users.
> The reservation could be realized on the basis of x509name
> 
> for example:
> 
> fixed-address 10.8.0.46 /C=PL/ST=NA/O=Dot.net/CN=Maciej.Nowak/emailAddress=m.no...@firma.com
> fixed-address 10.8.0.50 /C=PL/ST=NA/O=Dot.net/CN=Zenon.Ptak/emailAddress=z.p...@firma.com
> 
> which would guarantee that user X always gets address Y
> as option fixed-address in dhcpd
> 
> The possibility of IP reservation will simplify firewall configuration -
> especially if it is installed on a machine other than the openvpn server.

Yes, I agree that this feature is necessary.  But I'm concerned that making
options that take an x509 name as a parameter (as you propose with
'fixed-address' above) might not be general enough.  I think that people are
going to want the ability to arbitrarily customize the options which are
pushed back to the client based on the client's x509 name.

What if it were done by scripting?

A script would be called with the x509 name, and the script could then
generate options which would either be executed locally or pushed to the client.

This would offer more general, programmatic control over customizing the
tunnel based on the x509 name.

James
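
Added example, not part of the thread and not OpenVPN project code: a sketch of the kind of script proposed above, called with the client's x509 name and printing the options for that client. The table uses the `fixed-address` syntax from the request; the sample names, the `10.8.0.0/24` pool and the `ifconfig-push` output line are assumptions.

```python
import ipaddress
import sys

# Constructed sample data in the "fixed-address <ip> <x509 name>" form proposed above.
RESERVATIONS = """\
fixed-address 10.8.0.46 /C=PL/O=Example/CN=user.one
fixed-address 10.8.0.50 /C=PL/O=Example/CN=user.two
"""
POOL = ipaddress.ip_network("10.8.0.0/24")  # assumed ifconfig-pool subnet


def parse_reservations(text, pool=POOL):
    """Return {x509 name: address}; reject bad, out-of-pool or duplicate entries."""
    table, seen = {}, set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] != "fixed-address":
            raise ValueError(f"line {n}: expected 'fixed-address <ip> <x509 name>'")
        addr, name = ipaddress.ip_address(parts[1]), parts[2]
        if addr not in pool or addr in (pool.network_address, pool.broadcast_address):
            raise ValueError(f"line {n}: {addr} is not a usable address in {pool}")
        if addr in seen or name in table:
            raise ValueError(f"line {n}: duplicate address or name")
        seen.add(addr)
        table[name] = addr
    return table


def options_for(x509_name, table, pool=POOL):
    """Options for one client; an empty list means 'use the dynamic pool'."""
    # Exact match on the whole name: matching only CN= or a substring would let
    # a differently issued certificate with the same CN claim the reservation.
    addr = table.get(x509_name)
    if addr is None:
        return []
    # Assumed output syntax: OpenVPN's ifconfig-push with address and netmask.
    return [f"ifconfig-push {addr} {pool.netmask}"]


if __name__ == "__main__":
    # The server would pass the verified certificate's x509 name as argv[1].
    for opt in options_for(sys.argv[1], parse_reservations(RESERVATIONS)):
        print(opt)
```

Because the firewall rules would trust these addresses, the table is validated when it is loaded: an address outside the pool or a duplicate reservation stops the script instead of reaching a client.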




[Openvpn-devel] OpenVPN 2.0 feature request - fixed-address

2004-04-01 Thread Arkadiusz Patyk
Hi

ifconfig-pool is fine, but I would need an option for IP
reservation for users.
The reservation could be realized on the basis of x509name

for example:

fixed-address 10.8.0.46 /C=PL/ST=NA/O=Dot.net/CN=Maciej.Nowak/emailAddress=m.no...@firma.com
fixed-address 10.8.0.50 /C=PL/ST=NA/O=Dot.net/CN=Zenon.Ptak/emailAddress=z.p...@firma.com

which would guarantee that user X always gets address Y
as option fixed-address in dhcpd

The possibility of IP reservation will simplify firewall configuration -
especially if it is installed on a machine other than the openvpn server.

-- 
Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org]
[IRC:areq ICQ:16231667  GG:1383]  [AP3-6BONE] [AP14126-RIPE]