Re: [Openvpn-devel] Re: [Openvpn-users] OpenVPN 2.0 and firewall

2004-03-31 Thread Arkadiusz Patyk
On Wed, 31 Mar 2004 18:39:45 -, you wrote:

>Arkadiusz Patyk said:
>
>> Hi
>> 
>> Two very significant things for me are:
>> 1. In my configurations, VPN users have different rights to resources
>> (access list on firewall - iptables).   I have to know the client IP to
>> correctly set up the firewall; how can I do this in 2.x?   How can I
>> achieve this in case of dynamic IP assignment?
>
>You can use the --ipchange script which is passed the common name and source
>IP address every time a client connects.  I probably need to add a new
>environmental variable that contains the dynamically allocated --ifconfig-pool
>subnet.

With dropping privileges and chroot it could be difficult ;(

Is any script executed after the connection termination?

>> 2. Is it possible to run a few servers (each of them on their own tap)
>> on the same machine?
>
>Yes, it is possible to run many '--mode server' servers on the same machine,
>each having their own tun interface (tap interfaces are not supported yet in
>--mode server mode).
>
>This would be a good way to differentiate access rights for different client
>classes.

Not in my particular case - I have a different access list for each user
- N users = N servers = openvpn 1.x ;-)


-- 
Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org/]
[IRC:areq ICQ:16231667  GG:1383]  [AP3-6BONE] [AP14126-RIPE]



[Openvpn-devel] Re: [Openvpn-users] OpenVPN 2.0 and firewall

2004-03-31 Thread James Yonan
Arkadiusz Patyk said:

> Hi
> 
> Two very significant things for me are:
> 1. In my configurations, VPN users have different rights to resources
> (access list on firewall - iptables).   I have to know the client IP to
> correctly set up the firewall; how can I do this in 2.x?   How can I
> achieve this in case of dynamic IP assignment?

You can use the --ipchange script which is passed the common name and source
IP address every time a client connects.  I probably need to add a new
environmental variable that contains the dynamically allocated --ifconfig-pool
subnet.

> 2. Is it possible to run a few servers (each of them on their own tap)
> on the same machine?

Yes, it is possible to run many '--mode server' servers on the same machine,
each having their own tun interface (tap interfaces are not supported yet in
--mode server mode).

This would be a good way to differentiate access rights for different client
classes.

James

> -- 
> Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org/]
> [IRC:areq ICQ:16231667  GG:1383]  [AP3-6BONE] [AP14126-RIPE]
> 
> 
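The per-user firewall idea discussed above (a hook that receives the client's common name and address and installs an iptables access list for that user), as an added example that is not part of the thread and not OpenVPN's own code. It assumes the hook is invoked as `hook.sh <common-name> <client-ip>`; OpenVPN's real `--ipchange` command receives the peer address and port as arguments and exports the common name in the environment, so the entry point at the bottom is the place to adapt. The access list, the chain naming scheme (`vpn_<cn>`) and the `APPLY=1` switch are all constructed for the example; without `APPLY=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN's own code): map a client's
# certificate common name to a per-user iptables access list.
# Assumption: called as "hook.sh <common-name> <client-ip>". iptables is only
# executed when APPLY=1; otherwise the commands are printed for review.

# Constructed access list: "common-name host:port host:port ...".
# A common name that is absent from the list gets a deny-all chain.
ACL='
alice 192.168.10.5:22 192.168.10.5:443
bob 192.168.10.9:3306
'

# Print the destinations a common name may reach (empty if none).
acl_lookup() {
    printf '%s\n' "$ACL" | awk -v cn="$1" '
        $1 == cn { for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# The common name comes from a certificate, i.e. from outside this script, so
# only accept characters that are safe in a chain name and a shell command.
# iptables chain names are limited to 28 characters; the "vpn_" prefix uses 4.
valid_cn() {
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 24 ]
}

# Accept only a dotted-quad address (the only form this example handles).
valid_ip() {
    case "$1" in
        '' | *[!0-9.]*) return 1 ;;
    esac
}

# Emit the iptables commands for one client. Each client gets its own chain so
# a reconnect (or a later disconnect hook) can flush it without touching others.
rules_for_client() {
    cn=$1; ip=$2; chain="vpn_$cn"
    valid_cn "$cn" || { echo "rejecting unsafe common name" >&2; return 1; }
    valid_ip "$ip" || { echo "rejecting unsafe client address" >&2; return 1; }
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    for d in $(acl_lookup "$cn"); do
        host=${d%%:*}; port=${d##*:}
        echo "iptables -A $chain -d $host -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A $chain -j DROP"
    # Drop any stale jump for this address before adding the fresh one, so a
    # reconnecting client does not accumulate duplicate FORWARD entries.
    echo "iptables -D FORWARD -s $ip -j $chain"
    echo "iptables -A FORWARD -s $ip -j $chain"
}

# Execute the rules (APPLY=1) or just show them. The -N and -D steps are
# expected to fail harmlessly on a first connect, hence "|| true".
apply_rules() {
    rules_for_client "$1" "$2" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd" || true; else echo "$cmd"; fi
    done
}

# Entry point when invoked as a hook (see the assumption at the top).
if [ "$#" -ge 2 ]; then
    apply_rules "$1" "$2"
fi
```

One caveat that follows directly from the reply above it: the hook runs with whatever privileges OpenVPN holds when it calls it, so on a server that drops privileges with `--user`/`--group` or confines itself with `--chroot`, the script cannot reach `iptables` itself. A common arrangement in that case is for the hook to only record the (common name, address) pair somewhere a separate privileged helper outside the chroot can read it, and to let that helper run the commands this script prints.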


