Netgate Discussion Forum
    Limiting scope of openVPN access

    OpenVPN
    15 Posts 3 Posters 8.1k Views
    • arstacey

      Thanks jimp. Do you see any limits on how many people I can set up this way? Down the road, we may have as many as 500 users who are on the road, and I want to give each user a VPN that only accesses their own virtual desktop.

      • jimp (Rebel Alliance Developer, Netgate)

        Just use a large enough subnet to accommodate your users * 4. So in your case, ~512*4=2048 IPs, so a /21 or a /20's worth of IPs in any of the private blocks would work.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Nachtfalke

          Hi,

          I noticed some problems with "Client Specific overrides".

          I am using an OpenVPN Server with Tunnel Network 10.0.1.0/24

          I tried with Client specific override tunnel network of 10.0.2.120/30

          The client could connect to the server but got no access. That's OK, because of the wrong subnet.
          OK, I then deleted the complete client specific override for this client/CN and restarted the OpenVPN server, but the client still got the IP of the 10.0.2.120/30 subnet.

          I created a client specific override for this client/CN again and didn't choose any tunnel network (so it used the server's default), and then it connected fine and got an IP of the 10.0.1.0/24 subnet.

          Did I do something wrong?!

          • jimp (Rebel Alliance Developer, Netgate)

            Yes, the static IPs for overrides must be within the tunnel network.


            • Nachtfalke

              @jimp:

              Yes, the static IPs for overrides must be within the tunnel network.

              Yes, I wrote that in my previous post, I think.

              What I want to say is:

              If I create an override for a client, the override is working.
              If I delete the override completely, the override still exists.

              • jimp (Rebel Alliance Developer, Netgate)

                You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.


                • Nachtfalke

                  @jimp:

                  You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

                  Thanks. Good to know, but I did restart the OpenVPN server after every change I made.

                  --- EDIT ---

                  I tested it again:

                  Restarting OpenVPN Server
                  OpenVPN-Server Tunnel Network is: 10.0.1.0/24
                  Client Specific Override Tunnel Network: 10.0.1.180/30
                  Restarting OpenVPN Server
                  Connecting Client
                  This is working. The client's IP after connecting to the server is 10.0.1.181/30
                  Disconnecting client
                  Deleting Client specific override
                  Restarting server
                  Connecting Client
                  This is working. The client's IP is still 10.0.1.181/30

                  I attached some screenshots: OpenVPN-Server.JPG, Override.JPG, OVPN-IP.JPG

                  • jimp (Rebel Alliance Developer, Netgate)

                    Does the file for that cn still exist in /var/etc/openvpn-csc?


                    • Nachtfalke

                      Yes, it does exist:

                      ifconfig-push 10.0.1.181 10.0.1.182
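
The thread above carries three concrete rules: jimp's sizing ("users * 4", so ~512 clients need a /21), his statement that override static IPs must lie within the tunnel network, and the pfSense-generated CSC file shown just above, where the override 10.0.1.180/30 became "ifconfig-push 10.0.1.181 10.0.1.182". The following is an added example, not pfSense code and not anything posted in this thread. It plans per-client /30 blocks for an OpenVPN server, validates an override against the tunnel network (the failing 10.0.2.120/30 case from earlier in the thread), emits the CSC line, and lists CSC files left on disk for CNs that no longer have an override (the leftover jimp asked about). It assumes the legacy "net30" topology that a /30 per client implies, with the first /30 of the tunnel network held by the server's own endpoint; the CN names and the `/var/etc/openvpn-csc/<CN>` file-per-CN layout follow jimp's post, and all addresses and names in the code are constructed.

```python
"""Per-client /30 planning for a pfSense-style OpenVPN server.

Added example, not pfSense's own code. Assumes the legacy "net30"
topology implied by handing each client a /30: the client receives the
second address of its block and the server-side peer the third, which is
what the posted CSC file ("ifconfig-push 10.0.1.181 10.0.1.182" for the
override 10.0.1.180/30) shows. The first /30 of the tunnel network is
assumed to belong to the server endpoint. All CNs and addresses used in
the demo are constructed.
"""
from __future__ import annotations

import ipaddress
import math


def tunnel_prefix_for(clients: int, per_client_bits: int = 2) -> int:
    """Smallest prefix length whose network holds one 2**per_client_bits
    address block per client (a /30 is 4 addresses, hence "users * 4")."""
    if clients < 1:
        raise ValueError("need at least one client")
    needed = clients << per_client_bits
    return 32 - max(per_client_bits, math.ceil(math.log2(needed)))


def check_override(tunnel: str, block: str) -> str | None:
    """Return None if `block` is an aligned /30 inside `tunnel`, else why not.
    A misaligned block such as 10.0.1.181/30 is rejected by IPv4Network itself."""
    tun = ipaddress.IPv4Network(tunnel)
    try:
        net = ipaddress.IPv4Network(block)
    except ValueError as exc:
        return f"{block}: {exc}"
    if net.prefixlen != 30:
        return f"{block}: expected a /30, got /{net.prefixlen}"
    if not net.subnet_of(tun):
        return f"{block}: outside tunnel network {tun}"
    return None


def net30_push(block: str) -> str:
    """ifconfig-push <client> <server-peer> for one /30 under net30 topology."""
    client, peer = ipaddress.IPv4Network(block).hosts()  # the two usable hosts of a /30
    return f"ifconfig-push {client} {peer}"


def build_csc(tunnel: str, overrides: dict[str, str]) -> dict[str, str]:
    """Map CN -> contents of its CSC file, refusing any block outside the tunnel."""
    out = {}
    for cn, block in overrides.items():
        problem = check_override(tunnel, block)
        if problem:
            raise ValueError(f"{cn}: {problem}")
        out[cn] = net30_push(block)
    return out


def allocate_blocks(tunnel: str, cns: list[str]) -> dict[str, str]:
    """Hand out consecutive /30s, skipping the first (assumed server endpoint).
    Fails loudly instead of silently overlapping when the network is too small."""
    blocks = ipaddress.IPv4Network(tunnel).subnets(new_prefix=30)
    next(blocks)
    alloc = {}
    for cn in cns:
        try:
            alloc[cn] = str(next(blocks))
        except StopIteration:
            raise ValueError(f"{tunnel} cannot hold {len(cns)} client /30s") from None
    return alloc


def stale_csc_files(present: list[str], configured: set[str]) -> list[str]:
    """CSC files on disk whose CN no longer has an override configured; such a
    leftover keeps pushing the deleted static IP until it is removed."""
    return sorted(cn for cn in present if cn not in configured)


if __name__ == "__main__":
    print(f"500 road warriors need a /{tunnel_prefix_for(500)}")
    print(check_override("10.0.1.0/24", "10.0.2.120/30"))  # the failing case from the thread
    print(build_csc("10.0.1.0/24", {"laptop-nachtfalke": "10.0.1.180/30"}))
    print(stale_csc_files(["laptop-nachtfalke", "other"], {"other"}))
```

To audit a live box, feed `stale_csc_files` the file names under /var/etc/openvpn-csc and the set of CNs that currently have an override configured; anything it returns is a file that should have been removed when the override was deleted.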
                      
                      • jimp (Rebel Alliance Developer, Netgate)

                        I just pushed a fix, should be in new snaps soon


                        • Nachtfalke

                          Hi,
                          it is working for me now as expected.
                          I am using 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011

                          Thanks jimp!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.