Design question

  • Hi!

    I have a plan to configure a VPN server on port 443 for about 450 devices (using a /23)…
    250-300 of them with one set of rules
    100 of them with another set
    50 of them with another set

    Auth via LDAP (AD).
    Some users have 2 devices (same LDAP username) and both of them require a different set of rules (access).

    So I disabled username as common name in the .inc file (BTW this should be a configurable option) and issued 2 certs with different common names for this client that I can use with client overrides. For the second device I created an override with a static IP and I can manage rules just fine.

    Would this be best approach?

    For example: subnet --> one IP assignment pool (default pool) --> second pool (client override) --> third pool (client override) --> exception pool, configured one by one (client override)

    This way I can work with aliases and craft FW rules really nicely, but there is a lot of manual work with client overrides.

    Thoughts and suggestions are most welcome :)

    1. Only one VPN server is possible
    2. 443 TCP is a must
    3. Topology subnet is a must
    4. TUN only
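An added example, not code from the original post: assuming the server is OpenVPN (topology subnet, per-client overrides via client-config-dir), this Python script carves the /23 into per-group ranges, assigns static addresses only to clients that need an override, and emits the override and pool lines. The tunnel network, group ranges and client names are constructed assumptions; the point it adds is the check that static ranges never overlap each other or the dynamic pool, which is the failure mode that silently puts a client under the wrong firewall rule set.

```python
import ipaddress
# Constructed example values: the /23 tunnel network and the per-group
# ranges are assumptions, not numbers from the original post.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/23")
GROUP_RANGES = {
    "default": ipaddress.ip_network("10.8.0.0/24"),       # dynamic pool, no override
    "group_b": ipaddress.ip_network("10.8.1.0/25"),       # ~100 devices, static
    "group_c": ipaddress.ip_network("10.8.1.128/26"),     # ~50 devices, static
    "exceptions": ipaddress.ip_network("10.8.1.192/26"),  # one-off overrides
}

def check_ranges(subnet=VPN_SUBNET, ranges=GROUP_RANGES):
    """Ranges must sit inside the tunnel network and not overlap: an overlap
    is how two clients get one address and the wrong firewall rule set."""
    nets = list(ranges.values())
    for n in nets:
        if not n.subnet_of(subnet):
            raise ValueError(f"{n} lies outside {subnet}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")

def assign_overrides(clients, subnet=VPN_SUBNET, ranges=GROUP_RANGES):
    """Map (common_name, group) pairs to static tunnel addresses. 'default'
    clients get no entry (dynamic pool); CNs must be unique (override key)."""
    check_ranges(subnet, ranges)
    cursors = {g: iter(n.hosts()) for g, n in ranges.items()}
    overrides, seen = {}, set()
    for cn, group in clients:
        if cn in seen:
            raise ValueError(f"duplicate common name {cn}")
        seen.add(cn)
        if group == "default":
            continue
        ip = next(cursors[group], None)
        if ip is None:
            raise ValueError(f"range for {group} is exhausted")
        overrides[cn] = str(ip)
    return overrides

def ccd_line(ip, subnet=VPN_SUBNET):
    """Per-client override line (OpenVPN client-config-dir, topology subnet)."""
    return f"ifconfig-push {ip} {subnet.netmask}"

def server_pool_line(subnet=VPN_SUBNET, ranges=GROUP_RANGES):
    """Restrict the dynamic pool to the default range (server takes .1), so it
    can never hand out an address that a static override also claims."""
    hosts = list(ranges["default"].hosts())
    return f"ifconfig-pool {hosts[1]} {hosts[-1]} {subnet.netmask}"
```

Firewall aliases then map one-to-one onto GROUP_RANGES, so a rule set per group is a rule on the group's network rather than on individual client addresses.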

  • :)

    No opinions at all?
    Is this such a bad cfg approach that no one will even comment on it? :)
