Design question



  • Hi!

    I have a plan to configure a VPN server on port 443 for about 450 devices (using a /23)…
    250-300 of them with one set of rules
    100 of them with another set
    50 of them with another set

    Auth via LDAP (AD).
    Some users have 2 devices (same LDAP username) and both of them require a different set of rules (access).

    So I disabled username as common name in the .inc file (btw this should be a configurable option) and issued 2 certs with different common names for this client that I can use with client overrides. For the second device I created an override with a static IP and I can manage rules just fine.

    Would this be the best approach?

    For example:

    192.168.1.0/23 is subnet
    192.168.1.2 - 192.168.2.50 --> One IP assignment pool (default pool)
    192.168.2.51-192.168.2.150 --> Second pool (client override)
    192.168.2.151-192.168.2.200 --> third pool (client override)
    192.168.2.201-END --> exception pool, config one by one (client override)

    This way I can work with aliases and craft FW rules really nicely, but there is a lot of manual work with client overrides.

    Thoughts and suggestions are most welcome :)

    P.S.
    1. Only one vpn server is possible
    2. 443 TCP is a must
    3. Topology subnet is a must
    4. TUN only



  • :)

    No opinions at all?
    Is this so bad a cfg approach that no one will even comment on it? :)

