Design question
-
Hi!
I have a plan to configure a VPN server on port 443 for about 450 devices (using a /23)…
250-300 of them with one set of rules
100 of them with another set
50 of them with another set
Auth via LDAP (AD).
Some users have 2 devices (same LDAP username) and both of them require a different set of rules (access). So I disabled username as common name in the .inc file (btw this should be a configurable option) and issued 2 certs with different common names for this client that I can use with a client override. For the second device I created an override with a static IP and I can manage rules just fine.
Would this be the best approach?
For example:
192.168.1.0/23 is subnet
192.168.1.2 - 192.168.2.50 --> One IP assignment pool (default pool)
192.168.2.51 - 192.168.2.150 --> Second pool (client override)
192.168.2.151 - 192.168.2.200 --> Third pool (client override)
192.168.2.201 - END --> Exception pool, configured one by one (client override)
This way I can work with aliases and craft FW rules really nicely, but there is a lot of manual work with client overrides.
Thoughts and suggestions are most welcome :)
P.S.
1. Only one vpn server is possible
2. 443 TCP is a must
3. Topology subnet is a must
4. TUN only
-
:)
No opinions at all?
Is this so bad a config approach that no one will even comment on it? :)