Different subnets for different common names



  • Hello, I'm using pfSense 2.0.1 to create an OpenVPN server for several clients (all clients are Ubuntu boxes). The thing is that the boxes are grouped by client, and boxes belonging to client A should not be able to ping/reach boxes of client B.

    So I thought to group clients by common name and use the client override option to assign different subnets to each group. I don't know if there are easier options to achieve the goal; if there are, please share them with me. Now about the configuration:

    On my main server I set up:

    dev tun (I don't think I could have used bridged tap for different groups of subnets, am I mistaken?)
    compression LZO
    Tunnel Network 10.7.0.0/16
    Inter-client communication ON
    Duplicate Connections ON

    Then, on the override for the single certificate, I set up:
    Tunnel Network 10.7.1.0/24

    The idea was to get subnet 10.7.1.0/24 for client A, subnet 10.7.2.0/24 for client B and so on, each one with routes to only reach its own subnet. But with this setup each client gets the SAME IP address of 10.7.1.2, so I am clearly missing something. How do I set up STATIC IP clients for different subnets based on a different certificate? Is it even possible? Maybe I could use DHCP? LDAP? If you think there is a simpler solution to blind groups of clients from each other, I'd be more than eager to listen to your ideas.

    cheers



  • Try setting ifconfig-push in the CSO for each client.

    See http://openvpn.net/index.php/open-source/documentation/howto.html

    Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Win32 driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:

    [  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
    [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
    [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
    [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
    [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
    [101,102] [105,106] [109,110] [113,114] [117,118]
    [121,122] [125,126] [129,130] [133,134] [137,138]
    [141,142] [145,146] [149,150] [153,154] [157,158]
    [161,162] [165,166] [169,170] [173,174] [177,178]
    [181,182] [185,186] [189,190] [193,194] [197,198]
    [201,202] [205,206] [209,210] [213,214] [217,218]
    [221,222] [225,226] [229,230] [233,234] [237,238]
    [241,242] [245,246] [249,250] [253,254]

    NetworkA
    ClientA1  10.7.1.5  10.7.1.6
    ClientA2  10.7.1.9  10.7.1.10

    NetworkB
    ClientB1  10.7.2.5  10.7.2.6
    ClientB2  10.7.2.9  10.7.2.10

    Should be possible to deny inter-client communication with simple firewall rules.

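The reply above boils down to a bookkeeping problem: every common name needs its own /30 inside its group's subnet, written as an `ifconfig-push` line into a file named exactly after the certificate CN in the client-config-dir, and nothing may collide. The following script, added here as an illustration and not code from pfSense, OpenVPN or either poster, carves successive /30 pairs out of each group's subnet (net30 topology, so the endpoints land on the .1/.2, .5/.6, ... set quoted above), renders the ccd files, and checks the plan for the exact failure described in the thread (two clients receiving the same address). The group names, common names, subnets and the use of a temporary directory in place of the real ccd path are constructed inputs. Two caveats that the generated files cannot fix for you: the static addresses must sit outside the server's dynamic pool or a pool client can grab one of them, and isolating groups with pf rules only works while inter-client communication is OFF, because with `client-to-client` enabled OpenVPN forwards traffic between clients inside the daemon and it never crosses the tun interface where the firewall could see it.

```python
"""Generate OpenVPN client-config-dir (ccd) files that pin each client to a
fixed /30 inside its group's subnet with ifconfig-push, and check the plan
for address collisions.

Added example for this thread, not code from pfSense or OpenVPN. The group
names, common names, subnets and the ccd directory are made-up inputs.
"""
import ipaddress
import tempfile
from pathlib import Path

# In net30 topology each client consumes one /30: network, client endpoint,
# server endpoint, broadcast. Endpoints therefore end in (1,2), (5,6), ... (253,254).
NET30_ENDPOINTS = {(i, i + 1) for i in range(1, 254, 4)}

# Constructed input: one subnet per customer and the CNs of their boxes.
# ccd files are looked up by certificate CN, so the names must match exactly.
GROUPS = {
    "clientA": ("10.7.1.0/24", ["clientA-box1", "clientA-box2"]),
    "clientB": ("10.7.2.0/24", ["clientB-box1", "clientB-box2", "clientB-box3"]),
}


def net30_pairs(subnet):
    """Yield (client_ip, server_ip) taken from successive /30 blocks of subnet."""
    for block in ipaddress.ip_network(subnet).subnets(new_prefix=30):
        client_ip, server_ip = list(block.hosts())  # a /30 has exactly two usable hosts
        assert (int(client_ip) & 0xFF, int(server_ip) & 0xFF) in NET30_ENDPOINTS
        yield client_ip, server_ip


def build_plan(groups):
    """Return {common_name: (group, client_ip, server_ip)}, one /30 per client."""
    plan = {}
    for group, (subnet, names) in groups.items():
        pairs = net30_pairs(subnet)
        for cn in names:
            client_ip, server_ip = next(pairs)  # StopIteration means the subnet is full
            plan[cn] = (group, client_ip, server_ip)
    return plan


def check_plan(plan, groups):
    """Raise if two clients share an address or a client lands outside its group's subnet.

    The first condition is what the original poster saw: every client on 10.7.1.2.
    """
    seen = {}
    for cn, (group, client_ip, server_ip) in plan.items():
        subnet = ipaddress.ip_network(groups[group][0])
        if client_ip not in subnet or server_ip not in subnet:
            raise ValueError(f"{cn}: {client_ip}/{server_ip} outside {subnet}")
        for ip in (client_ip, server_ip):
            if ip in seen:
                raise ValueError(f"{cn}: {ip} already assigned to {seen[ip]}")
            seen[ip] = cn
    return True


def render_ccd(plan):
    """Return {common_name: ccd file text}; one ifconfig-push line per client."""
    return {
        cn: f"# group {group}: generated, do not edit by hand\n"
            f"ifconfig-push {client_ip} {server_ip}\n"
        for cn, (group, client_ip, server_ip) in plan.items()
    }


def write_ccd(plan, ccd_dir):
    """Write the rendered files into ccd_dir and return the paths written."""
    ccd = Path(ccd_dir)
    ccd.mkdir(parents=True, exist_ok=True)
    written = []
    for cn, text in sorted(render_ccd(plan).items()):
        path = ccd / cn
        path.write_text(text)
        written.append(path)
    return written


if __name__ == "__main__":
    plan = build_plan(GROUPS)
    check_plan(plan, GROUPS)
    with tempfile.TemporaryDirectory() as d:  # stands in for the real ccd directory
        for p in write_ccd(plan, d):
            print(p.name, "->", p.read_text().splitlines()[1])
```

Keep the generated plan (or the script input) in version control next to the certificate inventory; adding a client is then one line in `GROUPS` and a re-run, and `check_plan` refuses to emit files if the new name would reuse an address.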


  • No, it doesn't work, at least not if I put the pushes in the advanced options, because like I said they always get the same IP address (the last entry).

    I should populate this directive in each ccd subdir for each client; this means finding the ccd subdir on FreeBSD and manually adding the IP for each client, and each time I add a client I must keep track of IPs. Normally I have hundreds of clients to connect, so I don't think it's viable.

    Is it not possible to have OpenVPN always give a different /30 subnet without manually specifying the IP each time? Since I am not worried about the rules that deny interconnection between different subnets (like you said, it's an easy thing to accomplish), my main issue is the assignment of different IP ranges to different common names.
    Maybe I could try changing the topology? Could the VPN not delegate that to a DHCP server? There must be a way.



  • I tried to change the topology to a subnet one, so I configured the override with a blank tunnel network but with:
    push "topology subnet"; push "ifconfig 10.7.1.1 255.255.255.0";

    in the advanced box, but in the logs I see this:

    PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.7.0.1,topology subnet,ping 10,ping-restart 60,topology subnet,ifconfig 10.7.1.1 255.255.255.0,ifconfig 10.7.0.3 255.255.0.0'

    It STILL gets the ifconfig from the server, ignoring the override, so I ticked the override checkbox "Server Definitions: Prevent this client from receiving any server-defined client settings." and here is what I get:

    PUSH: Received control message: 'PUSH_REPLY,topology subnet,ifconfig 10.7.1.1 255.255.255.0,ifconfig 10.7.0.3 255.255.0.0'

    AGAIN the ifconfig from the server!! Why? I told the override to prevent the client from receiving any server settings, so why is it still pushing the ifconfig and why is the client eating it? The client should take the overridden ifconfig only.

