Scott,

You can push quite a few options in the --client-connect script as well, potentially completely replacing a CCD entry, depending upon what you push. There shouldn't be any need to dynamically write out a CCD file.
Eric F Crist

On 2016-04-27 12:02, Scott Crooks wrote:
> Hey Jan,
>
> Thank you for the recommendation, I actually purchased your book, and
> read through it all of yesterday at work. After reading Section 7
> about scripts (see the specific section here:
> http://imgur.com/EskezTX, I took a screenshot) it seems the best way
> to accomplish the following:
>
> * No Internet traffic routed through the VPN
> * Per user firewall rules on the server
> * Per user routes pushed to each user, while using the same client
>   side configuration
>
> Would be to have a script that did the following:
>
> * First pulled firewall rules from LDAP, and placed them in the
>   `client-config-dir` as a file so that the routes are pushed
>   dynamically to each client
> * Secondly, used `learn-address` to process those same firewall rules
>   using iptables on the server side
>
> It seems that the only way to dynamically push routes to clients is
> the client config directory. Is that right? Did I miss something?
>
> On Tue, Apr 26, 2016 at 2:09 AM, Jan Just Keijser <janj...@nikhef.nl>
> wrote:
>
>> Hi,
>>
>> Scott Crooks wrote:
>>
>>> Greetings,
>>>
>>> Is there documentation available that lists, in detail, the
>>> process of when a user connects to an OpenVPN server? I am wanting
>>> to have an OpenVPN server that has the following requirements:
>>>
>>> - Authenticates users via LDAP (got this part figured out already)
>>> - Pulls per user firewall rules from LDAP, and pushes them
>>>   dynamically to each user
>>> - Does not route Internet traffic through the VPN
>>>
>>> I get confused as to whether I should be calling the per user
>>> firewall script using `learn-address` or `up`, and when each is
>>> executed.
>>
>> this is explained in detail in the book "Mastering OpenVPN" by Eric
>> Crist and me.
>> As David already explained, you'll want to take a look at
>> --client-connect and --learn-address.
>>
>> HTH,
>>
>> JJK
>
> --
>
> Scott Crooks (王虎)
>
> LinkedIn: http://www.linkedin.com/in/jshcrooks
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
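
The approach suggested in the reply at the top of this thread, pushing per-user routes from the --client-connect script instead of generating CCD files, sketched as an added example that is not code from the thread or from the OpenVPN project. Assumptions: the LDAP rules have been exported to a flat file (`RULES_FILE`, a hypothetical path and format), the function names are illustrative, and a user with no valid rules is rejected rather than connected with no routes.

```shell
#!/bin/sh
# Added example of a --client-connect script (not from the thread).
# OpenVPN sets $common_name and passes a temporary per-client config file
# as the last argument; directives written there act like a CCD entry.
# Assumption: RULES_FILE is a flat export of the LDAP rules, one per line,
# e.g. (constructed):  alice 10.10.1.0 255.255.255.0
RULES_FILE="${RULES_FILE:-/etc/openvpn/user-routes.txt}"

is_ipv4() {  # dotted quad, every octet 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

emit_client_config() {  # usage: emit_client_config CN RULES_FILE OUT_FILE
    cn=$1 rules=$2 out=$3 lines=
    case $cn in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # CN reaches config text: allowlist it
    esac
    [ -r "$rules" ] || return 1
    while read -r user net mask rest; do
        [ "$user" = "$cn" ] || continue
        is_ipv4 "$net" && is_ipv4 "$mask" || return 1   # bad rule: fail closed
        lines="${lines}push \"route $net $mask\"
"
    done < "$rules"
    [ -n "$lines" ] || return 1     # no rules for this user: reject (assumed policy)
    printf '%s' "$lines" >> "$out"  # written only after every rule validated
}

# Entry point when OpenVPN runs this file; a non-zero exit rejects the client.
if [ -n "${common_name:-}" ] && [ "$#" -ge 1 ]; then
    for last in "$@"; do :; done    # last argument = temporary config file
    emit_client_config "$common_name" "$RULES_FILE" "$last" || exit 1
fi
```

The server configuration needs `script-security 2` and a `client-connect` line pointing at the script. No `redirect-gateway` is pushed, so Internet traffic stays off the VPN; the server-side iptables handling would live in the separate --learn-address script the thread mentions.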