Eric,

Yup. I re-read Section 7, and found the line describing what you're talking
about.

"When client1 connects, the disable option will be passed to the server,
preventing the connection from continuing. Other options can be passed,
such as ifconfig for static IP addresses, pushing different routes, and
more."

So it appears any per-user routes I want to include should be in this
temporary file. Thanks, guys, for the support and for writing an awesome
book!

On Wed, Apr 27, 2016 at 11:03 AM, <ecr...@secure-computing.net> wrote:

> Scott,
>
> You can push quite a few options in the --client-connect script, as well,
> potentially completely replacing a CCD entry, depending upon what you
> push.  There shouldn't be any need to dynamically write-out a CCD file.
>
> Eric F Crist
>
>
>
>
> On 2016-04-27 12:02, Scott Crooks wrote:
>
>> Hey Jan,
>>
>> Thank you for the recommendation, I actually purchased your book, and
>> read through it all of yesterday at work. After reading Section 7
>> about scripts (see the specific section here:
>> http://imgur.com/EskezTX, I took a screenshot) it seems the best way
>> to accomplish the following:
>>
>> * No Internet traffic routed through the VPN
>> * Per-user firewall rules on the server
>> * Per-user routes pushed to each user, while using the same client-side
>>   configuration
>>
>> Would be to have a script that did the following:
>>
>> * First pulled firewall rules from LDAP, and placed them in the
>>   `client-config-dir` as a file so that the routes are pushed
>>   dynamically to each client
>> * Secondly, used `learn-address` to process those same firewall
>>   rules using iptables on the server side
>>
>> It seems that the only way to dynamically push routes to clients is
>> the client config directory. Is that right? Did I miss something?
>>
>> On Tue, Apr 26, 2016 at 2:09 AM, Jan Just Keijser <janj...@nikhef.nl>
>> wrote:
>>
>>> Hi,
>>>
>>> Scott Crooks wrote:
>>>
>>>> Greetings,
>>>>
>>>> Is there documentation available that lists, in detail, the
>>>> process of when a user connects to an OpenVPN server? I am wanting
>>>> to have an OpenVPN server that has the following requirements:
>>>>
>>>> - Authenticates users via LDAP (got this part figured out already)
>>>> - Pulls per user firewall rules from LDAP, and pushes them
>>>> dynamically to each user
>>>> - Does not route Internet traffic through the VPN
>>>>
>>>> I get confused as to whether I should be calling the per user
>>>> firewall script using `learn-address` or `up`, and when each is
>>>> executed.
>>>>
>>>
>>> This is explained in detail in the book "Mastering OpenVPN" by Eric
>>> Crist and me.
>>> As David already explained, you'll want to take a look at
>>> --client-connect and --learn-address.
>>>
>>> HTH,
>>>
>>> JJK
>>>
>>
>> --
>>
>> Scott Crooks (王虎)
>>
>> LinkedIn: http://www.linkedin.com/in/jshcrooks
>>
>>
>>
>


-- 
Scott Crooks (王虎)
LinkedIn: http://www.linkedin.com/in/jshcrooks
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
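A sketch of the --client-connect mechanism Eric and the book describe, added here as an example and not taken from the thread or from the book: OpenVPN passes the script the path of a freshly created temporary file as its last argument and exports the client's certificate common name as $common_name; whatever the script writes to that file is applied as if it were that client's client-config-dir entry (ifconfig-push, push "route ...", disable, and so on). The per-user table is constructed as a stand-in for the LDAP lookup in the thread, and lookup_user_opts and write_client_connect_file are names of my own.

```shell
#!/bin/sh
# Added example: an OpenVPN --client-connect script that writes per-user
# options into the temporary file OpenVPN names in its last argument.
# Nothing here pushes redirect-gateway, so Internet traffic stays off the VPN.

# Constructed lookup table standing in for the LDAP query; a real deployment
# replaces this function with its own directory lookup.
lookup_user_opts() {
    case "$1" in
        alice) printf '%s\n' 'ifconfig-push 10.8.0.10 255.255.255.0' \
                            'push "route 192.168.10.0 255.255.255.0"' ;;
        bob)   printf '%s\n' 'ifconfig-push 10.8.0.11 255.255.255.0' \
                            'push "route 192.168.20.0 255.255.255.0"' \
                            'push "route 192.168.21.0 255.255.255.0"' ;;
        *)     printf '%s\n' 'disable' ;;   # unknown user: refuse the connection
    esac
}

# $1 = client common name (OpenVPN exports it as $common_name)
# $2 = path of the temporary file OpenVPN hands to the client-connect script
write_client_connect_file() {
    cn="$1"; out="$2"
    # Only accept common names made of safe characters, so a crafted
    # certificate subject cannot inject extra directives into the file.
    case "$cn" in
        *[!A-Za-z0-9._-]*|"") printf 'disable\n' > "$out"; return 0 ;;
    esac
    lookup_user_opts "$cn" > "$out"
}

# When OpenVPN invokes the script, $common_name is set and $1 is the temp file.
if [ -n "$common_name" ] && [ -n "$1" ]; then
    write_client_connect_file "$common_name" "$1"
fi
```

The script must exit 0, since a non-zero status disconnects the client; per-user iptables rules still belong in a --learn-address script, as Jan Just noted.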