On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen <rozzin.o...@hackerposse.com> wrote:
>
> On 11/26/19 5:36 AM, Gert Doering wrote:
> > Hi,
> >
> > On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> >> Is there some way to set up an OpenVPN server with multiple distinct VPN segments behind
> >> a common listening port, such that I can dispatch connections based on which CA signed
> >> the client certificate?
> >
> > With intermediate CAs, this might work. With distinct CAs that have
> > nothing to do with each other, not sure how to get the server to trust
> > all of them.
> >
> >> I've been trying to avoid having different config-files on the clients if possible,
> >> but having different keys and certificates is fine.
> >
> > Your client certificates *could* encode different meaning into the
> > DN, like
> >
> > client-marketing-1234
> > client-tech-567
> >
> > and then have the client-connect script shell out client options (IP
> > addresses, possibly VLANs, ...) according to the "marketing" or "tech"
> > part.
>
> Yeah--I've actually done some things with client-connect and tls-verify scripts already,
> e.g. dynamic DNS updates and custom logging of things like certificate-expiries.
>
> Can I actually use different *server-side* configuration options like "route" and "ifconfig-pool"
> for different subsets of clients of a single server instance if I feed them into the tempfile
> from a client-connect script?
Pretty sure not; I think you can only feed things that you would have been able to put in a ccd file (so ifconfig-push, yes; ifconfig-pool, no; iroute, yes; route, no).

But you can roll your own dynamic IP address assignment and pass it as ifconfig-push. And while you can't pass "route" directives, you certainly can (assuming the script is running with the appropriate privileges) run an "ip route" command to do what you would have done with the route directive.

-Joe
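The following client-connect script is an added example written for this page; it is not code from the thread or from the OpenVPN project. It puts Gert's DN-encoding idea and Joe's two points together: the department encoded in the CN ("client-marketing-1234", "client-tech-567") selects a per-department address pool, the script writes only ccd-legal directives (ifconfig-push, push, iroute) into the tempfile OpenVPN hands it as $1, and, where the server would have needed a "route" directive, it runs the equivalent "ip route" command instead. The department names, the 10.8.10.0/24, 10.8.20.0/24 and 10.30.0.0/16 pools and the "numeric suffix is the host octet" rule are assumptions made up for the illustration; `common_name` and `dev` are environment variables OpenVPN does set for client-connect scripts, and `topology subnet` is assumed on the server so that ifconfig-push takes an address and netmask.

```shell
#!/bin/sh
# Hypothetical OpenVPN --client-connect script (added example, not from the thread).
# Assumes "topology subnet" and CNs of the form client-<dept>-<id>; all pools are made up.
set -eu

MARKETING_NET=10.8.10   # /24 pool for marketing clients (assumed)
TECH_NET=10.8.20        # /24 pool for tech clients (assumed)
TECH_LAN_PREFIX=10.30   # tech client <id> has 10.30.<id>.0/24 behind it (assumed)

# dept_of CN: prints "marketing" or "tech"; exit 1 for any CN that does not fit the scheme
dept_of() {
    case "$1" in
        client-marketing-[0-9]*) echo marketing ;;
        client-tech-[0-9]*)      echo tech ;;
        *)                       return 1 ;;
    esac
}

# id_of CN: prints the numeric suffix if it is usable as a host octet (2..254, no leading zero)
id_of() {
    id=${1##*-}
    case "$id" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ ${#id} -le 3 ] || return 1
    id=$((id))
    [ "$id" -ge 2 ] && [ "$id" -le 254 ] || return 1
    echo "$id"
}

# client_options CN: prints the ccd-style directives for this client, one per line.
# Only directives legal in a ccd file go here; "route" and "ifconfig-pool" would be rejected.
# Exit status 1 means "unknown client", which makes the caller refuse the connection.
client_options() {
    dept=$(dept_of "$1") || return 1
    id=$(id_of "$1") || return 1
    case "$dept" in
        marketing)
            echo "ifconfig-push $MARKETING_NET.$id 255.255.255.0"
            echo 'push "route 10.40.0.0 255.255.0.0"'   # marketing-only resource (assumed)
            ;;
        tech)
            echo "ifconfig-push $TECH_NET.$id 255.255.255.0"
            echo "iroute $TECH_LAN_PREFIX.$id.0 255.255.255.0"   # LAN behind the client
            ;;
    esac
}

# kernel_route_cmd CN DEV: the "ip route" command that replaces a server-side "route"
# directive for clients with a subnet behind them; prints nothing for the others.
kernel_route_cmd() {
    dept=$(dept_of "$1") || return 1
    id=$(id_of "$1") || return 1
    if [ "$dept" = tech ]; then
        echo "ip route replace $TECH_LAN_PREFIX.$id.0/24 dev $2"
    fi
}

# OpenVPN invokes the script as: <script> <tempfile>, with common_name and dev in the
# environment. The guard keeps this part from running when the file is merely sourced.
if [ -n "${1:-}" ]; then
    cn=${common_name:-}
    if ! client_options "$cn" > "$1"; then
        echo "client-connect: refusing unknown CN '$cn'" >&2
        exit 1
    fi
    cmd=$(kernel_route_cmd "$cn" "${dev:-tun0}")
    if [ -n "$cmd" ]; then
        $cmd    # needs root; fails if the daemon already dropped to "user nobody"
    fi
fi
```

Two caveats follow from Joe's "appropriate privileges" remark: the "ip route" line only works if OpenVPN still has CAP_NET_ADMIN when the script runs (no `user nobody`, or a sudo rule scoped to exactly that command), and a script that can install kernel routes is a trust boundary, so the CN must be validated as strictly as above before any part of it reaches a command line.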