Pretty sure there isn't a size limitation; however, if you're going to roll your own address management, you probably don't want to use the "server" directive. Look in the documentation: "server" is a shortcut to a whole big chunk of other commands, only some of which you actually want. You want "mode server" and "tls-server", and "ifconfig" and "route", but you don't want the "ifconfig-pool", because you're going to be doing that on your own.
-Joe

On Wed, Nov 27, 2019 at 11:11 AM Joshua Judson Rosen <rozzin.o...@hackerposse.com> wrote:
>
> Is there any sort of subnet size limitation I should be aware of? Like,
> if I tell OpenVPN a "server" directive with a /19 specified, should I expect
> any problems from that?
> (the routing and firewalling rules are straightforward, and there won't
> actually be _that_ many clients at this point, but if I have to roll my own
> address-management, just allocating 1k-address subnets eases some pains...).
>
> On 11/26/19 4:28 PM, Joe Patterson wrote:
> > On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen
> > <rozzin.o...@hackerposse.com> wrote:
> >>
> >> On 11/26/19 5:36 AM, Gert Doering wrote:
> >>> Hi,
> >>>
> >>> On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> >>>> Is there some way to set up an OpenVPN server with multiple distinct VPN
> >>>> segments behind a common listening port, such that I can dispatch
> >>>> connections based on which CA signed the client certificate?
> >>>
> >>> With intermediate CAs, this might work. With distinct CAs that have
> >>> nothing to do with each other, not sure how to get the server to trust
> >>> all of them.
> >>>
> >>>> I've been trying to avoid having different config-files on the clients if
> >>>> possible, but having different keys and certificates is fine.
> >>>
> >>> Your client certificates *could* encode different meaning into the
> >>> DN, like
> >>>
> >>> client-marketing-1234
> >>> client-tech-567
> >>>
> >>> and then have the client-connect script shell out client options (IP
> >>> addresses, possibly VLANs, ...) according to the "marketing" or "tech"
> >>> part.
> >>
> >> Yeah--I've actually done some things with client-connect and tls-verify
> >> scripts already, e.g. dynamic DNS updates and custom logging of things
> >> like certificate-expiries.
> >>
> >> Can I actually use different *server-side* configuration options like
> >> "route" and "ifconfig-pool" for different subsets of clients of a single
> >> server instance if I feed them into the tempfile from a client-connect
> >> script?
> >
> > pretty sure not, I think you can only feed things that you would have
> > been able to put in a ccd file (so ifconfig-push, yes. ifconfig-pool,
> > no. iroute yes, route no). But you can roll your own dynamic IP
> > address assignment, and pass it as ifconfig-push. And while you can't
> > pass "route" directives, you certainly can (assuming the script is
> > running with the appropriate privileges) run an "ip route" command to
> > do what you would have done with the route directive.
> >
> > -Joe
> >
>
> --
> "Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
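The approach the thread converges on (encode the group in the CN, have the client-connect script hand OpenVPN an `ifconfig-push` line through the per-client options file, and run `ip route` yourself for anything a `route` directive would have done), as an added example; this is not code from the thread or from the OpenVPN project. The CN layout follows Gert's client-<group>-<n> suggestion, and the 1k-address (/22) sizing follows Joshua's remark. The group-to-subnet table, the server holding .1, and the tun0 fallback device name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a client-connect script that does
# the "roll your own" address management discussed above. OpenVPN exports the
# client certificate's CN as $common_name and passes the per-client options
# file as $1; what is written there is applied like a ccd file, so (as Joe
# notes) ifconfig-push and iroute are accepted, ifconfig-pool and route are not.
#
# Assumptions (constructed for illustration): CNs are client-<group>-<n>,
# each group owns one 1k-address (/22) segment, and the server holds .1.

# Map a group to the first address of its /22 (constructed sample values).
group_base() {
    case "$1" in
        marketing) echo "10.10.0.0" ;;
        tech)      echo "10.10.4.0" ;;
        *)         return 1 ;;
    esac
}

# Print the ifconfig-push line for a CN, or fail with a message on stderr if
# the CN is malformed, the group is unknown, or <n> is outside 2..1022
# (the /22's usable hosts minus the server's .1).
assign_address() {
    cn="$1"
    case "$cn" in
        client-*-*) ;;
        *) echo "unrecognised CN: $cn" >&2; return 1 ;;
    esac
    rest="${cn#client-}"
    group="${rest%-*}"
    idx="${rest##*-}"
    # Reject empty, non-numeric and zero-padded indices so the arithmetic
    # below only ever sees a plain decimal.
    case "$idx" in
        ''|*[!0-9]*|0*) echo "bad index in CN: $cn" >&2; return 1 ;;
    esac
    if [ "$idx" -lt 2 ] || [ "$idx" -gt 1022 ]; then
        echo "index $idx out of range for $cn" >&2; return 1
    fi
    base=$(group_base "$group") || { echo "unknown group: $group" >&2; return 1; }
    # Split 10.10.0.0 into "10.10" and 0, then add the index across the
    # third and fourth octets.
    net=${base%.*.*}
    third=${base#"$net".}
    third=${third%.*}
    echo "ifconfig-push $net.$((third + idx / 256)).$((idx % 256)) 255.255.252.0"
}

# Joe's point about "route": the script cannot emit a route directive, but it
# can install the kernel route itself. This only builds the command; the
# caller runs it (with the privileges that needs) and writes the matching
# "iroute" line to "$1". $dev is OpenVPN's exported tun device name.
host_route_cmd() {
    echo "ip route replace $1/$2 dev ${3:-${dev:-tun0}}"
}

# Entry point when OpenVPN invokes the script.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    assign_address "$common_name" > "$1" || exit 1
fi
```

Hooked up as `client-connect /path/to/this-script` (with `script-security 2`), a client whose CN is client-tech-600 gets `ifconfig-push 10.10.6.88 255.255.252.0`; a CN that does not parse, names an unknown group, or carries an out-of-range index makes the script exit non-zero, which OpenVPN treats as a rejected connection rather than silently handing out a default address.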