>On Tue, 22 Aug 2023 08:20:24 +0000 (UTC), Jason Long via Openvpn-users
><openvpn-users@lists.sourceforge.net> wrote:
>
>Yes. The file under the CCD directory is exactly as the Common Name of the
>client.
>
>So if you have set a requirement for the client to have a ccd entry in order
>to connect and this client has exactly that, of course it will be able to
>connect!
>What is the problem?
>
>Yes. Why can the client connect to my OpenVPN server when the IP range is not
>correct?
>
>Which IP range?
>Client *connect* is not depending on any specific "IP range".
>If the client has a valid server IP address in its ovpn files for where the
>server is listening for connection *and* the client can reach this IP then the
>server will get the connection information and check the validity. Basically
>starting the connection process.
>
>For example if you require the clients to have ccd entries then if it has a
>file there and all other checks are also positive to validate the client it
>will be connected.
>
>However, what it can do after it has connected depends on all your *other*
>config items which you fail to show...
>And based on all your other posts here you are trying to misuse the OpenVPN
>server in ways that are non-standard to say the least...
>
>Regarding the ccd operations I have 3 classes of VPN clients connecting using
>*different* *ports* on the server's single IP address. So my server hardware
>has a single NIC linked to from the Internet via port forwarding on the
>gateway router.
>
>And the OpenVPN server runs several service instances on the different ports.
>Each port is served by a *different* openvpn server instance defined by its
>own conf file under /etc/openvpn/server/.
>
>These servers use *different* ccd directories like /etc/openvpn/ccd_server1,
>/etc/openvpn/ccd_server2 and /etc/openvpn/ccd_server3 (obviously my names are
>not exactly these, but different from each other).
>
>AND in each server instance conf file the ccd dir is defined by a line with
>*the full path* to the dir to use, all different and *unique* to that server
>instance.
>Your example shows a single dir name without any path information,
>which is bad programming IMV.
>
>My 3 different classes of clients are:
>
>- Full access clients routed to *both* the internal server side LAN and the
>  Internet. These act like they were located on the office LAN.
>
>- Local access clients only routed on to the LAN but not back out to the
>  Internet. They use their own Internet gateway for all other access.
>  Used by people needing access to company resources on the LAN but which do
>  not need to go extra steps for Internet access.
>
>- Web access clients are only routed back out to the Internet and cannot
>  access the LAN. This is how the commercial VPN services work to circumvent
>  geoblocking.
>  I use this for a few people that need to be located inside our country for
>  some web access and we do not want to use any insecure commercial service
>  for that.
>
>--
>Bo Berglund
>Developer in Sweden

Hello,
My server and client use range 10.0.2.X:

Server: 10.0.2.15
Client: 10.0.2.16

I created a "ccd" directory under the "/etc/openvpn" directory, and inside this directory I created a file with the CN's name of the client (client). In order for the client to connect to the server, I must write the below lines to the server.conf:

client-config-dir ccd
ccd-exclusive
route 10.0.2.0 255.255.255.0

And add the following line to the "/etc/openvpn/ccd/client" file:

iroute 10.0.2.0 255.255.255.0

But, if I change the 10.0.2.0 to any IP address, then my client can connect to the OpenVPN server. Is this normal? I think what is important is the file name under the "/etc/openvpn/ccd" directory. Am I right?

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
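The behaviour discussed in this thread, as an added example that is not code from either poster or from the OpenVPN project: a simplified model showing that `ccd-exclusive` admission depends only on a ccd file named after the CN, plus a small lint for the configuration points raised (relative `client-config-dir`, a ccd directory shared between instances). The function names and the in-memory config representation are assumptions, and the `iroute`/`route` pairing check follows the OpenVPN manual rather than anything stated in the thread.

```python
def parse(text):
    """Tokenise OpenVPN directives, dropping '#' and ';' comments (simplified)."""
    rows = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split(";", 1)[0].split()
        if tok:
            rows.append(tok)
    return rows

def net(tok):
    """(network, netmask) of a route/iroute line; netmask defaults to a host mask."""
    return (tok[1], tok[2] if len(tok) > 2 else "255.255.255.255")

def admits(server_conf, ccd_files, cn):
    """Model of the ccd step only (certificate checks are assumed to have passed):
    under ccd-exclusive a file named exactly like the CN must exist; its
    iroute lines are never consulted for admission."""
    exclusive = any(t[0] == "ccd-exclusive" for t in parse(server_conf))
    return not exclusive or cn in ccd_files

def lint(instances):
    """instances: {conf_name: (server_conf_text, {cn: ccd_file_text})} -> findings."""
    findings, owner = [], {}
    for name, (conf, ccd_files) in sorted(instances.items()):
        rows = parse(conf)
        routes = {net(t) for t in rows if t[0] == "route" and len(t) > 1}
        for t in rows:
            if t[0] != "client-config-dir" or len(t) < 2:
                continue
            if not t[1].startswith("/"):
                findings.append((name, "relative client-config-dir", t[1]))
            if t[1] in owner:
                findings.append((name, "ccd dir shared with " + owner[t[1]], t[1]))
            owner.setdefault(t[1], name)
        for cn, body in sorted(ccd_files.items()):
            for t in parse(body):
                if t[0] == "iroute" and len(t) > 1 and net(t) not in routes:
                    findings.append((name, "iroute without matching route",
                                     cn + ": " + " ".join(net(t))))
    return findings

# Constructed sample: the server.conf lines from the thread, iroute changed.
SERVER = "client-config-dir ccd\nccd-exclusive\nroute 10.0.2.0 255.255.255.0\n"
CCD = {"client": "iroute 192.168.50.0 255.255.255.0\n"}  # constructed value

if __name__ == "__main__":
    print(admits(SERVER, CCD, "client"), admits(SERVER, CCD, "other"))
    for finding in lint({"server.conf": (SERVER, CCD)}):
        print(finding)
```

With the constructed input the client named `client` is admitted even though its `iroute` no longer matches any `route`, while the lint reports the mismatch and the relative ccd path as separate configuration findings.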