Can Authentication with ldap and assign specific ip for client ?

Scripts to manage certificates or generate config files
quinh
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 20, 2017 7:55 am

Can Authentication with ldap and assign specific ip for client ?

Postby quinh » Mon Feb 20, 2017 8:25 am

Hello everyone. I'm learning to set up an OpenVPN server, and I have some questions about this:
+ I'm done with authentication with LDAP, then I try to assign IP 25.1.94.122 to my account named quinh. I have my ccd/quinh file:
ifconfig-push 25.1.94.122 25.1.94.123
push "route 192.168.12.0 255.255.255.0"

But it is still not working. Did I miss something?

+ I know we can do 2-step authentication with keypair and userpass. Then what happens if my cert name is different from my userpass? I mean, with only one keypair we can log in with any userpass that is authenticated by LDAP???

I'm not English, so forgive me if my words are hard to understand. Thank you!

TinCanTech
OpenVPN Protagonist
Posts: 2577
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can Authentication with ldap and assign specific ip for client ?

Postby TinCanTech » Mon Feb 20, 2017 12:53 pm

quinh wrote:ifconfig-push 25.1.94.122 25.1.94.123
This IP is not valid for --topology net30.

See --topology in The Manual v24x

Please see:
HOWTO: Request Help !

quinh
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 20, 2017 7:55 am

Re: Can Authentication with ldap and assign specific ip for client ?

Postby quinh » Mon Feb 20, 2017 3:24 pm

TinCanTech wrote:
quinh wrote:ifconfig-push 25.1.94.122 25.1.94.123
This IP is not valid for --topology net30.

See --topology in The Manual v24x

Please see:
HOWTO: Request Help !


It is still working my way. Instead of waiting for your reply, I tried some test cases. Then I realized something:
+ the name in ccd is the common name of the keypair. That means you can't assign an IP for a user authenticated by LDAP.

TinCanTech
OpenVPN Protagonist
Posts: 2577
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can Authentication with ldap and assign specific ip for client ?

Postby TinCanTech » Mon Feb 20, 2017 3:46 pm

TinCanTech wrote:
quinh wrote:ifconfig-push 25.1.94.122 25.1.94.123
This IP is not valid for --topology net30.
quinh wrote:It still working in my way
It is still not a valid IP in --topology net30 because .123 is a broadcast address ..

But .. because we don't have any of your configs or logs, I will just assume that you know what you are doing.

quinh
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 20, 2017 7:55 am

Re: Can Authentication with ldap and assign specific ip for client ?

Postby quinh » Mon Feb 20, 2017 4:23 pm

Thank you for your support. Here is my config file:
server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 25.1.94.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3


my ccd/hungp:

ifconfig-push 25.1.94.122 25.1.94.123
push "route 192.168.12.0 255.255.255.0"




output on client:

Mon Feb 20 09:17:37 2017 /sbin/ip addr add dev tun0 local 25.1.94.122 peer 25.1.94.123
Mon Feb 20 09:17:37 2017 /sbin/ip route add 25.1.94.1/32 via 25.1.94.123
Mon Feb 20 09:17:37 2017 /sbin/ip route add 192.168.12.0/24 via 25.1.94.123
Mon Feb 20 09:17:37 2017 GID set to nogroup
Mon Feb 20 09:17:37 2017 UID set to nobody
Mon Feb 20 09:17:37 2017 Initialization Sequence Completed


Something wrong? First, I just want to thank you for your help. I have too many confusing things about OpenVPN that need explaining...

TinCanTech
OpenVPN Protagonist
Posts: 2577
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can Authentication with ldap and assign specific ip for client ?

Postby TinCanTech » Mon Feb 20, 2017 5:40 pm

quinh wrote:ifconfig-push 25.1.94.122 25.1.94.123
The most likely correct address would be .122 .121

See this:

Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:

    [  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
    [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
    [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
    [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
    [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
    [101,102] [105,106] [109,110] [113,114] [117,118]
==> [121,122] <== [125,126] [129,130] [133,134] [137,138]
    [141,142] [145,146] [149,150] [153,154] [157,158]
    [161,162] [165,166] [169,170] [173,174] [177,178]
    [181,182] [185,186] [189,190] [193,194] [197,198]
    [201,202] [205,206] [209,210] [213,214] [217,218]
    [221,222] [225,226] [229,230] [233,234] [237,238]
    [241,242] [245,246] [249,250] [253,254]
https://openvpn.net/index.php/open-source/documentation/howto.html#policy

quinh wrote: I have too many confusing things about OpenVPN that need explaining...
There is a lot to learn and I guess English is not your first language.

I highly recommend:
https://openvpn.net/index.php/open-source/documentation/howto.html

Copy & Paste that page into Google Translate.

