Configure OpenVPN for several access types and authentication methods in load balancing
Posted: Thu Nov 07, 2019 4:00 pm
I installed and configured an OpenVPN server for my guests, for now with PAM authentication.
I have several questions about how, and whether, it is possible to configure OpenVPN for my needs.
1a) I would like to know if it is possible to have mixed authentication (PAM + LDAP + RADIUS + certificates, or some of them) in the same configuration?
1b) If it is not possible, is it possible to use LDAP authentication and have several kinds of access?
I mean, I have several kinds of VPN clients:
- guests, that would have access to some networks only
- admins, that would have access to all networks (but maybe not internet through the VPN)
- internet users, that would have access to some networks and internet through the VPN too
I will use 3 different networks, one for each kind of access, say 172.16.1.0, 172.16.2.0 and 172.16.3.0 (just as an example).
I know I will need iptables rules to separate access based on the network into which a user is translated; this is not a problem, I know how to set up a firewall.
I searched and found this document https://openvpn.net/community-resources/how-to/#scope
but while I understand the server network configuration, I don't understand where the common-name has to be used: in the client configuration or in some other way?
2) The ccd file will ifconfig-push a network IP for each kind of access in your example (admin or contractors), but is it not possible to use an entire network or subnet, like for the server statement, for example
ifconfig-push 172.16.1.1 172.16.1.254
for each of the networks I need?
3) If I have to use only LDAP authentication, how can I divide several kinds of access based on the same user?
I mean, sometimes a user called "soprano" needs to have access only like guests, sometimes like admins and sometimes like internet users; is it possible to do this with only one server configuration?
And how does the server choose which access to give to that user? I suspect using the common-name, and here I go back to the question of where I have to put the common-name.
4) If I use LDAP, can I use some information stored in LDAP for the common-name?
5) If I use more OpenVPN servers (2 or 3), will I have to use different networks for each kind of access?
I mean, for troubleshooting purposes it is preferable to have
openvpn1
172.16.1.0 guests
172.16.2.0 admins
172.16.3.0 internet users
openvpn2
172.16.21.0 guests
172.16.22.0 admins
172.16.23.0 internet users
openvpn3
172.16.31.0 guests
172.16.32.0 admins
172.16.33.0 internet users
so when I have some problems I will know directly on which server to search for information or logs.
6) I would like to know if it is better to have 1-2 servers with more CPUs or more servers with a single CPU. Is OpenVPN able to use more CPUs simultaneously?
Thanks for now
soprano
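The post's questions 2 and 3 revolve around where the common-name enters the picture and how one server can hand out a different subnet per kind of access. Besides static ccd files, OpenVPN offers `client-connect <script>`: after authentication the server runs the script with the client's `common_name` (and, when a username/password backend such as PAM or LDAP is used, `username`) in the environment, and the last argument is a temporary file into which the script may write the same per-client directives a ccd file would hold, such as `ifconfig-push` and `push`; a non-zero exit refuses the connection. The script below is an added example, not code from the post or from the OpenVPN project. It assumes `topology subnet` on the server, the three example subnets from the post, and a constructed in-memory map standing in for the LDAP group lookup the post wants; the role names, the `VPN_LEASE_FILE` variable and the lease file format are hypothetical.

```python
#!/usr/bin/env python3
"""OpenVPN client-connect script: pin each client to the subnet of its role.

Server side (assumed):  topology subnet
                        script-security 2
                        client-connect /etc/openvpn/assign_role.py
"""
import ipaddress
import json
import os
import sys

# Role -> (address pool, whether the client's Internet traffic goes via the VPN).
# Pools are the example subnets from the post; the server holds .1 in each.
ROLE_POOLS = {
    "guest":    (ipaddress.ip_network("172.16.1.0/24"), False),
    "admin":    (ipaddress.ip_network("172.16.2.0/24"), False),
    "internet": (ipaddress.ip_network("172.16.3.0/24"), True),
}

# Constructed stand-in for an LDAP group lookup keyed by certificate common name.
# Hypothetical data: a real deployment would query the directory here.
DIRECTORY = {
    "soprano-guest": "guest",
    "soprano-admin": "admin",
    "soprano-net":   "internet",
    "bassman-guest": "guest",
}


def lookup_role(common_name):
    """Return the role for a common name, or None if it is unknown."""
    return DIRECTORY.get(common_name)


def allocate(common_name, role, leases):
    """Return the client's address in its role's pool, reusing a lease if valid.

    `leases` maps common_name -> dotted address and is mutated in place.
    A stale lease from another role's pool is discarded so a user whose
    group changed is moved into the right subnet (and firewall rules).
    """
    pool, _ = ROLE_POOLS[role]
    current = leases.get(common_name)
    if current is not None and ipaddress.ip_address(current) in pool:
        return current
    used = set(leases.values())
    for host in pool.hosts():
        if host == pool.network_address + 1:
            continue  # the server's own address in this subnet
        if str(host) not in used:
            leases[common_name] = str(host)
            return str(host)
    raise RuntimeError(f"pool {pool} for role {role} is exhausted")


def directives(common_name, leases):
    """Build the per-client directive lines, or None to refuse the client."""
    role = lookup_role(common_name)
    if role is None:
        return None
    pool, internet_via_vpn = ROLE_POOLS[role]
    address = allocate(common_name, role, leases)
    lines = [f"ifconfig-push {address} {pool.netmask}"]
    if internet_via_vpn:
        # Only 'internet' clients get a default route through the tunnel.
        lines.append('push "redirect-gateway def1"')
    return lines


def main(argv):
    common_name = os.environ.get("common_name")
    if not common_name or len(argv) < 2:
        return 1
    lease_path = os.environ.get("VPN_LEASE_FILE", "/var/lib/openvpn/leases.json")
    try:
        with open(lease_path) as fh:
            leases = json.load(fh)
    except FileNotFoundError:
        leases = {}
    lines = directives(common_name, leases)
    if lines is None:
        return 1  # unknown identity: OpenVPN refuses the connection
    with open(argv[-1], "w") as fh:  # temp file OpenVPN reads as ccd content
        fh.write("\n".join(lines) + "\n")
    with open(lease_path, "w") as fh:
        json.dump(leases, fh)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

OpenVPN runs client-connect scripts synchronously inside one server process, so the lease file is safe within a single instance; it is per server, which is one reason to give each server its own set of role subnets as the post proposes. The iptables rules then only need to match on the source subnet, not on individual users.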