VPN Access Restrict & Not Restricting

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
jslh
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 15, 2011 3:32 am

VPN Access Restrict & Not Restricting

Post by jslh » Tue Mar 15, 2011 3:41 am

Hi,

Someone would like to run OpenVPN on his premises and requested to do the following.

1. HQ OpenVPN (Fixed Public IP);
2. Branch (Fixed Public IP) with OpenVPN client on workstations;
3. HQ Firewall rule to accept VPN connection from the branch’s IP only.

Not a big deal.

However, the problem started when the bosses wished to access the HQ's VPN server from their homes (Dynamic IP) as well.

We are not sure how to accomplish this request. On one hand, they want to restrict the staff so that they can only access via the branch; on the other hand, the bosses want to access the VPN from their homes!

Please help!

Best Regards / Joseph

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: VPN Access Restrict & Not Restricting

Post by janjust » Tue Mar 15, 2011 11:10 am

you could use a 'client-connect' script on the server to distinguish between "workerbee.crt" and "boss.crt" and allow access based on the certificate

jslh
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 15, 2011 3:32 am

Re: VPN Access Restrict & Not Restricting

Post by jslh » Tue Mar 15, 2011 1:01 pm

Hi janjust,

Thanks for the reply; I am pleased to learn that there is a way to accomplish it.

However, I am quite new to OpenVPN. Would you be kind enough to point me to the related links and/or materials on how I could do it via a "client-connect" script to distinguish between "workerbee.crt" and "boss.crt"?

I really appreciate your kind assistance.

Best regards / Joseph

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: VPN Access Restrict & Not Restricting

Post by janjust » Tue Mar 15, 2011 2:23 pm

I'd start with a simple 'client-connect' script which does little more than

Code:

    #!/bin/bash
    # print the arguments and the environment OpenVPN hands to the hook
    echo "[$@]"
    env

add this to your (unix/linux based) server config

Code:

    script-security 2
    client-connect <full-path-to-up-script>

and then connect a "workerbee.crt" machine and a "boss.crt" machine. Check the environment variables $common_name and env vars starting with $untrusted; from those you can make a match between "workerbee.crt" (only allowed from $untrusted_remote_ip = "....") and "boss.crt" (allowed from all $untrusted_remote_ip).

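Here is what that client-connect script looks like once the match is written in, as an added example that is not code from the post above or from the OpenVPN project. Two corrections to the variable names matter in practice: OpenVPN exports the certificate CN as $common_name, the not-yet-authenticated peer address as $untrusted_ip (for --tls-verify), and the authenticated peer address as $trusted_ip (for --client-connect); there is no $untrusted_remote_ip. A non-zero exit from the hook makes the server drop the client. The branch address 203.0.113.10, the CN list and the log path are assumptions for the example; substitute your own.

```shell
#!/bin/bash
# Added example (not from the original post): OpenVPN client-connect hook that
# lets "boss" certificates connect from anywhere but pins every other CN to the
# branch office's fixed public IP.
#
# Server config (Linux) needs:
#   script-security 2
#   client-connect /etc/openvpn/client-connect.sh
#
# OpenVPN exports the client certificate's CN as $common_name and, for
# --client-connect, the authenticated peer address as $trusted_ip.
# Exiting non-zero makes the server reject the connecting client.

BRANCH_IP="203.0.113.10"        # assumed: the branch's fixed public IP
ALLOW_ANYWHERE="boss boss2"     # assumed: CNs allowed from any address
LOG="/var/log/openvpn-access.log"   # assumed log path

# decide CN IP  -> prints "allow" or "deny" (always returns 0)
decide() {
    local cn="$1" ip="$2" name
    # exact-match the CN against the allow-anywhere list; "bossy" must not
    # pass for "boss", so no pattern or prefix matching here
    for name in $ALLOW_ANYWHERE; do
        if [ "$cn" = "$name" ]; then
            echo allow
            return 0
        fi
    done
    # everyone else must arrive from the branch; workstations behind the
    # branch NAT all present that one public address
    if [ "$ip" = "$BRANCH_IP" ]; then
        echo allow
    else
        echo deny
    fi
    return 0
}

# Only run the hook logic when OpenVPN invoked us (it exports common_name);
# sourcing the file elsewhere just defines decide().
if [ -n "${common_name:-}" ]; then
    verdict=$(decide "$common_name" "${trusted_ip:-}")
    printf '%s client-connect cn=%s ip=%s verdict=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$common_name" \
        "${trusted_ip:-unknown}" "$verdict" >> "$LOG" 2>/dev/null || true
    [ "$verdict" = allow ] || exit 1   # non-zero exit: server rejects client
    exit 0
fi
```

One consequence worth stating: once the bosses connect from dynamic home addresses, the HQ firewall rule from point 3 has to accept the OpenVPN port from any source, so this hook (together with the certificates) becomes the control that keeps staff pinned to the branch. Keep the CN list short and exact, and treat a revoked or lost "boss" certificate with the CRL, since the hook trusts the CN the certificate carries.
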
jslh
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 15, 2011 3:32 am

Re: VPN Access Restrict & Not Restricting

Post by jslh » Thu Mar 17, 2011 1:53 am

Hi janjust,

Thanks. Will look into it.

Regards / Joseph
