Hi,
Someone would like to run OpenVPN on his premises and requested to do the following.
1. HQ OpenVPN (Fixed Public IP);
2. Branch (Fixed Public IP) with OpenVPN client on workstations;
3. HQ Firewall rule to accept VPN connection from the branch’s IP only.
Not a big deal.
However, the problem started when the bosses wished to access the HQ's VPN Server from their homes (Dynamic IP) as well.
We are not sure how to accomplish this request. On one hand, they wanted to restrict the staff to only be able to access it via the branch; on the other hand, the bosses wanted to access the VPN from their homes!
Please help!
Best Regards / Joseph
VPN Access Restrict & Not Restricting
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Mar 15, 2011 3:32 am
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: VPN Access Restrict & Not Restricting
you could use a 'client-connect' script on the server to distinguish between "workerbee.crt" and "boss.crt" and allow access based on the certificate
- OpenVpn Newbie
Re: VPN Access Restrict & Not Restricting
Hi janjust,
Thanks for the reply; I am pleased to learn that there is a way to accomplish it.
However, I am quite new to OpenVPN. Would you be so kind as to point me to related links and/or materials on how I could do it via a "client-connect" script to distinguish between "workerbee.crt" and "boss.crt"?
Really appreciate your kind assistance.
Best regards / Joseph
- janjust
Re: VPN Access Restrict & Not Restricting
I'd start with a simple 'client-connect' script which does little more than

    #!/bin/bash
    # print the arguments OpenVPN passes, then dump the environment
    echo "[$@]"
    env

add this to your (unix/linux based) server config

    script-security 2
    client-connect <full-path-to-up-script>

and then connect a "workerbee.crt" machine and a "boss.crt" machine. Check the environment variables $common_name and env vars starting with $untrusted ; from those you can make a match between "workerbee.crt" (only allowed from $untrusted_remote_ip = "....") and "boss.crt" (allowed from all $untrusted_remote_ip).
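A worked client-connect script that applies the certificate-name / source-address matching described above, as an added example that is not from the thread or from the OpenVPN project. It assumes a branch office public IP of 203.0.113.10 and certificate CNs "workerbee" and "boss" (placeholders; substitute your own). It reads the environment variables OpenVPN exports to a client-connect script: common_name (the CN of the already-verified client certificate) and trusted_ip (the authenticated client's public source address; the `env` dump from the script above will show the exact names on your version). A non-zero exit status makes OpenVPN reject the connection.

```shell
#!/bin/bash
# OpenVPN client-connect script (added example, not from the thread).
# Policy: "boss" certificates may connect from any source IP;
#         every other certificate may connect only from the branch's fixed IP.
#
# OpenVPN sets these before running --client-connect:
#   common_name  CN of the client certificate (already verified against the CA)
#   trusted_ip   public source address of the authenticated client
# $1 is a temp file for per-client config pushes; this script does not use it.
# Exit 0 = allow the connection, non-zero = OpenVPN drops the client.

BRANCH_IP="203.0.113.10"   # ASSUMED: branch office fixed public IP
BOSS_CNS="boss"            # ASSUMED: space-separated CNs allowed from anywhere

# Usage: vpn_access_allowed <common_name> <source_ip>
# Returns 0 (allow) or 1 (deny).
vpn_access_allowed() {
    local cn="$1" ip="$2" allowed_cn
    # Boss certificates: any source address (home, hotel, mobile).
    for allowed_cn in $BOSS_CNS; do
        if [ "$cn" = "$allowed_cn" ]; then
            return 0
        fi
    done
    # Everyone else: exact match on the branch address only.
    # String equality, so 203.0.113.100 does not pass for 203.0.113.10,
    # and an empty/missing address is denied.
    if [ -n "$ip" ] && [ "$ip" = "$BRANCH_IP" ]; then
        return 0
    fi
    return 1
}

# Only act when OpenVPN invoked us (common_name is exported); when the file is
# sourced for testing nothing below runs.
if [ -n "${common_name:-}" ]; then
    if vpn_access_allowed "$common_name" "${trusted_ip:-}"; then
        logger -t openvpn-cc "ALLOW cn=$common_name ip=${trusted_ip:-}"
        exit 0
    else
        logger -t openvpn-cc "DENY cn=$common_name ip=${trusted_ip:-}"
        exit 1
    fi
fi
```

Install it as, for instance, /etc/openvpn/client-connect.sh with mode 0755, point the `client-connect` directive at it and keep `script-security 2` in the server config. The deny branch logs to syslog so that a worker bee trying to connect from home shows up as a policy rejection rather than a generic TLS failure.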
- OpenVpn Newbie
Re: VPN Access Restrict & Not Restricting
Hi janjust,
Thanks. Will look into it.
Regards / Joseph