vpn server with different subnets for different common names

ghilteras
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 16, 2012 2:31 pm

vpn server with different subnets for different common names

Post by ghilteras » Mon Jan 16, 2012 2:34 pm

Hello, I'm trying to create an openvpn server for several clients (all clients are ubuntu boxes). The thing is that the boxes are grouped by clients, and boxes belonging to client A should not be able to ping/reach boxes of client B.

so I thought to group clients by common name and assign a different subnet to each common name. I do not know if there is an easier option to achieve the goal, if there are please share it with me, now about the configuration:

I guess I should use TUN, and with a subnet topology, a different one for every common name with a different route? am I on the good way or am I already and completely lost?

the idea is to get for example: subnet 10.7.1.0/24 for client A, subnet 10.7.2.0/24 for client B and so on, each one with routes to only reach its own subnet. Is it even possible? If you think that there is a simpler solution (ldap or dhcp server) to blind groups of clients from each other I'd be more than eager to listen to your ideas..

cheers

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: vpn server with different subnets for different common n

Post by maikcat » Mon Jan 16, 2012 2:48 pm

what about creating 3 instances of openvpn server with different ip ranges..?

listening to different ports though.

Michael
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

ghilteras
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 16, 2012 2:31 pm

Re: vpn server with different subnets for different common n

Post by ghilteras » Mon Jan 16, 2012 3:13 pm

I would need tons of port forwardings, external accesses, firewall rules etc. etc. to do that, no I'd like to have only one openvpn server if possible.. I am sure there must be a way to dhcp with different subnets the clients based on the common name

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: vpn server with different subnets for different common n

Post by Mimiko » Sat Feb 11, 2012 7:45 pm

You can use ccd files to define different IPs from different subnets to clients based on common name, but it will not be useful, as an OpenVPN instance can create only one subnet to work with. You will have to rewrite OpenVPN code to create and handle different subnets by the same instance.

wark
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 27, 2022 7:19 am

Re: vpn server with different subnets for different common names

Post by wark » Tue Sep 27, 2022 7:34 am

For the latest version, v2.5.7, is it still the same problem? An OpenVPN instance can create only one subnet to work with???
Thanks.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: vpn server with different subnets for different common names

Post by ordex » Tue Sep 27, 2022 1:53 pm

It's not a problem, it's a design decision. What you are trying to do is not really best practice, so a scenario that is unlikely to be supported.
Why not start a separate OpenVPN instance for each customer?

If you really want to go down this way...you could have the server configure a /16 network and then allocate each single IP to each client (with different common names). After that you can use some firewall rules to prevent clients from talking to each other (and not use client-to-client).
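The ccd-plus-firewall approach from Mimiko's and ordex's replies, as an added example that is not part of this thread: one /16 on the server, a /24 slice per customer, a static `ifconfig-push` per common name, and FORWARD rules that only let a customer's own boxes talk to each other. It assumes (not stated in the thread) a server config with `topology subnet`, `server 10.7.0.0 255.255.0.0`, `client-config-dir /etc/openvpn/ccd`, `ccd-exclusive`, no `client-to-client`, and `net.ipv4.ip_forward=1`; the customer names and common names are constructed sample data.

```python
"""Plan per-common-name ccd files and iptables FORWARD rules for customer isolation.

Without `client-to-client`, OpenVPN hands inter-client packets to the kernel, so
they traverse the FORWARD chain with tun0 as both in and out interface; that is
where the isolation is enforced. With `ccd-exclusive` every client must have a
ccd file, so the dynamic pool is never drawn from and cannot collide with the
statically pushed addresses below.
"""
import ipaddress

VPN_NET = ipaddress.ip_network("10.7.0.0/16")   # assumed `server` network
DEV = "tun0"                                     # assumed tun device name

# Constructed sample: customer -> certificate common names of its boxes.
CUSTOMERS = {
    "customerA": ["boxA1", "boxA2"],
    "customerB": ["boxB1"],
}

def customer_subnets(customers):
    """Carve one /24 per customer out of VPN_NET; 10.7.0.0/24 stays for the server."""
    slices = VPN_NET.subnets(new_prefix=24)
    next(slices)  # skip the first /24 (server address 10.7.0.1 lives there)
    return {name: next(slices) for name in sorted(customers)}

def ccd_entries(customers):
    """Map each common name to its ccd file text: fixed IP, mask of the whole /16."""
    entries = {}
    for cust, sub in customer_subnets(customers).items():
        hosts = sub.hosts()
        for cn in customers[cust]:
            entries[cn] = f"ifconfig-push {next(hosts)} {VPN_NET.netmask}\n"
    return entries

def forward_rules(customers):
    """Allow tun0->tun0 traffic inside each customer's /24, drop any other tun0->tun0."""
    rules = [
        f"iptables -A FORWARD -i {DEV} -o {DEV} -s {sub} -d {sub} -j ACCEPT"
        for sub in customer_subnets(customers).values()
    ]
    rules.append(f"iptables -A FORWARD -i {DEV} -o {DEV} -j DROP")  # must stay last
    return rules

if __name__ == "__main__":
    for cn, text in ccd_entries(CUSTOMERS).items():
        print(f"# /etc/openvpn/ccd/{cn}\n{text}")
    print("\n".join(forward_rules(CUSTOMERS)))
```

Traffic from the VPN to the server's LAN is not covered by these rules; add explicit ACCEPT lines for it before the final DROP if that is wanted.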

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: vpn server with different subnets for different common names

Post by TinCanTech » Tue Sep 27, 2022 6:36 pm

ordex wrote:
Tue Sep 27, 2022 1:53 pm
Why not start a separate OpenVPN instance for each customer?
I pity those customers.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: vpn server with different subnets for different common names

Post by openvpn_inc » Wed Oct 05, 2022 11:58 am

Hello wark,

Just pitching in here. If you use OpenVPN Access Server you can set up groups in Access Server. Each group can have its own subnet. The subnets are not able to communicate with each other. So users in group A cannot ping group B and vice-versa. Such access CAN be set up if you allow group-to-group access, but normally they are isolated. This sounds like what you could use for your scenario.

Access Server by default uses port 1194 UDP and TCP 443 (as a fallback in case the UDP connection cannot be made). You have control over these ports and can set it to use only one port if you like (a UDP port would then be most sensible).

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
