Using ifconfig-pool in client-config-dir
Posted: Thu Mar 07, 2019 3:36 pm
Hi,
My users connect to the same OpenVPN server and have the same client OpenVPN configuration (authentication through common client cert plus individual login/password through openvpn-plugin-auth-pam.so). I now have to implement access restrictions based on their logins. I've been testing the client-config-dir feature with username-as-common-name and static IPs as described in https://openvpn.net/community-resources ... s-policies, and this all works very well.
However, for hundreds of users the manual assignment of IPs gets very tedious. So I've tried to create a small number of 'access-class' files in the client-config-dir, containing ifconfig-pool settings for the respective subnets. Then I would only have to create appropriate symlinks for my users to those 'access-class' files and wouldn't have to worry about individual IPs any more. Unfortunately, OpenVPN doesn't see it that way, and I get this error:
"Options error: option 'ifconfig-pool' cannot be used in this context (/etc/openvpn/ccd/andre.esser)"
Do any of you know whether what I'm trying to do is possible at all?
Many thanks,
Andre