
Using ifconfig-pool in client-config-dir

Posted: Thu Mar 07, 2019 3:36 pm
by andre.esser
Hi,

My users connect to the same OpenVPN server and have the same client OpenVPN configuration (authentication through common client cert plus individual login/password through openvpn-plugin-auth-pam.so). I now have to implement access restrictions based on their logins. I've been testing the client-config-dir feature with username-as-common-name and static IPs as described in https://openvpn.net/community-resources ... s-policies, and this all works very well.

However for hundreds of users the manual assignment of IPs gets very tedious. So I've tried to create a small number of 'access-class' files in the client-config-dir, containing ifconfig-pool settings for the respective subnets. Then I would only have to create appropriate symlinks for my users to those 'access-class' files and wouldn't have to worry about individual IPs any more. Unfortunately OpenVPN doesn't see it that way, and I get this error:

"Options error: option 'ifconfig-pool' cannot be used in this context (/etc/openvpn/ccd/andre.esser)"

Do any of you know whether what I'm trying to do is possible at all?

Many thanks,

Andre

Re: Using ifconfig-pool in client-config-dir

Posted: Thu Mar 07, 2019 4:05 pm
by TinCanTech
This certainly is not possible with current openvpn.

You could make a feature request here:
https://community.openvpn.net/openvpn/newticket

Select: Type Feature Wish

Also, I am not confident that the openvpn article you read is accurate; I would need to test it.

Edit: Double checked with the Devs, the article is quirky but will work.
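
One way to keep per-class static IPs without hand-editing hundreds of files is to generate the `ifconfig-push` ccd entries from a login-to-class map. The sketch below is an added example, not part of the original posts or of OpenVPN; it assumes `topology subnet`, and the class names, subnets, netmask and reserved server address are constructed sample values.

```python
import ipaddress
import re

# Constructed sample values (assumptions, not taken from the thread).
CLASSES = {"staff": "10.8.1.0/24", "contractor": "10.8.2.0/29"}
VPN_NETMASK = "255.255.0.0"   # netmask of the server's whole VPN network
RESERVED = ("10.8.0.1",)      # the server's own tunnel address
# With username-as-common-name the login becomes a file name in the ccd
# directory, so reject anything that could escape it or hide as a dotfile.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

def allocate(users, existing=None, classes=CLASSES, reserved=RESERVED):
    """Return {login: ip}. users is {login: class}; existing is {login: ip}
    from a previous run and is kept while it still fits the user's class."""
    existing = existing or {}
    hosts = {c: [str(h) for h in ipaddress.ip_network(n).hosts()]
             for c, n in classes.items()}
    result, used = {}, set(reserved)
    # Pass 1: validate input and keep stable addresses for known users.
    for login, cls in users.items():
        if not SAFE_NAME.match(login):
            raise ValueError(f"unsafe login for a ccd file name: {login!r}")
        if cls not in hosts:
            raise ValueError(f"unknown access class: {cls!r}")
        ip = existing.get(login)
        if ip in hosts[cls] and ip not in used:
            result[login] = ip
            used.add(ip)
    # Pass 2: new users, or users whose class changed, get the first free host.
    for login, cls in sorted(users.items()):
        if login in result:
            continue
        free = next((h for h in hosts[cls] if h not in used), None)
        if free is None:
            raise RuntimeError(f"access class {cls!r} has no free address")
        result[login] = free
        used.add(free)
    return result

def ccd_files(assignments, netmask=VPN_NETMASK):
    """Return {file name: content} to be written into the client-config-dir."""
    return {login: f"ifconfig-push {ip} {netmask}\n"
            for login, ip in assignments.items()}

if __name__ == "__main__":
    sample = {"andre.esser": "staff", "bob": "staff", "carol": "contractor"}
    for name, body in ccd_files(allocate(sample)).items():
        print(name, "->", body.strip())
```

Feeding the previous run's assignments back in as `existing` keeps addresses stable, so firewall rules written per class subnet keep matching the same users.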

Re: Using ifconfig-pool in client-config-dir

Posted: Thu Mar 21, 2019 11:11 am
by andre.esser
Thank you TinCanTech, created as

https://community.openvpn.net/openvpn/ticket/1173

Andre

Re: Using ifconfig-pool in client-config-dir

Posted: Thu Mar 28, 2019 8:26 am
by SofianeLandez
Good to know! Thanks for the information.

Re: Using ifconfig-pool in client-config-dir

Posted: Fri Jan 03, 2020 2:12 pm
by krapula
Just to follow up on this, is it possible to set the DHCP pool from the management interface?
For example using these:
COMMAND -- client-auth (OpenVPN 2.1 or higher)
-----------------------------------------------

Authorize a ">CLIENT:CONNECT" or ">CLIENT:REAUTH" request and specify
"client-connect" configuration directives in a subsequent text block.