
vpn server with different subnets for different common names

Posted: Mon Jan 16, 2012 2:34 pm
by ghilteras
Hello, I'm trying to create an OpenVPN server for several clients (all clients are Ubuntu boxes). The thing is that the boxes are grouped by clients, and boxes belonging to client A should not be able to ping/reach boxes of client B.

So I thought to group clients by common name and assign a different subnet to each common name. I do not know if there is an easier option to achieve the goal; if there is, please share it with me. Now about the configuration:

I guess I should use TUN with a subnet topology, a different one for every common name with a different route? Am I on the right track, or am I already and completely lost?

The idea is to get, for example, subnet 10.7.1.0/24 for client A, subnet 10.7.2.0/24 for client B, and so on, each one with routes to reach only its own subnet. Is it even possible? If you think there is a simpler solution (LDAP or DHCP server) to blind groups of clients from each other, I'd be more than eager to listen to your ideas.

cheers

Re: vpn server with different subnets for different common n

Posted: Mon Jan 16, 2012 2:48 pm
by maikcat
What about creating 3 instances of the OpenVPN server with different IP ranges?

Listening on different ports, though.

Michael

Re: vpn server with different subnets for different common n

Posted: Mon Jan 16, 2012 3:13 pm
by ghilteras
I would need tons of port forwardings, external accesses, firewall rules, etc. etc. to do that. No, I'd like to have only one OpenVPN server if possible. I am sure there must be a way to DHCP the clients into different subnets based on the common name.

Re: vpn server with different subnets for different common n

Posted: Sat Feb 11, 2012 7:45 pm
by Mimiko
You can use ccd files to define different IPs from different subnets for clients based on common name, but it will be useless, as an OpenVPN instance can create only one subnet to work with. You would have to rewrite the OpenVPN code to create and handle different subnets in the same instance.

Re: vpn server with different subnets for different common names

Posted: Tue Sep 27, 2022 7:34 am
by wark
For the latest version, v2.5.7, is it still the same problem? An OpenVPN instance can create only one subnet to work with???
Thanks.

Re: vpn server with different subnets for different common names

Posted: Tue Sep 27, 2022 1:53 pm
by ordex
It's not a problem, it's a design decision. What you are trying to do is not really best practice, so it is a scenario that is unlikely to be supported.
Why not start a separate OpenVPN instance for each customer?

If you really want to go down this way... you could have the server configure a /16 network and then allocate each single IP to each client (with different common names). After that you can use some firewall rules to prevent clients from talking to each other (and not use client-to-client).
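The single-instance layout described in the two posts above (a /16 on one server, fixed addresses handed out per common name through ccd files as Mimiko mentions, and server-side firewall rules instead of client-to-client as ordex suggests) is easy to get subtly wrong, so here is an added example that is not from this thread or from the OpenVPN project. It is a POSIX shell script that generates the server config, the per-CN ccd files and the iptables rules from a constructed list of clients. Everything in it is an assumption for illustration: the common names, the customer numbering (customer N owns 10.7.N.0/24), the interface name tun0, and the output directory. It only writes files and prints rules; it does not start OpenVPN or touch the live firewall.

```shell
#!/bin/sh
# Added example: one OpenVPN instance on 10.7.0.0/16 with per-customer /24
# ranges assigned by common name, plus forwarding rules that isolate them.
# Assumptions (not from the thread): VPN interface tun0, sample client list
# below is constructed, customer N is given 10.7.N.0/24.

VPN_IF="${VPN_IF:-tun0}"

# Constructed sample data: "<common-name> <customer-id> <host-octet>"
CLIENTS='
alpha-web 1 10
alpha-db 1 11
beta-web 2 10
beta-app 2 11
'

# Fixed VPN address for a client: 10.7.<customer>.<host>
client_ip() {
    printf '10.7.%s.%s\n' "$1" "$2"
}

# Body of ccd/<cn>. With "topology subnet" the second argument is the
# netmask, and it must be the whole /16 so the client sends every
# 10.7.x.x packet into the tunnel, where the server's firewall decides.
ccd_entry() {
    printf 'ifconfig-push %s 255.255.0.0\n' "$(client_ip "$1" "$2")"
}

# Server side: a single /16, ccd-exclusive so a CN without a ccd file is
# refused rather than given a pool address, and no client-to-client so
# inter-client traffic goes through the kernel FORWARD chain.
server_conf() {
    cat <<EOF
dev tun
topology subnet
server 10.7.0.0 255.255.0.0
client-config-dir ccd
ccd-exclusive
# client-to-client deliberately absent: traffic between clients must be
# routed by the kernel (net.ipv4.ip_forward=1) so iptables can filter it
EOF
}

# Firewall rules for customers 1..$1: allow traffic that stays inside a
# customer's own /24, drop every other tun0->tun0 packet.
fw_rules() {
    printf 'iptables -N VPN_ISOLATE\n'
    i=1
    while [ "$i" -le "$1" ]; do
        printf 'iptables -A VPN_ISOLATE -s 10.7.%s.0/24 -d 10.7.%s.0/24 -j ACCEPT\n' "$i" "$i"
        i=$((i + 1))
    done
    printf 'iptables -A VPN_ISOLATE -j DROP\n'
    printf 'iptables -I FORWARD -i %s -o %s -j VPN_ISOLATE\n' "$VPN_IF" "$VPN_IF"
}

# Write server.conf, ccd/<cn> files and firewall.sh under directory $1.
generate() {
    out="$1"
    mkdir -p "$out/ccd"
    server_conf > "$out/server.conf"
    echo "$CLIENTS" | while read -r cn cust host; do
        [ -n "$cn" ] || continue
        ccd_entry "$cust" "$host" > "$out/ccd/$cn"
    done
    fw_rules 2 > "$out/firewall.sh"
}

# Usage: generate /etc/openvpn/customers ; then review and run firewall.sh
```

Two points worth checking before relying on this: the pushed netmask must be the full /16, not the customer's /24, otherwise a client would ARP for its neighbours locally and never send the packet to the server where the rules live; and the DROP rule only helps if the kernel actually forwards tun0 traffic back out of tun0, which is exactly what leaving client-to-client off achieves. A client that can edit its own routes can still only reach what the FORWARD chain permits, which is the whole reason for doing the isolation on the server rather than with pushed routes.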

Re: vpn server with different subnets for different common names

Posted: Tue Sep 27, 2022 6:36 pm
by TinCanTech
ordex wrote:
Tue Sep 27, 2022 1:53 pm
Why not start a separate OpenVPN instance for each customer?
I pity those customers.

Re: vpn server with different subnets for different common names

Posted: Wed Oct 05, 2022 11:58 am
by openvpn_inc
Hello wark,

Just pitching in here. If you use OpenVPN Access Server you can set up groups in Access Server. Each group can have its own subnet. The subnets are not able to communicate with each other, so users in group A cannot ping group B and vice versa. Such access CAN be set up if you allow group-to-group access, but normally they are isolated. This sounds like what you could use for your scenario.

Access Server by default uses port 1194 UDP and TCP 443 (as a fallback in case the UDP connection cannot be made). You have control over these ports and can set it to use only one port if you like (a UDP port would then be most sensible).

Kind regards,
Johan