duplicate-cn and client subnet

pepposole
OpenVpn Newbie
Posts: 1
Joined: Tue May 17, 2011 10:39 am

duplicate-cn and client subnet

Post by pepposole » Tue May 17, 2011 10:52 am

Hello!

I'm stuck with a configuration doubt.

What I have is:

many Linux boxes with OpenVPN

Server one is configured like this:

dev tun0
mode server
tls-server

# certificate stuff
dh ssl/xxx.pem
ca ssl/xxx.it_cacert.pem
cert ssl/server.xxx.it_cert.pem
key ssl/private/server.xxx.it_key.pem
crl-verify ssl/xxx.it_crl.pem

# allow multi-client with same cn
duplicate-cn

# assigned ip addresses
ifconfig 10.8.0.1 10.8.0.2
route 10.8.0.0 255.255.255.0
push "route 10.8.0.1"
ifconfig-pool 10.8.0.4 10.8.0.254

log /var/log/openvpn.log
keepalive 60 600
daemon


Well, it's configured with DHCP-like behaviour and every client has the same certificate (duplicate-cn).

Every client has two interfaces: one interface connected to the internet, used to set up tunnels with the main server, and an internal interface with an internal subnet (let's say 192.168.1.0 for the first client, 192.168.2.0 for the second and so on...)


Since the server can't tell which client is connecting, I can't use the "client-config-dir ccd" option... so....

I would like the clients to communicate the route to the server, so that the server can reach the internal network of every single client...

I need a sort of "reverse push route".

Example:

client1 with internal subnet 192.168.1.0, after setting up the tunnel with the server and getting the 10.8.0.13-10.8.0.14 peer addresses, should tell the server that it needs to send packets through 10.8.1.14 to reach the 192.168.1.0 network


thanks in advance,
Davide

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: duplicate-cn and client subnet

Post by janjust » Tue May 17, 2011 10:56 am

OpenVPN needs to be able to distinguish the different clients; normally this is done using the client certificate, but you're using 'duplicate-cn'; an alternative is to then use username+password authentication and use '--username-as-common-name'; if you don't want to use that either, then you're out of luck.
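As an added example (not posted by either participant), this is what the server side can look like once each client is identified by its username instead of the shared certificate: the server authenticates username+password, takes the verified username as the common name, and reads a per-username ccd file whose iroute declares that client's internal subnet. The verify script path, the ccd directory name and the two client subnets are assumptions.

```conf
# server.conf (example; certificate paths reused from the original post)
dev tun0
mode server
tls-server
dh ssl/xxx.pem
ca ssl/xxx.it_cacert.pem
cert ssl/server.xxx.it_cert.pem
key ssl/private/server.xxx.it_key.pem
crl-verify ssl/xxx.it_crl.pem

# Every client may still present the same certificate, but each one also
# sends its own username and password, checked by this script (assumed path).
# via-file: OpenVPN writes username and password to a temp file for the script.
script-security 2
auth-user-pass-verify /etc/openvpn/check-user.sh via-file

# Use the verified username as the client's identity instead of the
# certificate CN. 'duplicate-cn' is no longer needed: the identity is now
# per username, so two clients only collide if they share a username.
username-as-common-name

ifconfig 10.8.0.1 10.8.0.2
route 10.8.0.0 255.255.255.0
ifconfig-pool 10.8.0.4 10.8.0.254

# Per-client settings are read from ccd/<username>.
client-config-dir ccd

# Kernel routes: send each client LAN into the tunnel (next hop is the
# ifconfig peer, 10.8.0.2). Subnets are assumed for this example.
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0

# ccd/client1 (one file per username; tells OpenVPN which tunnel session
# owns 192.168.1.0/24 so it can steer packets to the right client):
#   iroute 192.168.1.0 255.255.255.0
# ccd/client2:
#   iroute 192.168.2.0 255.255.255.0

log /var/log/openvpn.log
keepalive 60 600
daemon
```

Each client then adds `auth-user-pass` with its own credentials to its config; because the username is what separates the clients, the verify script must reject unknown users and wrong passwords, otherwise any holder of the shared certificate can claim another client's subnet.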
