Configuring separate IP and firewall rule for each openvpn client

From Notes_Wiki
Revision as of 11:32, 8 April 2014 by Saurabh (talk | contribs)



If the VPN server is configured as explained at Configure new openvpn server for remote-access with NAT, every client gets an IP from the server range (10.10.0.0/16) at random. It is then not possible to trace individual users by their IP or to configure different firewall rules for each of them. For this reason openvpn offers a client configuration directory (ccd), through which clients that connect with specific certificates can be treated differently.

To use the ccd feature, modify server.conf as follows:

  1. Choose a new IP range for the VPN clients that should get special settings (for example 10.11.0.0/16).
  2. Add or uncomment the line 'client-config-dir ccd'.
  3. Make sure VPN clients in the new network (e.g. 10.11.0.0/16) are reachable over the VPN using 'route 10.11.0.0 255.255.0.0 vpn_gateway'.
  4. Create the '/etc/openvpn/ccd' folder for client-specific configuration files.
  5. Create a '/etc/openvpn/ccd/<certificate>' file to hold the configuration lines for the client that connects with the given certificate name. For example, for the saurabh@sbarjatiya.com certificate create the file '/etc/openvpn/ccd/saurabh@sbarjatiya.com'.
  6. In the '/etc/openvpn/ccd/<certificate>' file put a client-specific IP addressing line such as:
    ifconfig-push 10.11.1.1 10.11.1.2
    This ensures that the client with the given certificate name gets IP 10.11.1.1 and the server gets the corresponding VPN tunnel endpoint IP 10.11.1.2.


Adding support for networks behind a particular VPN client

If routing to a network behind a VPN client is desired, add something similar to the following to that client's configuration file:

iroute 10.100.0.0 255.255.0.0

where 10.100.0.0/16 should be replaced with the network behind the specific client. A corresponding route must also be added to the OS routing table using the

route 10.100.0.0 255.255.0.0

option in the server.conf file.


This only allows connections from the server site to the network behind the client and vice versa. It does not allow other VPN users to reach the network behind this specific client. If that is also desired, add to server.conf:

push "route 10.100.0.0 255.255.0.0"

so that clients connecting to the VPN also learn that this network is reachable over the VPN.
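As an added example (not from this wiki page), the following script audits ccd files of the kind described above and turns each client's fixed IP and iroute networks into per-client iptables rules, which is where the separate firewall rule per client from the title comes in. It assumes the default net30 tun topology, the 10.11.0.0/16 ccd range from the steps above, and a ccd directory built from constructed sample files; make_demo_ccd, valid_net30_pair, client_ip, dup_ips and gen_rules are names of my own.

```shell
# Added example, not from the wiki page: audit ccd files and print per-client
# iptables FORWARD rules keyed on the fixed IP each file assigns. Assumes the
# default tun "net30" topology, the ccd range 10.11.0.0/16 and ccd files made of
# 'ifconfig-push' plus optional 'iroute' lines. Rules are printed, not applied.

# Throwaway ccd directory with constructed sample files (real: /etc/openvpn/ccd)
make_demo_ccd() {
    d=$(mktemp -d)
    printf 'ifconfig-push 10.11.1.1 10.11.1.2\n' > "$d/saurabh@sbarjatiya.com"
    printf 'ifconfig-push 10.11.1.5 10.11.1.6\niroute 10.100.0.0 255.255.0.0\n' > "$d/site-a"
    printf 'ifconfig-push 10.11.1.3 10.11.1.4\n' > "$d/bad-pair"  # .3/.4 straddle two /30s
    echo "$d"
}

# net30 gives each client a /30 whose two usable addresses are the client and
# server tunnel endpoints, so the last octets must be (4k+1, 4k+2)
valid_net30_pair() {
    c=${1##*.}; s=${2##*.}
    [ "$((c % 4))" -eq 1 ] && [ "$((s - c))" -eq 1 ]
}

# Client IP assigned by one ccd file (first ifconfig-push line)
client_ip() { awk '$1=="ifconfig-push"{print $2; exit}' "$1"; }

# IPs handed to more than one certificate: users sharing an address cannot be
# told apart in logs, which defeats the point of ccd
dup_ips() { awk '$1=="ifconfig-push"{print $2}' "$1"/* | sort | uniq -d; }

# One ACCEPT per client source IP plus one toward each network it iroutes, each
# tagged with the certificate name so firewall logs map back to a user. Files
# with a missing, out-of-range or invalid ifconfig-push go to stderr and are skipped.
gen_rules() {
    dir=$1
    for f in "$dir"/*; do
        name=$(basename "$f")
        set -- $(awk '$1=="ifconfig-push"{print $2, $3; exit}' "$f")
        cip=$1; sip=$2
        case $cip in
            10.11.*) ;;
            *) echo "ccd/$name: '$cip' is not in 10.11.0.0/16" >&2; continue ;;
        esac
        if ! valid_net30_pair "$cip" "$sip"; then
            echo "ccd/$name: $cip/$sip is not a valid net30 pair" >&2; continue
        fi
        echo "iptables -A FORWARD -i tun0 -s $cip/32 -m comment --comment ccd:$name -j ACCEPT"
        awk -v n="$name" '$1=="iroute"{printf "iptables -A FORWARD -o tun0 -d %s/%s -m comment --comment ccd:%s -j ACCEPT\n", $2, $3, n}' "$f"
    done
}
# Run with --demo to see the output; point gen_rules at /etc/openvpn/ccd on a server
if [ "${1:-}" = "--demo" ]; then d=$(make_demo_ccd); gen_rules "$d"; dup_ips "$d"; fi
```

Review the printed rules before loading them; the bad-pair sample shows why a client whose ifconfig-push does not sit on a /30 boundary never comes up under net30 and is deliberately left without a rule.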
