November 7, 2013 at 11:50 am #43776
I created a fine working Zeroshell-VPN System with X.509 authentication.
Now i want to connect Users with fix IP to the VPN-Network.
I created the Direction “ccd” in the correct path and created a client config document (just how this[/url:1k6j5qru] example explains). After added “–client-config-dir /DB/_DB.002/var/registered/system/openvpn/ccd” to the command line i tested the configuration.
But Zeroshell always assigns IP Adresses from automatic Client ip adress Assignment-Pool. (My Client IP is not in that Pool).
Has anybody tried the same or can help me?
Thanks 🙂November 7, 2013 at 6:26 pm #53000
My functioning config. has been done as follows, I create the dir. ccd in /Database/etc ,
then for each user has been created a file , eg. foo
ifconfig-push 192.168.250.10 255.255.255.224
Int this sample, foo is the username , if you use only x509, specify the CN of the client certificate. In command line parameters
you could also add
--ccd-exclusive --remote-cert-eku 'TLS Web Client Authentication'
the first parameter tells to the server accept connections only from clients for which has been created a configuration file in the ccd directory , while the second one accepts connections only clients with certificate with TLS Web Client Authentication as extended key usage , in the client config (the file on the client) also add
remote-cert-eku 'TLS Web Server Authentication'
to avoid the “MITM” warning
greetingsNovember 8, 2013 at 9:30 am #53001
thanks a lot for your answer.
I tried a lot of times to solve the MITM-Warning, but was not able to handle that Problem… 😮
My Question to your configuration is: How do you log in OpenVPN?
I created a Kerberos 5 realm and log in with “user@domain” and password… then I get an ip from the Pool I specified in Zeroshell-Web-Platform.
When I log in with “user” and password, then i get the ip from the user-specific ccd-File.
I don´tknow what the Kerberos realm is for in this situation?
I changed the Zeroshell from “X.509 & Password” to “only X.509” – Authentication and everything works fine, fast and without WarningNovember 8, 2013 at 12:12 pm #53002
i have registered an new Problem…
I can connect the Openvpn as a user and get the fixed user-IP and stay connected. While this I am able to connect the same user from another Pc, and get the same OpenVPN-IP……
How is that possible, or how can i solve this Problem?
I wan t only one Connection per user to be allowed…November 8, 2013 at 5:58 pm #53003
I think it makes no sense sharing the same user/pwd or digital certificates , since both should be strictly personals !! Over that , using the static ip address assignement , based on username or certificate and then share these data…
I use this config. for having a control on “authorization network” ( via iptables), foo , with its own ip address while connected via vpn can go there (nas as well as ip-cam), while mickey mouse can’t , he can only access an internal web server…
anyway , to avoid the use at the same time of the same certificate ( i use X509+pwd) , I copied in /Database the file vpn_start , located in the /root/kerbynet.cgi/scripts/ directory , then I have removed the parameter –duplicate-cn , saved and in preboot I’ve added this line
cp -r /Database/vpn_start /root/kerbynet.cgi/scripts/vpn_start
I hope can help
greetingsNovember 12, 2013 at 1:24 pm #53004
Thank you redfive,
but I think you´re right.. the connection data must be strictly personal.
do you know a good Manual for handling iptables? i have no experience with that…
You must be logged in to reply to this topic.