Fixed IP´s for OpenVPN-Clients


This topic contains 4 replies, has 0 voices, and was last updated by Hummel 6 years, 1 month ago.

    #43776

    Hummel
    Member

    Hello.
    I created a fine working Zeroshell VPN system with X.509 authentication.
    Now I want to connect users with a fixed IP to the VPN network.

    I created the directory “ccd” in the correct path and created a client config document (just as this example explains). After adding “--client-config-dir /DB/_DB.002/var/registered/system/openvpn/ccd” to the command line I tested the configuration.

    But Zeroshell always assigns IP addresses from the automatic client IP address assignment pool. (My client IP is not in that pool).

    Has anybody tried the same or can help me?

    Thanks 🙂

    #53000

    redfive
    Participant

    My functioning config has been done as follows. I create the dir. ccd in /Database/etc:

    mkdir /Database/etc/ccd

    then for each user a file has been created, e.g. foo:

    vi  /Database/etc/ccd/foo

    that contains

    ifconfig-push 192.168.250.10 255.255.255.224

    In this sample, foo is the username; if you use only X.509, specify the CN of the client certificate. In the command line parameters

    --client-config-dir /Database/etc/ccd

    you could also add

    --ccd-exclusive --remote-cert-eku 'TLS Web Client Authentication'

    The first parameter tells the server to accept connections only from clients for which a configuration file has been created in the ccd directory, while the second one accepts connections only from clients whose certificate has TLS Web Client Authentication as extended key usage. In the client config (the file on the client) also add

    remote-cert-eku 'TLS Web Server Authentication'

    to avoid the “MITM” warning.
    Greetings
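
The ccd layout redfive describes (one file per username or certificate CN, each carrying an ifconfig-push line) is easy to get wrong in exactly the way the opening post reports: a static address that collides with Zeroshell's automatic pool, or two clients given the same address. The following Python script is an added example, not part of this thread or of Zeroshell, that audits such a directory before it is put on the command line. The VPN subnet, the pool boundaries and the sample ccd files are constructed for the example; only the 255.255.255.224 mask is taken from redfive's post.

```python
import ipaddress
import os
import tempfile

# Assumed layout (constructed for this example, not taken from the thread):
# the VPN subnet matches the 255.255.255.224 mask redfive pushes, static
# addresses live in the low part of it and Zeroshell's automatic pool in the
# high part. A static address must never fall inside the automatic pool.
VPN_NET = ipaddress.ip_network("192.168.250.0/27")
POOL_START = ipaddress.ip_address("192.168.250.16")
POOL_END = ipaddress.ip_address("192.168.250.30")

# Constructed ccd directory contents: file name = username or certificate CN.
# "badpool" is inside the automatic pool, "nopush" has no ifconfig-push line,
# and "shared" reuses foo's address, so the audit has something to report.
SAMPLE_CCD = {
    "foo":     "ifconfig-push 192.168.250.10 255.255.255.224\n",
    "mickey":  "ifconfig-push 192.168.250.11 255.255.255.224\n",
    "badpool": "ifconfig-push 192.168.250.20 255.255.255.224\n",
    "nopush":  'push "route 10.0.0.0 255.0.0.0"\n',
    "shared":  "# same address as foo\nifconfig-push 192.168.250.10 255.255.255.224\n",
}


def parse_ccd_file(path):
    """Return (address, netmask) from the file's ifconfig-push line, or None."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            parts = line.split()
            if len(parts) >= 3 and parts[0] == "ifconfig-push":
                return ipaddress.ip_address(parts[1]), parts[2]
    return None


def audit_ccd(ccd_dir, vpn_net=VPN_NET, pool_start=POOL_START, pool_end=POOL_END):
    """Check every per-client file and return a list of human-readable findings."""
    findings = []
    owner = {}  # address -> first client file that claimed it
    for name in sorted(os.listdir(ccd_dir)):
        entry = parse_ccd_file(os.path.join(ccd_dir, name))
        if entry is None:
            findings.append(f"{name}: no ifconfig-push line, client would get a pool address")
            continue
        addr, mask = entry
        if addr not in vpn_net:
            findings.append(f"{name}: {addr} is outside the VPN subnet {vpn_net}")
        elif pool_start <= addr <= pool_end:
            findings.append(f"{name}: {addr} lies inside the automatic pool {pool_start}-{pool_end}")
        if mask != str(vpn_net.netmask):
            findings.append(f"{name}: netmask {mask} does not match {vpn_net.netmask}")
        if addr in owner:
            findings.append(f"{name}: {addr} is already assigned to {owner[addr]}")
        else:
            owner[addr] = name
    return findings


def write_sample_ccd():
    """Materialise SAMPLE_CCD in a temporary directory and return its path."""
    ccd_dir = tempfile.mkdtemp(prefix="ccd-")
    for name, body in SAMPLE_CCD.items():
        with open(os.path.join(ccd_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return ccd_dir


def run_sample():
    """Audit the constructed directory; returns the findings list."""
    return audit_ccd(write_sample_ccd())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Point audit_ccd at the real directory (/Database/etc/ccd in redfive's setup) with the subnet and pool range taken from the Zeroshell VPN page; a clean run is an empty list. The "no ifconfig-push line" finding is informational, since a ccd file may legitimately carry only push or iroute lines, but it explains the symptom in the opening post when the file was expected to pin an address.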

    #53001

    Hummel
    Member

    Hey redfive,
    thanks a lot for your answer.

    I tried a lot of times to solve the MITM warning, but was not able to handle that problem… 😮

    My question about your configuration is: how do you log in to OpenVPN?
    I created a Kerberos 5 realm and log in with “user@domain” and password… then I get an IP from the pool I specified in the Zeroshell web platform.

    When I log in with “user” and password, then I get the IP from the user-specific ccd file.

    I don't know what the Kerberos realm is for in this situation?

    Edit:
    I changed the Zeroshell authentication from “X.509 & Password” to “only X.509” and everything works fine, fast and without warning.

    #53002

    Hummel
    Member

    I have registered a new problem…

    I can connect to the OpenVPN as a user, get the fixed user IP and stay connected. While doing this I am able to connect the same user from another PC, and get the same OpenVPN IP……
    How is that possible, or how can I solve this problem?

    I want only one connection per user to be allowed…

    #53003

    redfive
    Participant

    I think it makes no sense sharing the same user/pwd or digital certificates, since both should be strictly personal!! On top of that, using the static IP address assignment based on username or certificate and then sharing these data…
    I use this config for having control over the “authorization network” (via iptables): foo, with its own IP address while connected via VPN, can go there (NAS as well as IP cam), while mickey mouse can't, he can only access an internal web server…
    Anyway, to avoid the use at the same time of the same certificate (I use X509+pwd), I copied into /Database the file vpn_start, located in the /root/kerbynet.cgi/scripts/ directory, then I removed the parameter --duplicate-cn, saved, and in preboot I added this line
    cp -r /Database/vpn_start /root/kerbynet.cgi/scripts/vpn_start
    I hope this can help
    Greetings
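
Taken together, redfive's two replies amount to three changes on the OpenVPN server command line: drop --duplicate-cn (without it OpenVPN disconnects the older session when a second client presents the same CN, which is the one-connection-per-user behaviour Hummel asks for), add --ccd-exclusive so that only clients with a ccd file are admitted, and add --remote-cert-eku so that only certificates carrying the client EKU are accepted. The script below is an added example, not part of this thread or of Zeroshell, that audits a server command line for those three points and renders the hardened line. The sample command line is constructed for the example and is not the contents of Zeroshell's vpn_start script.

```python
import shlex

# Constructed sample in the style of the --option parameters quoted in this
# thread. It is NOT the real vpn_start content, which this example does not
# reproduce; only the three options discussed in the thread matter here.
SAMPLE_CMDLINE = (
    "openvpn --dev tap0 --port 1194 --proto tcp-server "
    "--client-config-dir /Database/etc/ccd --duplicate-cn --verb 3"
)


def parse_options(cmdline):
    """Split an openvpn command line into (program, [(name, [args]), ...])."""
    tokens = shlex.split(cmdline)
    program, options = tokens[0], []
    for tok in tokens[1:]:
        if tok.startswith("--"):
            options.append((tok[2:], []))
        elif options:
            options[-1][1].append(tok)      # value belongs to the preceding option
        else:
            raise ValueError(f"stray argument before first option: {tok!r}")
    return program, options


def option_names(options):
    return {name for name, _ in options}


def audit_options(options):
    """Return findings for the three weaknesses discussed in the thread."""
    names = option_names(options)
    findings = []
    if "duplicate-cn" in names:
        findings.append("duplicate-cn: one certificate CN may hold several sessions at once")
    if "client-config-dir" in names and "ccd-exclusive" not in names:
        findings.append("ccd-exclusive missing: clients without a ccd file still connect "
                        "and draw an address from the automatic pool")
    if "remote-cert-eku" not in names:
        findings.append("remote-cert-eku missing: any certificate from the CA, including "
                        "a server certificate, is accepted as a client")
    return findings


def harden_options(options):
    """Return a copy with redfive's three changes applied (input is not modified)."""
    names = option_names(options)
    hardened = [(n, list(a)) for n, a in options if n != "duplicate-cn"]
    # ccd-exclusive only makes sense when a ccd directory is configured;
    # adding it without one would lock every client out.
    if "client-config-dir" in names and "ccd-exclusive" not in names:
        hardened.append(("ccd-exclusive", []))
    if "remote-cert-eku" not in names:
        hardened.append(("remote-cert-eku", ["TLS Web Client Authentication"]))
    return hardened


def render(program, options):
    """Re-assemble a shell-safe command line from parsed options."""
    parts = [program]
    for name, args in options:
        parts.append("--" + name)
        parts.extend(args)
    return shlex.join(parts)


def run_sample():
    """Audit the constructed line; returns (findings, hardened command line)."""
    program, options = parse_options(SAMPLE_CMDLINE)
    return audit_options(options), render(program, harden_options(options))


if __name__ == "__main__":
    findings, hardened = run_sample()
    for finding in findings:
        print("finding:", finding)
    print("hardened:", hardened)
```

The client side still needs remote-cert-eku 'TLS Web Server Authentication' in its own config, as redfive's first reply says; this script only covers the server line. Because the hardened copy is rendered with shlex.join, the EKU string keeps its quoting when pasted back into a script.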

    #53004

    Hummel
    Member

    Thank you redfive,
    but I think you're right… the connection data must be strictly personal.
    Do you know a good manual for handling iptables? I have no experience with that…

    Greetings
