Using ‘client-config-dir’ files
In a setup where a single server can handle many clients, it is sometimes necessary to set
per-client options that overrule the "global" options. The client-config-dir option is very
useful for this. It allows the administrator to assign a specific IP address to a client, to push
specific options such as compression and DNS server to a client, or to temporarily disable
a client altogether.
This recipe is a continuation of the previous one. Install OpenVPN 2.1 on two computers.
For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and
the client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file,
basic-udp-server.conf, from the previous recipe at hand, as well as the client
configuration file, basic-udp-client.conf.
How to do it…
Modify the server configuration file, basic-udp-server.conf, by adding a line:
Then save it as example2-4-server.conf.
Next, create the directory for the client-config files and place a file in there with
the name of the client certificate:
[root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients
[root@server]# cd /etc/openvpn/cookbook/clients
[root@server]# echo "ifconfig-push 192.168.200.7 192.168.200.7" \
                 > openvpnclient1
This name (the certificate's common name, CN) can be retrieved from the client certificate file using:
[server]$ openssl x509 -subject -noout -in client1.crt
subject= /C=NL/O=Cookbook/CN=openvpnclient1/emailAddress=…
Start the server:
[root@server]# openvpn --config example2-4-server.conf
Start the client using the configuration file from the previous recipe:
[root@client]# openvpn --config basic-udp-client.conf
[…]
[openvpnserver] Peer Connection Initiated with openvpnserver:1194
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 192.168.200.7/24 broadcast 192.168.200.255
Initialization Sequence Completed
How it works…
When a client connects to the server with its certificate, and that certificate's common
name is openvpnclient1, the OpenVPN server checks whether there is a corresponding client
configuration file (also known as a CCD file) in the client-config-dir directory. If it exists,
it is read in as an extra set of options for that particular client. In this recipe, we use it to
assign a specific IP address to a client (although there are more flexible ways to do that). The
client is now always assigned the IP address 192.168.200.7.
Default configuration file
If the following conditions are met, then the DEFAULT file is read and processed instead:
- A client-config-dir directive is specified
- There is no matching client file for the client's certificate in that directory
- A file named DEFAULT does exist in that directory
Please note that this name is case sensitive.
Troubleshooting configuration problems with CCD files is a recurring topic on the OpenVPN
mailing lists. The most common configuration errors are as follows:
- Always specify the full path in the client-config-dir directive
- Make sure the directory is accessible and the CCD file is readable by the user that
OpenVPN runs as (nobody or openvpn in most cases)
- Make sure that the right filename is used for the CCD file, without any extension
OpenVPN 2.0 ‘net30’ compatibility
OpenVPN 2.0 does not support the directive topology subnet. It supports only the
net30 mode, where each client is assigned a ‘/30’ mini subnet containing four IP addresses.
The syntax of a CCD file in net30 mode is slightly different:
ifconfig-push 192.168.200.34 192.168.200.33
The first address is the client IP address and is at the starting point of the (randomly-chosen)
‘/30’ network 192.168.200.[32-35]. The second address is the address of the fake remote
endpoint that is never used.
This also offers a nice way to allow OpenVPN 2.0 clients to connect to a server that is
configured to use topology subnet. By creating a CCD file containing the following,
an OpenVPN 2.0 client can still connect:
push "route-gateway 192.168.200.33"
ifconfig-push 192.168.200.34 192.168.200.33
Note that the route gateway needs to be pushed explicitly, as otherwise an attempt is
made to use the VPN server IP 192.168.200.1. Also, note that there is no need to do a
push "topology net30", as the OpenVPN 2.0 client does not recognize this directive.
Allowed options in a ‘client-config-dir’ file
The following configuration options are allowed in a CCD file:
- push for pushing DNS servers, WINS servers, routes, and so on
- push-reset to overrule global push options
- iroute for routing client subnets to the server
- ifconfig-push for assigning a specific IP address, as done in this recipe
- disable for temporarily disabling a client altogether
- config for including another configuration file
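The troubleshooting list above and the list of allowed CCD directives can be turned into a quick lint of the client-config-dir. The following script is an added example, not from the book; it assumes the /etc/openvpn/cookbook/clients layout of this recipe, and it uses "readable by others" as a stand-in for "readable by the nobody/openvpn user", since it does not switch users itself.

```shell
#!/bin/sh
# Added example (not from the book): lint an OpenVPN client-config-dir
# against the pitfalls listed in this recipe.

# Directives this recipe lists as allowed inside a CCD file.
CCD_ALLOWED="push push-reset iroute ifconfig-push disable config"

# Derive the CCD filename (the certificate CN, no extension) from a line
# printed by 'openssl x509 -subject -noout'.
ccd_name_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*/CN=\([^/]*\).*|\1|p'
}

# Check one CCD file; print each problem found, return 1 if there were any.
lint_ccd_file() {
    f=$1; frc=0; name=${f##*/}
    case $name in
        *.*) echo "$f: name has an extension; OpenVPN looks for the bare CN"; frc=1 ;;
    esac
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    # OpenVPN usually drops privileges to nobody/openvpn; world-readable is
    # used here as a proxy for "readable by that user" (assumption).
    [ -n "$(find "$f" -prune -perm -004)" ] || { echo "$f: not readable by others"; frc=1; }
    while read -r directive rest || [ -n "$directive" ]; do
        case $directive in ''|'#'*|';'*) continue ;; esac   # blank or comment
        ok=0
        for a in $CCD_ALLOWED; do [ "$directive" = "$a" ] && ok=1; done
        [ $ok -eq 1 ] || { echo "$f: '$directive' is not a CCD directive"; frc=1; }
    done < "$f"
    return $frc
}

# Check the directory named by client-config-dir and every file in it.
lint_ccd_dir() {
    d=$1; drc=0
    case $d in /*) ;; *) echo "$d: client-config-dir must be a full path"; drc=1 ;; esac
    [ -d "$d" ] || { echo "$d: no such directory"; return 1; }
    [ -n "$(find "$d" -prune -perm -005)" ] || { echo "$d: not traversable by others"; drc=1; }
    for entry in "$d"/*; do
        [ -e "$entry" ] || continue
        lint_ccd_file "$entry" || drc=1
    done
    return $drc
}

# Usage: lint_ccd_dir /etc/openvpn/cookbook/clients
```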