
Using ‘client-config-dir’ files

In a setup where a single server can handle many clients, it is sometimes necessary to set
per-client options that overrule the "global" options. The client-config-dir option is very
useful for this. It allows the administrator to assign a specific IP address to a client, to push
specific options such as compression and DNS server to a client, or to temporarily disable
a client altogether.

Getting ready

This recipe is a continuation of the previous one. Install OpenVPN 2.1 on two computers.
For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and
the client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the configuration file,
basic-udp-server.conf, from the previous recipe at hand, as well as the client
configuration file, basic-udp-client.conf.

How to do it…

  1. Modify the server configuration file, basic-udp-server.conf, by adding a line:

    client-config-dir /etc/openvpn/cookbook/clients

    Then save it as example2-4-server.conf.

  2. Next, create the directory for the client-config files and place a file in there with
    the name of the client certificate:

    [root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients
    [root@server]# cd /etc/openvpn/cookbook/clients
    [root@server]# echo "ifconfig-push 192.168.200.7 192.168.200.7" \
    > openvpnclient1

  3. This name can be retrieved from the client certificate file using:

    [server]$ openssl x509 -subject -noout -in client1.crt
    subject= /C=NL/O=Cookbook/CN=openvpnclient1/emailAddress=…

  4. Start the server:

    [root@server]# openvpn --config example2-4-server.conf
  5. Start the client using the configuration file from the previous recipe:

    [root@client]# openvpn --config basic-udp-client.conf
    […]
    [openvpnserver] Peer Connection Initiated with
    openvpnserver:1194
    TUN/TAP device tun0 opened
    /sbin/ip link set dev tun0 up mtu 1500
    /sbin/ip addr add dev tun0 192.168.200.7/24 broadcast
    192.168.200.255
    Initialization Sequence Completed

How it works…

When a client connects to the server with its certificate and with the certificate’s common
name openvpnclient1, the OpenVPN server checks whether there is a corresponding client
configuration file (also known as a CCD file) in the client-config-dir directory. If it exists,
it is read in as an extra set of options for that particular client. In this recipe, we’ll use it to
assign a specific IP address to a client (although there are more flexible ways to do that). The
client is now always assigned the IP address 192.168.200.7.

There’s more…

Default configuration file

If the following conditions are met, then the DEFAULT file is read and processed instead:

  • A client-config-dir directive is specified
  • There is no matching client file for the client’s certificate in that directory
  • A file DEFAULT does exist in that directory

Please note that this name is case sensitive.

Troubleshooting

Troubleshooting configuration problems with CCD files is a recurring topic on the OpenVPN
mailing lists. The most common configuration errors are as follows:

  • Always specify the full path in the client-config-dir directive
  • Make sure the directory is accessible and the CCD file is readable by the user that
    OpenVPN runs as (nobody or openvpn in most cases)
  • Make sure that the right filename is used for the CCD file, without any extensions
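As an added example (not code from the cookbook), the shell functions below automate steps 2 and 3 of the recipe and then apply the three checks from the list above: the common name is pulled out of an "openssl x509 -subject" line (both the older /C=NL/O=Cookbook/CN=… form shown in the recipe and the newer comma-separated form), the CCD file is written under exactly that name, and the setup is verified for an absolute path, an accessible directory, and a readable file without an extension. The directory and client names used when calling the functions are assumptions.

```sh
#!/bin/sh
# Added example, not from the OpenVPN cookbook: create and check a
# client-config-dir entry. Directory and client names are assumptions.

# Print the CN from a subject line as printed by
# "openssl x509 -subject -noout". Handles both the
# "subject= /C=NL/O=Cookbook/CN=name/..." and the
# "subject=C = NL, O = Cookbook, CN = name, ..." formats.
ccd_name_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^/,]*\).*|\1|p' | sed 's/ *$//'
}

# Create the directory (if needed) and write a CCD file that pins the
# client to one address, as in the recipe (topology subnet form).
write_ccd() {
    dir=$1; cn=$2; ip=$3
    mkdir -p -m 755 "$dir" || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$ip" > "$dir/$cn" || return 1
    chmod 644 "$dir/$cn"
}

# Check a CCD setup for the three mistakes listed under Troubleshooting.
# Run it as the user OpenVPN runs as (nobody or openvpn), since only that
# account's permissions matter. Returns 0 when OpenVPN would find and
# read the file.
check_ccd() {
    dir=$1; cn=$2
    case $dir in
        /*) ;;
        *) echo "client-config-dir must be an absolute path: $dir"; return 1 ;;
    esac
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "directory not accessible: $dir"; return 1
    fi
    if [ ! -r "$dir/$cn" ]; then
        echo "no readable CCD file named $cn in $dir"
        # A file saved with an extension is silently ignored by OpenVPN.
        for f in "$dir/$cn".*; do
            [ -e "$f" ] && echo "hint: $f has an extension; rename it to $cn"
        done
        return 1
    fi
    return 0
}
```

Typical use is to pass the subject line straight from openssl, as in
write_ccd /etc/openvpn/cookbook/clients "$(ccd_name_from_subject "$(openssl x509 -subject -noout -in client1.crt)")" 192.168.200.7, followed by check_ccd with the same directory and name while running as the OpenVPN user.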

OpenVPN 2.0 ‘net30’ compatibility

OpenVPN 2.0 does not support the directive topology subnet. It supports only the
net30 mode, where each client is assigned a ‘/30’ mini subnet containing four IP addresses.
The syntax of a CCD file in net30 mode is slightly different:

ifconfig-push 192.168.200.34 192.168.200.33

The first address is the client IP address and is at the starting point of the (randomly-chosen)
‘/30’ network 192.168.200.[32-35]. The second address is the address of the fake remote
endpoint that is never used.

This also offers a nice way to allow OpenVPN 2.0 clients to connect to a server that is
configured to use topology subnet. By creating a CCD file containing the following,
an OpenVPN 2.0 client can still connect:

push "route-gateway 192.168.200.33"
ifconfig-push 192.168.200.34 192.168.200.33

Note that the route gateway needs to be pushed explicitly as otherwise an attempt is
made to use the VPN server IP 192.168.200.1. Also, note that there is no need to do a
push "topology net30" as the OpenVPN 2.0 client does not recognize this directive.
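As an added example (not from the cookbook), the shell function below produces the two CCD lines above for an OpenVPN 2.0 client from the first address of its ‘/30’: the client address is the starting point plus 2, the fake remote endpoint is the starting point plus 1, and the route gateway is pushed explicitly. It also rejects a starting address that is not a multiple of 4, because such a block is not a valid /30 and the client would fail to bring up the interface. The address passed in is an assumption.

```sh
#!/bin/sh
# Added example, not from the OpenVPN cookbook: generate net30-style CCD
# lines for an OpenVPN 2.0 client from the first address of its /30.

# Print the CCD lines that let an OpenVPN 2.0 client connect to a
# "topology subnet" server. With a /30 starting at base, the fake remote
# endpoint is base+1 and the client address is base+2, matching the
# 192.168.200.[32-35] example: gateway .33, client .34.
net30_ccd() {
    base=$1
    prefix=${base%.*}
    last=${base##*.}
    case $last in
        ''|*[!0-9]*) echo "bad IPv4 address: $base" >&2; return 1 ;;
    esac
    # A /30 covers four addresses, so its first address is a multiple of 4.
    if [ "$last" -gt 252 ] || [ $((last % 4)) -ne 0 ]; then
        echo "/30 must start at a multiple of 4 (got $base)" >&2; return 1
    fi
    printf 'push "route-gateway %s.%s"\n' "$prefix" $((last + 1))
    printf 'ifconfig-push %s.%s %s.%s\n' "$prefix" $((last + 2)) "$prefix" $((last + 1))
}
```

Redirect the output into the client's CCD file, for example net30_ccd 192.168.200.32 > /etc/openvpn/cookbook/clients/openvpnclient1, and keep each 2.0 client on its own /30 so the blocks do not overlap.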

Allowed options in a ‘client-config-dir’ file

The following configuration options are allowed in a CCD file:

  • push for pushing DNS servers, WINS servers, routes, and so on
  • push-reset to overrule global push options
  • iroute for routing client subnets to the server
  • ifconfig-push for assigning a specific IP address as done in this recipe
  • disable for temporarily disabling a client altogether
  • config for including another configuration file
