On 05/05/14 08:02, Marine B wrote:
> Good Morning,
>
> I have made an attempt at creating a new plugin for OpenVPN. My goal was
> to be able to give ip, coming from different subnet, to user from
> different group. Let me explain:
>
> You have two groups:
> Group A, where user common name follow the regex ^A* and those people
> need to have an ip in 10.0.0.0/24
> Group B, where user common name follow the regex ^B* and those people
> need to have an ip in 10.0.1.0/24

Can you please explain why it's important that these groups have different IP subnets?

Because, if it's due to access control and firewalling your VPN clients (the most common argument for doing this), a dynamic firewall is far better suited, IMO. One approach is to use the built-in packet filter. It's not too easy to work with, but here's a pretty good walk through of it:
<http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/>

...

Another approach which is much more Linux centric can be found here:
<http://www.eurephia.net/>

I can see that having your users grouped is a nice feature. But I think that should be implemented in a different layer. Perhaps make use of X.509 certificate fields (like OU/Organizational Unit). Having a group variable being passed to plug-ins/script hooks.

But it all depends on why you need different sub-nets for your user groups.

--
kind regards,

David Sommerseth