Thanks for your answers,

As you said, we would like to use those different subnets to give different
firewall rules.


I just had a rapid look at the link you gave me. Why I need this plugin is
because I don't want to have to set up the config file of each client
beforehand. I could use the link you gave me, but to add a new group you will
need to edit the client-connect script, and likewise I do not want other people
to edit it. I'm fine with them editing just the config file.

Where I work, I created two OpenVPN servers, and our Help Desk Team is
always adding new users to the VPN, and I do not want them to be allowed to
edit my server.

I'm still working on the plugin as there is still a lot to do, but I really
like the idea of using the organizational unit to define the different subnets.


2014-05-05 14:12 GMT+02:00 David Sommerseth <openvpn.l...@topphemmelig.net>:

> On 05/05/14 08:02, Marine B wrote:
> > Good Morning,
> >
> > I have made an attempt at creating a new plugin for OpenVPN. My goal was
> > to be able to give IPs, coming from different subnets, to users from
> > different groups. Let me explain:
> >
> > You have two groups:
> > Group A, where user common names follow the regex ^A* and those people
> > need to have an IP in 10.0.0.0/24
> > Group B, where user common names follow the regex ^B* and those people
> > need to have an IP in 10.0.1.0/24
>
> Can you please explain why it's important that these groups have
> different IP subnets?
>
> Because, if it's due to access control and firewalling your VPN clients
> (the most common argument for doing this), a dynamic firewall is far
> better suited, IMO.  One approach is to use the built-in packet
> filter.  It's not too easy to work with, but here's a pretty good
> walk-through of it:
> <http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/>
> ... Another approach which is much more Linux-centric can be found here:
> <http://www.eurephia.net/>
>
> I can see that having your users grouped is a nice feature.  But I think
> that should be implemented in a different layer.  Perhaps make use of
> X.509 certificate fields (like OU/Organizational Unit), having a group
> variable passed to plug-ins/script hooks.
>
> But it all depends on why you need different subnets for your user groups.
>
>
> --
> kind regards,
>
> David Sommerseth
>
>
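The thread discusses two ways of tying a client to a group-specific subnet: a plugin matching the common name against a regex, and David's suggestion of reading the certificate's OU field. The script below is an added example, not code from the thread, Marine's plugin, or the OpenVPN project, showing the OU approach as a plain client-connect hook. It relies on OpenVPN exporting the client certificate's OU to script hooks as `X509_0_OU` and the common name as `common_name`, and on the hook receiving as `$1` the temporary file whose contents become client-specific config. The group table (`GroupA`, `GroupB`), the lease directory and the lease-file format are constructed for the example; the help-desk concern from the thread (adding users without touching the server) is covered because a new user only needs a certificate issued with the right OU, not an edit to this script.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect hook that pushes an address from the
# subnet that belongs to the client's group.  The group is taken from the OU
# field of the client certificate (exported by OpenVPN as X509_0_OU; depth 0
# is the client certificate).  Group table and lease layout are constructed.

LEASE_DIR="${LEASE_DIR:-/tmp/openvpn-leases}"   # hypothetical lease directory

# Map an OU value to the /24 prefix that group may use.  Unknown groups get
# nothing, so the hook refuses the client instead of handing out an address
# from a default pool.
subnet_for_group() {
    case "$1" in
        GroupA) printf '%s\n' "10.0.0" ;;
        GroupB) printf '%s\n' "10.0.1" ;;
        *)      return 1 ;;
    esac
}

# Lowest host number in 2..254 not yet recorded in the group's lease file.
# Lease files hold one "host common_name" pair per line.
next_free_host() {
    lease_file="$1"
    h=2
    while [ "$h" -le 254 ]; do
        if ! grep -q "^$h " "$lease_file"; then
            printf '%s\n' "$h"
            return 0
        fi
        h=$((h + 1))
    done
    return 1   # pool for this group is exhausted
}

# Emit the ifconfig-push line for one client and record the lease.  Returns
# non-zero (OpenVPN then rejects the client) for an unknown OU or a full pool.
assign_address() {
    ou="$1"; cn="$2"
    prefix=$(subnet_for_group "$ou") || return 1
    mkdir -p "$LEASE_DIR"
    lease_file="$LEASE_DIR/$ou.leases"
    [ -f "$lease_file" ] || : > "$lease_file"
    # A client that reconnects keeps the address it already holds.
    host=$(awk -v cn="$cn" '$2 == cn { print $1; exit }' "$lease_file")
    if [ -z "$host" ]; then
        host=$(next_free_host "$lease_file") || return 1
        printf '%s %s\n' "$host" "$cn" >> "$lease_file"
    fi
    # Address form for "topology subnet": address plus netmask.
    printf 'ifconfig-push %s.%s 255.255.255.0\n' "$prefix" "$host"
}

# Invoked by OpenVPN as a client-connect hook: $1 is the temporary file whose
# contents are applied as client-specific configuration.
if [ -n "${1:-}" ] && [ -n "${X509_0_OU:-}" ]; then
    assign_address "$X509_0_OU" "$common_name" > "$1" || exit 1
fi
```

To wire it in, the server config needs `script-security 2` and `client-connect /path/to/this-script`, and the server's own `server` range must include both /24s (or the pushed addresses must otherwise be kept out of the dynamic pool). Firewall rules can then match on the two subnets exactly as the thread wants, while the only per-user work is issuing a certificate with the right OU. Two things worth checking in any such hook: the OU value is trusted only because the certificate was signed by your CA, so the CA must never issue certificates with an OU the requester did not earn; and a non-zero exit on an unknown OU is deliberate, since silently falling back to a default subnet would put an unclassified client behind the wrong firewall rules.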
