Nikolaos Milas wrote:
> I like your suggestion. (By the way, how did you get the output of the env
> variables you listed?)

I used a very simple shell script for this

    #!/bin/bash
    env | sort

and added

    script-security 2
    client-connect dumpenv.sh
    learn-address dumpenv.sh

to the server config.

> On 22/9/2015 8:22 PM, debbie...@gmail.com wrote:
>
>> It is *not* $ifconfig_pool_local_ip
>> it *is* $ifconfig_pool_remote_ip
>>
>> and it is available at --client-connect script execute
>>
>
> Ah, yes, I checked again, you are quite right. This is the case.
>
> Thank you for this correction!
>
> Any and all additional corrections/suggestions will be welcome.
>

you actually might be able to get away without using a local file: list the current iptables rules and count the number of VPN IP addresses linked (SNATted) to each external address. Use the external address with the lowest number of VPN IPs assigned to it to SNAT the new client to it. This would actually scale quite nicely with a varying/variable number of external IP addresses.

> I would also like to mention that the local_ip to use in the ip tables
> statement should not be the $trusted_ip but the $ifconfig_pool_local_ip,
> which, however, is not available at client-connect time, so the script
> should be run as a learn-address script. Please correct me if I'm wrong,
> or suggest otherwise.

this depends on your server setup: at client-connect time the $ifconfig_pool_remote_ip is the **suggested** IP for the client - the client-connect script itself may assign a different address, and I am not sure whether a CCD file comes before or after this script. When the learn-address script is run, the client IP is fixed, BUT there's a catch here: the learn-address script is run at three different times:

- add: right after the client-connect script
- update: whenever the client reconnects without a full re-connect. Occurs quite rarely but is definitely possible
- delete: runs right before the client-disconnect script.

You should be able to get away with just the 'add' and 'delete' commands (listed in $1) but it is probably best to do nothing when 'update' comes along.

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
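
The rule-counting SNAT selection and the add/update/delete handling described in the message above, as an added example that is not part of the original thread or of OpenVPN itself. The function names, the `EXTERNAL_IPS` pool, the sample addresses and the exact rule layout are assumptions; the script is a dry run that prints the iptables command instead of executing it.

```bash
#!/bin/bash
# Added example (not from the thread): dry-run learn-address helper.
# EXTERNAL_IPS and the rule layout are assumptions; addresses are constructed.
EXTERNAL_IPS="203.0.113.10 203.0.113.11 203.0.113.12"

# Constructed sample of `iptables -t nat -S POSTROUTING` output.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.6/32 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.8.0.10/32 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.8.0.14/32 -j SNAT --to-source 203.0.113.12'

# Print the external address with the fewest SNAT rules (first wins on ties).
# $1 = rule listing. The ( ) body keeps the variables local.
pick_external_ip() (
    best="" best_n=-1
    for ip in $EXTERNAL_IPS; do
        n=$(printf '%s\n' "$1" | awk -v ip="$ip" \
            'NF > 1 && $(NF-1) == "--to-source" && $NF == ip { c++ } END { print c + 0 }')
        if [ "$best_n" -lt 0 ] || [ "$n" -lt "$best_n" ]; then
            best=$ip best_n=$n
        fi
    done
    printf '%s\n' "$best"
)

# Print the iptables command for one learn-address call.
# $1 = operation, $2 = client VPN IP, $3 = rule listing.
learn_address_cmd() (
    # Accept only dotted IPv4 characters before building a command line.
    case "$2" in ""|*[!0-9.]*) echo "bad address: $2" >&2; exit 1 ;; esac
    case "$1" in
        add)
            ext=$(pick_external_ip "$3")
            echo "iptables -t nat -A POSTROUTING -s $2/32 -j SNAT --to-source $ext" ;;
        delete)
            # Re-emit the client's existing rule with -D so the mapping matches.
            printf '%s\n' "$3" | awk -v src="$2/32" \
                '$1 == "-A" && $4 == src { $1 = "-D"; print "iptables -t nat " $0 }' ;;
        update) ;;  # do nothing, as advised above
        *) echo "unknown operation: $1" >&2; exit 1 ;;
    esac
)

# Demo on the sample; under OpenVPN pass "$1" "$2" and the live rule listing.
learn_address_cmd add 10.8.0.18 "$SAMPLE_RULES"
learn_address_cmd delete 10.8.0.6 "$SAMPLE_RULES"
```

On a live server the third argument would be the output of `iptables -t nat -S POSTROUTING`, and the script needs enough privilege to modify the nat table.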