Hi,

On Sun, May 22, 2016 at 07:10:43PM +0300, Nikolaos Milas wrote:
> I guess we could put at a proper place a directive of the sort:
> 
>     if $virtual_client_ip ==<affected_ip_address> then
>        do not "push redirect-gateway def1 bypass-dhcp"
>        "push route xxx.xxx.xxx.xxx 255.255.255.0"
>     endif
> 
> Please advise. Thanks in advance.

Indeed you can :-) - that "proper place" would be a --client-connect
script (or plugin, but script is much easier done) which can look
at the environment variables (for starters, just call "env" in the
script, and send to a log file for debugging - "env >>/tmp/debug.out" -
remove when done) and then decide about things.

The script is passed a file name of a temporary file which is then
parsed by openvpn after script end and can contain config variables
to be applied to that client.

(If you can identify the client not by IP address but by common name,
you can use static files in the --client-config-dir directory, named
after the common name, to add config variables for this particular 
client - no scripting needed, then)


To be able to *remove* stuff from the push list, you can do two things:

 - call --push-reset, which will remove *everything* from the push list,
   and re-build all options except "push redirect-gateway"

or

 - run git master on the server, and use

     push-remove redirect-gateway
     push route xxx.xxx.xxx.xxx 255.255.255.0

push-remove is new stuff, which will selectively remove individual
options that match the parameter given.  Much nicer to work with than
push-reset (and you want git master for the server anyway, so much
nice stuff in there :) )
 
gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
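
The --client-connect approach described in the message above, sketched as an added example (not part of the original post and not code from the OpenVPN project). It assumes the client's virtual address is exposed in the `ifconfig_pool_remote_ip` environment variable (confirm with the `env` dump suggested above), a server build that supports `push-remove`, and constructed placeholder values for the affected address and the route.

```shell
#!/bin/sh
# Hypothetical --client-connect script. OpenVPN passes the path of a
# temporary file as the last argument and parses that file after the
# script exits, applying its directives to this one client only.

AFFECTED_IP="10.8.0.50"                  # constructed placeholder
SPLIT_ROUTE="192.0.2.0 255.255.255.0"    # stands in for xxx.xxx.xxx.xxx 255.255.255.0

# write_client_config VIRTUAL_IP TMPFILE
# Appends per-client directives when VIRTUAL_IP is the affected address.
# Returns non-zero if no temp file was given, so the calling script fails
# and OpenVPN rejects the connection instead of applying the default push
# list by accident.
write_client_config() {
    vip=$1
    out=$2
    [ -n "$out" ] || return 1

    # Exact string comparison: no globbing, no prefix matching.
    if [ "$vip" = "$AFFECTED_IP" ]; then
        {
            printf 'push-remove redirect-gateway\n'
            printf 'push "route %s"\n' "$SPLIT_ROUTE"
        } >> "$out"
    fi
    return 0
}

# Run only when invoked by OpenVPN with the temp file argument.
if [ -n "${1:-}" ]; then
    write_client_config "${ifconfig_pool_remote_ip:-}" "$1"
fi
```

The script needs no debug output once it works; an `env` dump left in /tmp is readable by other local users and records per-client connection details.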

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
