On 11/26/19 5:36 AM, Gert Doering wrote:
> Hi,
>
> On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
>> Is there some way to set up an OpenVPN server with multiple distinct VPN
>> segments behind a common listening port, such that I can dispatch
>> connections based on which CA signed the client certificate?
>
> With intermediate CAs, this might work. With distinct CAs that have
> nothing to do with each other, not sure how to get the server to trust
> all of them.
>
>> I've been trying to avoid having different config-files on the clients if
>> possible, but having different keys and certificates is fine.
>
> Your client certificates *could* encode different meaning into the
> DN, like
>
> client-marketing-1234
> client-tech-567
>
> and then have the client-connect script shell out client options (IP
> addresses, possibly VLANs, ...) according to the "marketing" or "tech"
> part.
Yeah--I've actually done some things with client-connect and tls-verify scripts already, e.g. dynamic DNS updates and custom logging of things like certificate expiries.

Can I actually use different *server-side* configuration options like "route" and "ifconfig-pool" for different subsets of clients of a single server instance if I feed them into the tempfile from a client-connect script?

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
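As an added example, not code posted in this thread: a POSIX sh client-connect script implementing the CN-prefix scheme Gert describes. It writes per-client options into the file OpenVPN passes as $1 (client-config-dir syntax), using ifconfig-push and push "route", which are the per-client counterparts of the server-wide ifconfig-pool and route directives, and refuses any client whose CN carries no known team prefix. The team-to-subnet table and the host-octet derivation are constructed for the example and assume "topology subnet" on the server.

```shell
#!/bin/sh
# client-connect hook: OpenVPN exports the client's CN as $common_name and
# passes a temp file as $1; whatever we write there is applied to this client.
# A non-zero exit refuses the connection.

team_of_cn() {
    # "client-marketing-1234" -> "marketing"; anything else is rejected
    case "$1" in
        client-*-*) t=${1#client-}; printf '%s\n' "${t%%-*}" ;;
        *) return 1 ;;
    esac
}

emit_client_options() {
    # $1 = common name, $2 = options file to write
    cn=$1; out=$2
    team=$(team_of_cn "$cn") || return 1
    # constructed table: one /24 per team, each routed via the tun device
    # on the server (that kernel route is not shown here)
    case "$team" in
        marketing) net=10.8.1 ;;
        tech)      net=10.8.2 ;;
        *)         return 1 ;;   # unknown team prefix: refuse the client
    esac
    # host octet from the numeric CN suffix; 2..250 avoids .0, .1 and .255
    # (collisions are possible; a real deployment keeps an explicit table)
    n=${cn##*-}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    host=$(( n % 249 + 2 ))
    {
        printf 'ifconfig-push %s.%s 255.255.255.0\n' "$net" "$host"
        printf 'push "route 192.168.%s.0 255.255.255.0"\n' "${net##*.}"
    } > "$out"
}

# Real invocation by OpenVPN: CN in the environment, temp file as $1.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    emit_client_options "$common_name" "$1" || exit 1
fi
```

Wire it in with `client-connect /path/to/this-script.sh` and `script-security 2`; the tls-verify hook is still the place to bind the expected prefix to the issuing CA before the client-connect stage runs.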