On Tue, 22 Aug 2023 08:20:24 +0000 (UTC), Jason Long via Openvpn-users
<openvpn-users@lists.sourceforge.net> wrote:

>Yes. The file under the CCD directory is exactly as the Common Name of the 
>client.

So if you have set a requirement for the client to have a ccd entry in order to
connect and this client has exactly that, of course it will be able to connect!
What is the problem?


>Yes. Why can the client connect to my OpenVPN server when the IP range is not 
>correct?

Which IP range?

Client *connect* does not depend on any specific "IP range".
If the client has a valid server IP address in its ovpn files for where the
server is listening for connections *and* the client can reach this IP, then the
server will get the connection information and check its validity, thereby
starting the connection process.

For example, if you require the clients to have ccd entries, then if a client has
a file there and all other checks validating the client are also positive, it
will be connected.

However, what it can do after it has connected depends on all your *other*
config items which you fail to show...
And based on all your other posts here you are trying to misuse the OpenVPN
server in ways that are non-standard to say the least...

Regarding the ccd operations, I have 3 classes of VPN clients connecting using
*different* *ports* on the server's single IP address. So my server hardware has
a single NIC, reached from the Internet via port forwarding on the gateway
router.
And the OpenVPN server runs several service instances on the different ports.
Each port is served by a *different* openvpn server instance defined by its own
conf file under /etc/openvpn/server/.

These servers use *different* ccd directories like /etc/openvpn/ccd_server1,
/etc/openvpn/ccd_server2 and /etc/openvpn/ccd_server3 (obviously my names are
not exactly these, but they are different from each other).
AND in each server instance conf file the ccd dir is defined by a line with *the
full path* to the dir to use, all different and *unique* to that server
instance. Your example shows a single dir name without any path information,
which is bad programming IMV.

My 3 different classes of clients are:
- Full access clients routed to *both* the internal server side LAN and the
Internet. These act like they were located on the office LAN.

- Local access clients are only routed to the LAN but not back out to the
Internet. They use their own Internet gateway for all other access.
Used by people needing access to company resources on the LAN but who do not
need to take extra steps for Internet access.

- Web access clients are only routed back out to the Internet and cannot access
the LAN. This is how the commercial VPN services work to circumvent geoblocking.
I use this for a few people that need to be located inside our country for some
web access and we do not want to use any insecure commercial service for that.


-- 
Bo Berglund
Developer in Sweden



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

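Added example, not part of the message above and not Bo's actual configuration: a POSIX shell script that lays out the multi-instance arrangement he describes (one conf per port under /etc/openvpn/server/, each pointing at its own client-config-dir by absolute path, with ccd-exclusive so a client without a ccd file named after its CN is refused) and then checks the two things he insists on, that every instance's ccd path is absolute and that no two instances share one. Everything in it is constructed for the demo: it writes into a temporary directory standing in for /, and the ports 1194-1196, tun subnets, the LAN prefix 192.168.10.0/24, the directory names ccd_full/ccd_lan/ccd_web and the CN alice.example are all assumptions. Certificates and keys are left out because they do not affect the ccd point.

```sh
#!/bin/sh
# Added example (not from the original post): build three OpenVPN server
# instances as described in the thread and check their client-config-dir
# settings. All paths, ports, subnets and the CN below are constructed.
set -eu

ROOT="$(mktemp -d)"                 # stand-in for the real filesystem root
CONFDIR="$ROOT/etc/openvpn/server"  # where openvpn-server@<name> reads <name>.conf
mkdir -p "$CONFDIR"

# write_instance NAME PORT TUN-SUBNET PUSH-DIRECTIVE...
# Minimal server conf; ca/cert/key/dh omitted as irrelevant to the ccd point.
write_instance() {
    name="$1"; port="$2"; subnet="$3"; shift 3
    ccd="$ROOT/etc/openvpn/ccd_$name"
    mkdir -p "$ccd"
    {
        printf 'port %s\nproto udp\ndev tun\n' "$port"
        printf 'server %s 255.255.255.0\n' "$subnet"
        printf 'client-config-dir %s\n' "$ccd"   # absolute path, unique per instance
        printf 'ccd-exclusive\n'                  # no ccd file for the CN => connection refused
        for p in "$@"; do printf 'push "%s"\n' "$p"; done
    } > "$CONFDIR/$name.conf"
}

# The three client classes from the message. What a client may reach after it
# has connected is decided by these push lines (and the server's firewall),
# not by the mere existence of its ccd file.
write_instance full 1194 10.8.0.0 "redirect-gateway def1" "route 192.168.10.0 255.255.255.0"
write_instance lan  1195 10.8.1.0 "route 192.168.10.0 255.255.255.0"
write_instance web  1196 10.8.2.0 "redirect-gateway def1"
# Keeping the "web" class off the LAN additionally needs a server-side firewall
# rule on that instance's tun device; the thread does not show one, nor does this.

# A ccd file named exactly after the client certificate's CN (constructed).
printf 'ifconfig-push 10.8.1.10 255.255.255.0\n' > "$ROOT/etc/openvpn/ccd_lan/alice.example"

# ccd_dir_of CONF -> prints the client-config-dir value; fails if the conf has none
ccd_dir_of() {
    while read -r key val rest; do
        if [ "$key" = "client-config-dir" ]; then printf '%s\n' "$val"; return 0; fi
    done < "$1"
    return 1
}

# check_ccd_dirs CONFDIR -> 0 if every *.conf names an absolute, unique
# client-config-dir; 1 otherwise, with the offenders reported on stderr
check_ccd_dirs() {
    rc=0; seen=" "
    for conf in "$1"/*.conf; do
        n="${conf##*/}"
        if ! d="$(ccd_dir_of "$conf")"; then
            echo "$n: no client-config-dir; with ccd-exclusive every client would be refused" >&2
            rc=1; continue
        fi
        case "$d" in
            /*) ;;
            *) echo "$n: '$d' is relative; openvpn resolves it against its working directory (or --cd), not the conf file's location" >&2; rc=1 ;;
        esac
        case "$seen" in
            *" $d "*) echo "$n: '$d' is also used by another instance" >&2; rc=1 ;;
        esac
        seen="$seen$d "
    done
    return $rc
}

# has_ccd_entry CONF CN -> 0 if the instance's ccd dir holds a file for CN,
# i.e. the ccd-exclusive check would let this client proceed
has_ccd_entry() {
    d="$(ccd_dir_of "$1")" && [ -f "$d/$2" ]
}

check_ccd_dirs "$CONFDIR"
has_ccd_entry "$CONFDIR/lan.conf" alice.example && echo "alice.example passes the ccd check on the lan instance only"
```

Run it as-is to see the three generated conf files under the temporary root; to audit a real server, call check_ccd_dirs /etc/openvpn/server instead. A relative client-config-dir is the failure mode the thread is circling: the same bare name in three instance confs would silently point all three at the same directory, so a CN with a ccd file in "the" directory would be accepted by every instance.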