In a setup where a single server handles many clients, it is sometimes necessary to set per-client options that overrule the global options. The client-config-dir option is very useful for this. It allows the administrator to assign a specific IP address to a client; to push specific options, such as compression and DNS server, to a client; or to temporarily disable a client altogether.
This recipe is a continuation of the previous one. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 20 Linux and OpenVPN 2.3.9. Keep the server configuration file, basic-udp-server.conf, at hand along with the client configuration file, basic-udp-client.conf, from the Server-side routing recipe.
Modify the server configuration file, basic-udp-server.conf, by adding a line:
    client-config-dir /etc/openvpn/cookbook/clients
Then save it as example2-5-server.conf.
Next, create the client-config-dir directory and place a file in there named after the common name of the client certificate. This file needs to contain a single line with the IP address for the client listed twice:
    [root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients
    [root@server]# cd /etc/openvpn/cookbook/clients
    [root@server]# echo "ifconfig-push 10.200.0.7 10.200.0.7" > client1
The common name (CN) of the client certificate, which the file name must match exactly, can be read from the certificate itself:
    [server]$ openssl x509 -subject -noout -in client1.crt
    subject= /C=US/O=Cookbook 2.4/CN=client1
Start the server:
    [root@server]# openvpn --config example2-5-server.conf
Next, start the client:
    [root@client]# openvpn --config basic-udp-client.conf
    [...]
    [openvpnserver] Peer Connection Initiated with [AF_INET]openvpnserver:1194
    TUN/TAP device tun0 opened
    do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    /usr/sbin/ip link set dev tun0 up mtu 1500
    /usr/sbin/ip addr add dev tun0 10.200.0.7/24 broadcast 10.200.0.255
    Initialization Sequence Completed
When a client connects to the server with its certificate, whose common name is client1, the OpenVPN server checks whether there is a corresponding client configuration file (also known as a CCD file) in the client-config-dir directory. If it exists, it is read in as an extra set of options for that particular client. In this recipe, we use it to assign a specific IP address to a client (although there are more flexible ways to do that). The client is now always assigned the IP address 10.200.0.7.
The client configuration file contains a single line, ifconfig-push 10.200.0.7 10.200.0.7, which instructs the OpenVPN server to push the client IP address 10.200.0.7 to this particular client. The IP address needs to be listed twice, which is mostly due to the legacy of topology net30 mode. In this mode, which is still the default in OpenVPN 2.3, a remote endpoint address is always needed and it has to lie in the same /30 as the client's VPN IP address; only the two middle addresses of that /30 are usable, so valid pairs look like 10.200.0.5 10.200.0.6 or 10.200.0.9 10.200.0.10. In topology subnet mode, it suffices to list the client's VPN IP address twice, or to list the client's VPN IP address followed by a netmask, for example ifconfig-push 10.200.0.7 255.255.255.0.
There are a couple of useful tricks to keep in mind when using client configuration files. Some of these tricks are explained here.
If the following conditions are met, then the DEFAULT file is read and processed instead:
- the client-config-dir directive is specified
- no file named after the connecting client's certificate common name exists in that directory
- a file named DEFAULT does exist in that directory
Please note that this name is case-sensitive.
Troubleshooting configuration problems with CCD files is a recurring topic on the OpenVPN mailing lists. The most common configuration errors are as follows:
- The client-config-dir directive is missing, or points at a directory the running server cannot find (with chroot, the directory must be inside the chroot, because CCD files are opened per connection, after the chroot has taken place)
- The file name does not match the common name of the client certificate exactly (the match is case-sensitive)
- The CCD files are not readable by the unprivileged user the OpenVPN server runs as after it has dropped root privileges (nobody or openvpn in most cases)
The following configuration options are allowed in a CCD file:
- push: used for pushing DNS servers, WINS servers, routes, and so on
- push-reset: used to overrule the global push options
- iroute: used for routing client subnets to the server
- ifconfig-push: used for assigning a specific IP address, as done in this recipe
- disable: used for temporarily disabling a client altogether
- config: used for including another configuration file
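As an added example (not code from the cookbook or from OpenVPN itself), here is a small POSIX shell linter for a client-config-dir that mechanically checks the points raised above before the server is restarted: it rejects directives that are not allowed in a CCD file, checks that ifconfig-push carries its address pair and, for topology net30, that the pair is a usable /30 as explained above, and flags a directory or file that the unprivileged user (nobody or openvpn) would not be able to read. The script name, the function names, the sample file contents and the "world-readable" approximation of the permission check are this example's own assumptions; ccd_file_for_cert is the only part that needs openssl and a real certificate.

```shell
#!/bin/sh
# ccd-lint: sanity-check an OpenVPN client-config-dir before (re)starting the
# server. Added example for this recipe, not part of OpenVPN or the cookbook.
# Assumptions made here: the directive list below is the one the recipe gives,
# the net30 rule is the "successive /30 subnets" rule from the OpenVPN manual,
# and "readable by the OpenVPN user" is approximated by the world-read bits.

# Directives OpenVPN accepts inside a CCD file.
CCD_ALLOWED="push push-reset iroute ifconfig-push disable config"

# Dotted quad -> integer, so the /30 check can use plain shell arithmetic.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# topology net30 gives each client its own /30, and the only usable pair in it
# is the second and third address (x.x.x.4n+1 and x.x.x.4n+2), in either order.
net30_pair_ok() {
    local a b lo hi
    a=$(ip2int "$1"); b=$(ip2int "$2")
    [ "$a" -ne "$b" ] || return 1
    [ $(( a / 4 )) -eq $(( b / 4 )) ] || return 1           # same /30
    if [ "$a" -lt "$b" ]; then lo=$a; hi=$b; else lo=$b; hi=$a; fi
    [ $(( lo % 4 )) -eq 1 ] && [ $(( hi % 4 )) -eq 2 ]
}

# Lint one CCD file for the given topology (net30 or subnet).
# Prints every problem found and returns 1 if there was any.
lint_file() {
    local file="$1" topology="$2" rc=0 directive rest
    while read -r directive rest || [ -n "$directive" ]; do
        case "$directive" in ''|'#'*|';'*) continue ;; esac   # blank or comment
        case " $CCD_ALLOWED " in
            *" $directive "*) ;;
            *) echo "$file: '$directive' is not allowed in a CCD file"; rc=1 ;;
        esac
        if [ "$directive" = ifconfig-push ]; then
            set -- $rest                                       # split its arguments
            if [ $# -lt 2 ] || [ $# -gt 3 ]; then
                echo "$file: ifconfig-push needs an address plus endpoint/netmask"; rc=1
            elif [ "$topology" = net30 ] && ! net30_pair_ok "$1" "$2"; then
                echo "$file: $1 $2 is not a usable /30 pair for topology net30"; rc=1
            fi
        fi
    done < "$file"
    return $rc
}

# Lint every file in DIR. OpenVPN opens CCD files per connection, after it has
# dropped root to the --user account (nobody or openvpn in most cases), so the
# directory must be searchable and each file readable by that user; without
# switching users we approximate that by requiring the "other" permission bits.
lint_dir() {
    local dir="$1" topology="${2:-subnet}" rc=0 f
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    if [ -z "$(find "$dir" -prune -perm -005)" ]; then        # o=rx
        echo "$dir: not searchable by the unprivileged OpenVPN user"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -z "$(find "$f" -prune -perm -004)" ]; then      # o=r
            echo "$f: not readable by the unprivileged OpenVPN user"; rc=1
        fi
        lint_file "$f" "$topology" || rc=1
    done
    return $rc
}

# The file name must equal the certificate's CN exactly (case-sensitive):
# print the CCD file that a given client certificate would select, if any.
ccd_file_for_cert() {
    local cn
    cn=$(openssl x509 -noout -subject -nameopt sep_multiline -in "$2" | sed -n 's/^ *CN=//p')
    [ -n "$cn" ] && [ -f "$1/$cn" ] && echo "$1/$cn"
}

# Command-line use: sh ccd-lint.sh /etc/openvpn/cookbook/clients [net30|subnet]
if [ $# -gt 0 ]; then
    lint_dir "$1" "${2:-subnet}" && echo "$1: ok"
fi
```

Run it as sh ccd-lint.sh /etc/openvpn/cookbook/clients net30 (or subnet, matching the server's topology directive) before restarting the server; a clean directory prints only the final ok line, and every reported problem names the file it was found in.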