Using client-config-dir files

In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that overrule the global options. The client-config-dir option is very useful for this. It allows the administrator to assign a specific IP address to a client; to push specific options, such as compression and DNS server, to a client; or to temporarily disable a client altogether.

Getting ready

This recipe is a continuation of the previous one. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 20 Linux and OpenVPN 2.3.9. Keep the server configuration file, basic-udp-server.conf, at hand along with the client configuration file, basic-udp-client.conf, from the Server-side routing recipe.

How to do it...

  1. Modify the server configuration file, basic-udp-server.conf, by adding a line:
        client-config-dir /etc/openvpn/cookbook/clients
    

    Then save it as example2-5-server.conf.

  2. Next, create the directory for the client-config files and place a file in there with the name of the client certificate. This file needs to contain a single line with the IP address for the client listed twice:
          [root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients
          [root@server]# cd /etc/openvpn/cookbook/clients
          [root@server]# echo "ifconfig-push 10.200.0.7 10.200.0.7" 
            > client1
    
  3. This name can be retrieved from the client certificate file using the following:
          [server]$ openssl x509 -subject -noout -in client1.crt
    subject= /C=US/O=Cookbook 2.4/CN=client1
    
  4. Start the server:
          [root@server]# openvpn --config example2-5-server.conf
    
  5. Start the client using the configuration file from the previous recipe:
          [root@client]# openvpn --config basic-udp-client.conf
    [...]
    [openvpnserver] Peer Connection Initiated with 
              [AF_INET]openvpnserver:1194
    TUN/TAP device tun0 opened
    do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    /usr/sbin/ip link set dev tun0 up mtu 1500
    /usr/sbin/ip addr add dev tun0 10.200.0.7/24 broadcast 
              10.200.0.255
    Initialization Sequence Completed
    

How it works...

When a client connects to the server with its certificate and with the certificate's common name client1, the OpenVPN server checks whether there is a corresponding client configuration file (also known as a CCD file) in the client-config-dir directory. If it exists, it is read in as an extra set of options for that particular client. In this recipe, we use it to assign a specific IP address to a client (although there are more flexible ways to do that). The client is now always assigned the IP address 10.200.0.7.

The client configuration file contains a single line, ifconfig-push 10.200.0.7 10.200.0.7, which instructs the OpenVPN server to push the client IP address 10.200.0.7 to this particular client. The IP address needs to be listed twice, which is mostly due to the legacy of topology net30 mode.

In this mode, which is still the default in OpenVPN 2.3, a remote endpoint address is always needed and it needs to be within a /30 network range of the client's VPN IP address. In topology subnet mode, it suffices to list the client's VPN IP address twice, or to list the client's VPN IP address followed by a netmask.

There's more...

There are a couple of useful tricks to keep in mind when using client configuration files. Some of these tricks are explained here.

The default configuration file

If the following conditions are met, then the DEFAULT file is read and processed instead:

  • client-config-dir directive is specified
  • There is no matching client file for the client's certificate in that directory
  • A file called DEFAULT does exist in that directory

Please note that this name is case-sensitive.

Troubleshooting

Troubleshooting configuration problems with CCD files is a recurring topic on the OpenVPN mailing lists. The most common configuration errors are as follows:

  • Always specify the full path in the client-config-dir directive
  • Make sure the directory is accessible and the CCD file, is readable to the user which is used to run OpenVPN (nobody or openvpn in most cases)
  • Make sure that the right filename is used for the CCD file, without any extensions

Options allowed in a client-config-dir file

The following configuration options are allowed in a CCD file:

  • push: This option is used for pushing DNS servers, WINS servers, routes, and so on
  • push-reset: This option is used to overrule global push options
  • iroute: This option is used for routing client subnets to the server
  • ifconfig-push: This option is used for assigning a specific IP address, as done in this recipe
  • disable: This option is used for temporarily disabling a client altogether
  • config: This option is used for including another configuration file
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.142.135.34