In this recipe, we will use an ifconfig-pool block to separate regular VPN clients from administrative VPN clients: regular clients receive their addresses from the pool, while each administrative client is given a fixed address in a different subnet through a CCD file. Because the two groups then reach the server from distinct source subnets, it becomes easy to set up different firewall rules for administrative users.
This recipe uses the PKI files created in the first recipe of this chapter. Install OpenVPN 2.3.9 or higher on the server and on the client computers, and make sure they are connected over a network. For this recipe, the server was running CentOS 6 Linux with OpenVPN 2.3.9. The regular VPN client was running Windows 7 64-bit with OpenVPN 2.3.11 and was assigned an address on the 192.168.200.0 network. The administrative VPN client was running Fedora 20 Linux with OpenVPN 2.3.9 and was on the 192.168.202.0 network. Keep the client configuration file, basic-udp-client.conf, from the Server-side routing recipe at hand.
The network layout is as follows: the server's VPN address is 192.168.200.1 on the 192.168.200.0/24 network, regular clients receive an address from the ifconfig-pool range 192.168.200.100 to 192.168.200.120, and the administrative client is assigned 192.168.202.6 on the 192.168.202.0/24 network. Both ranges fall inside the 192.168.200.0/21 network that is routed over the tunnel.

Create the server configuration file:

proto udp
port 1194
dev tun
mode server
ifconfig 192.168.200.1 255.255.255.0
ifconfig-pool 192.168.200.100 192.168.200.120
route 192.168.200.0 255.255.248.0 192.168.200.1
push "route 192.168.200.1"
push "route 192.168.200.0 255.255.248.0"

ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/server.crt
key /etc/openvpn/cookbook/server.key
dh /etc/openvpn/cookbook/dh2048.pem
tls-auth /etc/openvpn/cookbook/ta.key 0

persist-key
persist-tun
keepalive 10 60

topology subnet
push "topology subnet"

user nobody
group nobody # use "group nogroup" on some distros
daemon
log-append /var/log/openvpn.log

client-config-dir /etc/openvpn/cookbook/clients

Then save it as example2-9-server.conf.

Start the server:

[root@server]# openvpn --config example2-9-server.conf

Next, create the client-config-dir and the CCD file for the administrative client:

[root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients
[root@server]# cd /etc/openvpn/cookbook/clients
[root@server]# echo "ifconfig-push 192.168.202.6 192.168.202.6" > client1
Note that the client VPN address is listed twice. This is not a typo; for more details on this, refer to the previous recipe. Also note that the name of the CCD file, client1, must match the common name (CN) of the administrative client's certificate: the server looks the file up by CN after the client has authenticated, so a misnamed file is silently ignored and the client gets a pool address instead.
The clients directory needs to be world-readable, as the OpenVPN server process will run as user nobody after starting up.

Start the administrative client:

[root@AdminClient]# openvpn --config basic-udp-client.conf
[...]
[openvpnserver] Peer Connection Initiated with openvpnserver:1194
TUN/TAP device tun0 opened
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/usr/sbin/ip link set dev tun0 up mtu 1500
/usr/sbin/ip addr add dev tun0 192.168.202.6/24 broadcast 192.168.200.255
Initialization Sequence Completed

The administrative client has been assigned the address from its CCD file, 192.168.202.6, rather than one from the ifconfig-pool range.
Next, create the configuration file for the regular Windows client:

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind

ca "c:/program files/openvpn/config/ca.crt"
cert "c:/program files/openvpn/config/client2.crt"
key "c:/program files/openvpn/config/client2.key"
tls-auth "c:/program files/openvpn/config/ta.key" 1

remote-cert-tls server

Save it as basic-udp-client.ovpn. Transfer this file and the ca.crt, client2.crt, and client2.key files, along with the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as winscp or the PuTTY pscp command-line tool. Start the Windows client; it receives an address from the ifconfig-pool range (here, 192.168.200.102).

Verify that both clients can reach the server and each other:

[AdminClient]$ ping 192.168.200.1
[AdminClient]$ ping 192.168.200.102

[WinClient]C:> ping 192.168.200.1
[WinClient]C:> ping 192.168.202.6
A server configuration file normally uses the following directive to configure a range of IP addresses for the clients:

server 192.168.200.0 255.255.255.0

For the default net30 topology, this directive is internally expanded to roughly the following (with topology subnet the expansion differs in detail: ifconfig and ifconfig-pool are given with a netmask, the pool runs from .2 to .253, and a route-gateway pointing at the server address is pushed):

mode server
tls-server
ifconfig 192.168.200.1 192.168.200.2
ifconfig-pool 192.168.200.4 192.168.200.251
route 192.168.200.0 255.255.255.0
push "route 192.168.200.1"
if (topology==subnet) push "topology subnet"

So, by not using the server directive, but by specifying our own ifconfig-pool range, we can override this behavior. We then use a CCD file to assign an IP address to the administrative client that falls outside of the ifconfig-pool range; if it fell inside the range, the same address could also be handed out to a regular client. By using the appropriate route and push "route" statements, we ensure that all clients are able to ping each other: the administrative address 192.168.202.6 lies inside the 192.168.200.0/21 network covered by these statements, whereas an address outside it would be assigned but unreachable for the other clients.

Note that we also need to explicitly push the topology in this case, as this is no longer done automatically by the server directive.
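The rules just described (a CCD address must lie outside the pool, inside the routed network, must not be the server's own address, and the CCD file must be readable by the unprivileged user the server drops to) are easy to get wrong by hand. The following script is an added example, not code from the book or from OpenVPN, that checks a server configuration file and a client-config-dir against them. It uses only the directive names from this recipe; the temporary fixture directory and the client3 and client4 CCD files it builds are constructed test data, not part of the recipe.

```shell
#!/bin/sh
# Added example (not from the book or from OpenVPN): sanity-check an address
# plan that mixes an ifconfig-pool range with ifconfig-push assignments from
# CCD files.  A CCD address must lie outside the pool (or it can be handed out
# twice), inside the network covered by 'route' (or other clients cannot
# reach it), must not be the server's own address, and the CCD file must be
# readable by the unprivileged user the server drops to ('user nobody').
# The CCD file name must equal the common name of the client certificate.

# Dotted quad -> 32-bit integer, so addresses can be compared and masked.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the arguments of the first occurrence of a directive in a config
# file.  'push "route ..."' lines start with 'push', so a lookup for 'route'
# only returns the server-side route.
directive() {
    awk -v n="$2" '$1 == n { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_ccd <server.conf> <client-config-dir>
# Prints one line per problem found and returns 1 if there was any.
check_ccd() {
    conf=$1; ccd=$2; rc=0; seen=" "
    set -- $(directive "$conf" ifconfig);      server=$(ip2int "$1")
    set -- $(directive "$conf" ifconfig-pool); pool_lo=$(ip2int "$1"); pool_hi=$(ip2int "$2")
    set -- $(directive "$conf" route);         net=$(ip2int "$1");    mask=$(ip2int "$2")
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        set -- $(directive "$f" ifconfig-push)
        [ -n "${1:-}" ] || continue          # CCD file without a fixed address
        a=$(ip2int "$1")
        if [ "$a" -ge "$pool_lo" ] && [ "$a" -le "$pool_hi" ]; then
            echo "$f: $1 lies inside the ifconfig-pool range"; rc=1
        fi
        if [ $(( a & mask )) -ne $(( net & mask )) ]; then
            echo "$f: $1 is outside the routed network"; rc=1
        fi
        if [ "$a" -eq "$server" ]; then
            echo "$f: $1 is the server's own address"; rc=1
        fi
        case "$seen" in *" $1 "*) echo "$f: $1 is assigned twice"; rc=1;; esac
        seen="$seen$1 "
        # Others-read bit: the server runs as 'nobody' once it has started.
        case $(ls -ld "$f" | cut -c8) in
            r) ;;
            *) echo "$f: not world-readable, 'user nobody' cannot open it"; rc=1;;
        esac
    done
    return $rc
}

# Constructed fixtures: the recipe's directives plus one deliberately broken
# CCD directory.  Prints the temporary directory it created.
make_fixtures() {
    d=$(mktemp -d)
    cat > "$d/server.conf" <<'EOF'
ifconfig 192.168.200.1 255.255.255.0
ifconfig-pool 192.168.200.100 192.168.200.120
route 192.168.200.0 255.255.248.0 192.168.200.1
push "route 192.168.200.0 255.255.248.0"
topology subnet
EOF
    mkdir -m 755 "$d/clients" "$d/clients-bad"
    echo "ifconfig-push 192.168.202.6 192.168.202.6" > "$d/clients/client1"       # as in the recipe
    echo "ifconfig-push 192.168.200.105 255.255.255.0" > "$d/clients-bad/client3" # inside the pool
    echo "ifconfig-push 192.168.210.5 255.255.255.0" > "$d/clients-bad/client4"   # outside the /21
    chmod 644 "$d"/clients/* "$d"/clients-bad/*
    chmod 600 "$d/clients-bad/client4"                                            # unreadable for 'nobody'
    echo "$d"
}

# Usage: check_ccd /etc/openvpn/cookbook/example2-9-server.conf /etc/openvpn/cookbook/clients
# Run with 'demo' as the argument to exercise the constructed fixtures.
if [ "${1:-}" = demo ]; then
    dir=$(make_fixtures)
    check_ccd "$dir/server.conf" "$dir/clients" && echo "clients: OK"
    check_ccd "$dir/server.conf" "$dir/clients-bad" || echo "clients-bad: problems found"
fi
```

Run it against the live files before restarting the server after every CCD change; the permission check is the one that bites in practice, because a root shell can read the file fine while the server, running as nobody, cannot.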
There are a few more details worth noting about these configuration files.

The OpenVPN GUI application on Windows always starts in the directory:

C:\Program Files\OpenVPN\config

Or, C:\Program Files (x86)\... when using the 32-bit version of OpenVPN on 64-bit versions of Windows. Thus, the directory paths in the basic-udp-client.ovpn configuration file can be omitted:

ca ca.crt
cert client2.crt
key client2.key
tls-auth ta.key 1
With this setup, the VPN clients can connect to each other even though we did not make use of the following directive in the server-side configuration:

client-to-client

This is possible due to the route and push "route" statements in the server configuration file: a packet from one client to another leaves the tunnel on the server's tun interface, is forwarded by the kernel, and re-enters the tunnel towards the other client. The advantage of not using client-to-client is that this traffic passes through the server's IP stack, so it is still possible to filter out unwanted traffic using iptables or another firewalling solution. With client-to-client, OpenVPN forwards such packets internally and the kernel firewall never sees them. Because the server drops packets whose source address does not match the address it assigned to the sending client, rules that match on the 192.168.200.0/24 and 192.168.202.0/24 source subnets cannot be defeated by a client that configures a different address on its tun interface.

If there is no need for the administrative clients to connect to the regular VPN clients (or vice versa), then the netmask can be adjusted to:

route 192.168.200.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"

Now, the networks are separated at the routing level: regular clients are no longer told how to reach the 192.168.202.0 network and vice versa. Note that the server itself still needs a route towards the 192.168.202.0 network over the tunnel in order to answer the administrative client; only the push "route" lines decide what the clients learn. This separation is a convenience, not a security boundary, as a client can add such a route itself; where the separation must be enforced, add the corresponding firewall rules on the server.
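The firewall rules that the recipe makes possible are not shown in the book; the following is an added example, not code from the book or from OpenVPN, of a FORWARD-chain ruleset for exactly this address plan. It assumes the VPN interface is tun0, that IP forwarding is enabled on the server, and that 10.198.0.0/16 is the LAN behind the server that regular clients are allowed to reach; that LAN is an assumption, not something this recipe specifies. The function only emits the ruleset in iptables-restore format, so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example (not from the book): a FORWARD-chain ruleset for the address
# plan of this recipe.  It only works because the server has no
# 'client-to-client': inter-client packets then pass through the kernel,
# where iptables sees them.  OpenVPN drops packets whose source address is
# not the one it assigned to that client, so matching on the source subnet
# is reliable.  Requires net.ipv4.ip_forward=1 on the server.

TUN=${TUN:-tun0}                 # assumption: the server's VPN interface
CLIENT_NET=192.168.200.0/24      # ifconfig-pool range (regular clients)
ADMIN_NET=192.168.202.0/24       # CCD-assigned administrative clients
LAN=${LAN:-10.198.0.0/16}        # assumption: LAN behind the server, not from the recipe

# Emit the rules in iptables-restore format; nothing is applied here.
vpn_forward_rules() {
    cat <<EOF
*filter
:VPN-FWD - [0:0]
# Everything forwarded to or from the VPN goes through one chain.
-A FORWARD -i $TUN -j VPN-FWD
-A FORWARD -o $TUN -j VPN-FWD
# Replies to connections that were already allowed (this also lets a
# regular client answer an administrator who connected to it).
-A VPN-FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Administrative clients may reach the LAN and the regular clients.
-A VPN-FWD -i $TUN -s $ADMIN_NET -j ACCEPT
# Regular clients may not initiate anything towards the administrators...
-A VPN-FWD -i $TUN -s $CLIENT_NET -d $ADMIN_NET -j LOG --log-prefix "vpn-client-to-admin: "
-A VPN-FWD -i $TUN -s $CLIENT_NET -d $ADMIN_NET -j DROP
# ...but may reach the LAN.
-A VPN-FWD -i $TUN -s $CLIENT_NET -d $LAN -j ACCEPT
# Default: anything else forwarded over the VPN (including new connections
# from the LAN towards any client) is dropped.
-A VPN-FWD -j DROP
COMMIT
EOF
}

# Load the rules into the running kernel without touching other tables
# (needs root).  The chain is appended to, so flush VPN-FWD before re-running.
vpn_forward_apply() {
    vpn_forward_rules | iptables-restore --noflush
}

# Usage: sh this-script.sh > vpn-forward.rules   (review), or
#        sh this-script.sh apply                 (as root)
case "${1:-}" in
    apply) vpn_forward_apply ;;
    show)  vpn_forward_rules ;;
esac
```

The order of the rules is what carries the policy: the conntrack rule comes first so that return traffic for accepted connections is never blocked, the administrative subnet is accepted before any client rule, and the explicit client-to-admin DROP sits before the LAN ACCEPT so that widening LAN later cannot accidentally open a path to the administrators.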