Fixed IPs for OpenVPN Clients
November 7, 2013 at 11:50 am #43776
Hummel
Member
Hello.
I created a fine working Zeroshell-VPN System with X.509 authentication.
Now I want to connect users with fixed IPs to the VPN network. I created the directory “ccd” in the correct path and created a client config document (just how this example explains). After adding “--client-config-dir /DB/_DB.002/var/registered/system/openvpn/ccd” to the command line I tested the configuration.
But Zeroshell always assigns IP addresses from the automatic client IP address assignment pool. (My client IP is not in that pool.)
Has anybody tried the same or can help me?
Thanks 🙂
November 7, 2013 at 6:26 pm #53000
redfive
Participant
My functioning config has been done as follows. I created the dir ccd in /Database/etc,
mkdir /Database/etc/ccd
then for each user a file has been created, e.g. foo
vi /Database/etc/ccd/foo
that contains
ifconfig-push 192.168.250.10 255.255.255.224
In this sample, foo is the username; if you use only X.509, specify the CN of the client certificate. In the command line parameters
--client-config-dir /Database/etc/ccd
you could also add
--ccd-exclusive --remote-cert-eku 'TLS Web Client Authentication'
The first parameter tells the server to accept connections only from clients for which a configuration file has been created in the ccd directory, while the second one accepts connections only from clients whose certificate has TLS Web Client Authentication as extended key usage. In the client config (the file on the client) also add
remote-cert-eku 'TLS Web Server Authentication'
to avoid the “MITM” warning
greetings
November 8, 2013 at 9:30 am #53001
Hummel
Member
Hey redfive,
thanks a lot for your answer. I tried a lot of times to solve the MITM warning, but was not able to handle that problem… 😮
My question about your configuration is: how do you log in to OpenVPN?
I created a Kerberos 5 realm and log in with “user@domain” and password… then I get an IP from the pool I specified in the Zeroshell web platform. When I log in with “user” and password, then I get the IP from the user-specific ccd file.
I don't know what the Kerberos realm is for in this situation?
Edit:
I changed Zeroshell from “X.509 & Password” to “only X.509” authentication and everything works fine, fast and without warning.
November 8, 2013 at 12:12 pm #53002
Hummel
Member
I have noticed a new problem…
I can connect to OpenVPN as a user, get the fixed user IP and stay connected. While this is the case, I am able to connect the same user from another PC and get the same OpenVPN IP……
How is that possible, or how can I solve this problem? I want only one connection per user to be allowed…
November 8, 2013 at 5:58 pm #53003redfive
ParticipantI think it makes no sense sharing the same user/pwd or digital certificates , since both should be strictly personals !! Over that , using the static ip address assignement , based on username or certificate and then share these data…
I use this config. for having a control on “authorization network” ( via iptables), foo , with its own ip address while connected via vpn can go there (nas as well as ip-cam), while mickey mouse can’t , he can only access an internal web server…
anyway , to avoid the use at the same time of the same certificate ( i use X509+pwd) , I copied in /Database the file vpn_start , located in the /root/kerbynet.cgi/scripts/ directory , then I have removed the parameter –duplicate-cn , saved and in preboot I’ve added this line
cp -r /Database/vpn_start /root/kerbynet.cgi/scripts/vpn_start
I hope this can help
greetings
November 12, 2013 at 1:24 pm #53004
Hummel
Member
Thank you redfive,
but I think you're right… the connection data must be strictly personal.
Do you know a good manual for handling iptables? I have no experience with that…
greetings
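
The ccd layout redfive describes above (one file per username or certificate CN, each holding an ifconfig-push line) can be checked before it is relied on for per-address iptables rules. The following is an added example, not part of the thread or of Zeroshell: audit_ccd and ip_to_int are hypothetical helper names, and the pool range in the usage comment is a constructed value.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenVPN client-config-dir.
# Function names and the pool range are assumptions made for illustration.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# audit_ccd DIR POOL_START POOL_END
# Prints one finding per line; returns 0 if the directory is clean, else 1.
audit_ccd() {
    ccd=$1; lo=$(ip_to_int "$2"); hi=$(ip_to_int "$3")
    seen=" "; rc=0
    octet='(0|[1-9][0-9]{0,2})'   # no leading zeros, so no octal surprises
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        cn=${f##*/}      # file name = username or certificate CN
        ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        if ! echo "$ip" | grep -Eq "^($octet\.){3}$octet\$"; then
            echo "NO_ADDRESS $cn: no usable ifconfig-push line"
            rc=1; continue
        fi
        n=$(ip_to_int "$ip")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
            echo "IN_POOL $cn: $ip could also be handed out dynamically"
            rc=1
        fi
        case $seen in
            *" $ip "*) echo "DUPLICATE $cn: $ip is already assigned"; rc=1 ;;
        esac
        seen="$seen$ip "
    done
    return $rc
}

# Usage with the directory from the thread and a constructed pool range:
#   audit_ccd /Database/etc/ccd 192.168.250.20 192.168.250.30
```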