In a setup where a single server handles many clients, it is sometimes necessary to set per-client options that override the "global" options. The client-config-dir option is very useful for this. It allows the administrator to assign a fixed IP address to a client, to push client-specific options such as compression settings or DNS servers, or to temporarily disable a client altogether.
This recipe is a continuation of the previous one. Install OpenVPN 2.1 on two computers. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and the client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file, basic-udp-server.conf, and the client configuration file, basic-udp-client.conf, from the previous recipe at hand.
- Modify the server configuration file, basic-udp-server.conf, by adding the line:

    client-config-dir /etc/openvpn/cookbook/clients

  Then save it as example2-4-server.conf.
- Next, create the directory for the client-config files and place a file in it named after the common name of the client certificate:

    [root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients
    [root@server]# cd /etc/openvpn/cookbook/clients
    [root@server]# echo "ifconfig-push 192.168.200.7 192.168.200.7" > openvpnclient1

- The common name can be retrieved from the client certificate file using:

    [server]$ openssl x509 -subject -noout -in client1.crt
    subject= /C=NL/O=Cookbook/CN=openvpnclient1/emailAddress=…

- Start the server:

    [root@server]# openvpn --config example2-4-server.conf

- Start the client using the configuration file from the previous recipe:

    [root@client]# openvpn --config basic-udp-client.conf
    […]
    [openvpnserver] Peer Connection Initiated with openvpnserver:1194
    TUN/TAP device tun0 opened
    /sbin/ip link set dev tun0 up mtu 1500
    /sbin/ip addr add dev tun0 192.168.200.7/24 broadcast 192.168.200.255
    Initialization Sequence Completed
When a client connects to the server with a certificate whose common name is openvpnclient1, the OpenVPN server checks whether a corresponding client configuration file (also known as a CCD file) exists in the client-config-dir directory. If it exists, it is read in as an extra set of options for that particular client. In this recipe, we use it to assign a specific IP address to a client (although there are more flexible ways to do that). The client is now always assigned the IP address 192.168.200.7. Because the lookup is keyed on the common name, every client certificate needs a unique common name: two clients sharing a common name would also share this CCD file and, with it, the same IP address. Note also that in topology subnet mode the second argument of ifconfig-push is documented as the netmask of the VPN subnet (for example 255.255.255.0) rather than a remote endpoint; the recipe repeats the client address instead, which the 2.1.1 server used here accepted, as the /24 in the client log shows.
If all of the following conditions are met, then the file DEFAULT is read and processed instead:
- a client-config-dir directive is specified
- there is no matching client file for the client's certificate in that directory
- a file named DEFAULT does exist in that directory
Please note that this name is case sensitive. A DEFAULT file is a convenient place for a disable line, so that any client without a CCD file of its own is refused rather than silently given the global options; the server directive ccd-exclusive serves a similar purpose by refusing clients that have no CCD file.
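The following shell script is an added example and is not part of the OpenVPN 2 Cookbook. It shows the steps above as functions: deriving the CCD file name from a certificate subject line, writing the CCD file, and reproducing the lookup order the server follows (the client's own file, then DEFAULT, then nothing). The subject lines and the dummy e-mail address are constructed sample input; the character sanitisation applied to the common name (everything outside letters, digits, '_', '-', '.' and '@' becomes '_') is an assumption based on OpenVPN 2.1's handling of common names and should be checked against the version you run.

```shell
#!/bin/sh
# Added example (not from the OpenVPN 2 Cookbook): build and look up CCD files.

# Extract the CN from a subject line as printed by `openssl x509 -subject -noout`
# (both the "/C=NL/O=Cookbook/CN=name" and the "C = NL, O = Cookbook, CN = name"
# forms) and sanitise it the way OpenVPN does before using it as a file name.
# Assumption: characters outside [A-Za-z0-9_.@-] are replaced by '_'.
ccd_name_from_subject() {
    printf '%s\n' "$1" |
        sed -n 's/.*CN *= *\([^/,]*\).*/\1/p' |
        sed 's/^ *//; s/ *$//; s/[^A-Za-z0-9_.@-]/_/g'
}

# Print the CCD file the server would process for a client: the client's own
# file if it exists, otherwise DEFAULT (case sensitive) if that exists,
# otherwise nothing (exit status 1).
ccd_lookup() {
    dir=$1; name=$2
    if [ -f "$dir/$name" ]; then
        printf '%s\n' "$dir/$name"
    elif [ -f "$dir/DEFAULT" ]; then
        printf '%s\n' "$dir/DEFAULT"
    else
        return 1
    fi
}

# Write a CCD file: dir, subject line, client IP, second ifconfig-push argument,
# then any number of extra lines appended verbatim. Prints the file written.
write_ccd() {
    [ $# -ge 4 ] || return 1
    dir=$1; name=$(ccd_name_from_subject "$2"); ip=$3; rn=$4
    shift 4
    [ -n "$name" ] || { echo "no CN found in subject line" >&2; return 1; }
    {
        printf 'ifconfig-push %s %s\n' "$ip" "$rn"
        for line; do printf '%s\n' "$line"; done
    } > "$dir/$name"
    # readable by the unprivileged OpenVPN user, writable only by the owner (root)
    chmod 644 "$dir/$name"
    printf '%s\n' "$dir/$name"
}

# Demo with constructed input (the e-mail address is a dummy value).
ccd=$(mktemp -d)
write_ccd "$ccd" 'subject= /C=NL/O=Cookbook/CN=openvpnclient1/emailAddress=dummy@example.org' \
    192.168.200.7 255.255.255.0 'push "dhcp-option DNS 192.168.200.1"'
printf 'disable\n' > "$ccd/DEFAULT"   # clients without their own file are refused
cat "$(ccd_lookup "$ccd" openvpnclient1)"
ccd_lookup "$ccd" "$(ccd_name_from_subject 'subject=C = NL, O = Cookbook, CN = some other client')"
rm -r "$ccd"
```

The second lookup in the demo resolves to the DEFAULT file because "some_other_client" has no file of its own; the space in that common name is what the sanitisation step turns into an underscore, which is the usual reason a CCD file that "looks right" is never picked up.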
Troubleshooting configuration problems with CCD files is a recurring topic on the OpenVPN mailing lists. The most common configuration errors are avoided by checking the following:
- Always specify the full path in the client-config-dir directive.
- Make sure the directory is accessible and the CCD file is readable by the user that OpenVPN runs as (nobody or openvpn in most cases). The directory and its files should not be writable by that user or by other local users: whoever can write a CCD file controls the options, routes and DNS servers pushed to that client. A root-owned directory with mode 755, as created above, is what you want.
- Make sure that the right filename is used for the CCD file: the common name of the client certificate, without any extension, after OpenVPN has replaced characters outside letters, digits, '_', '-', '.' and '@' with '_'. A common name containing spaces or slashes therefore maps to a different filename than the one printed by openssl.
OpenVPN 2.0 does not support the directive topology subnet. It supports only the net30 mode, where each client is assigned a '/30' mini subnet containing four IP addresses. The syntax of a CCD file in net30 mode is slightly different:

    ifconfig-push 192.168.200.34 192.168.200.33

The first address is the client's IP address; the second is the address of the fake remote endpoint of the client's point-to-point link, which no host actually uses but which the client needs as the next hop for its routes. Both addresses must lie in the same '/30' block, here 192.168.200.[32-35], chosen by the administrator from the blocks not in use, and they must be the two usable host addresses of that block (.33 and .34, not the network address .32 or the broadcast address .35). Windows clients enforce this, as the TAP driver only accepts a pair that forms a valid /30.
This also offers a nice way to allow OpenVPN 2.0 clients to connect to a server that is configured to use topology subnet. By creating a CCD file containing the following, an OpenVPN 2.0 client can still connect:

    push "route-gateway 192.168.200.33"
    ifconfig-push 192.168.200.34 192.168.200.33

Note that the route gateway needs to be pushed explicitly, as otherwise the client attempts to use the VPN server IP address 192.168.200.1, which is not reachable as a next hop over its point-to-point link to 192.168.200.33. Also note that there is no need to push "topology net30", as the OpenVPN 2.0 client does not recognize this directive.
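The following script is an added example, not code from the OpenVPN 2 Cookbook. It validates an ifconfig-push pair against the net30 rule stated above (both addresses in one /30 block, and they must be the block's two usable host addresses) and emits the two CCD lines for a net30-only client on a topology subnet server. The function names are the author's own; the addresses are the ones used in the text.

```shell
#!/bin/sh
# Added example (not from the OpenVPN 2 Cookbook): net30 CCD pair validation.

# Return 0 when $1 (client address) and $2 (remote endpoint) are the two usable
# host addresses of one /30 block, in either order. Offsets within a /30 are
# 0 = network, 1 and 2 = usable hosts, 3 = broadcast, so .33/.34 is valid but
# .32/.33 or .7/.7 is not.
net30_pair_ok() {
    awk -v l="$1" -v r="$2" 'BEGIN {
        if (split(l, a, ".") != 4 || split(r, b, ".") != 4) exit 1
        for (i = 1; i <= 4; i++)
            if (a[i] !~ /^[0-9]+$/ || b[i] !~ /^[0-9]+$/ || a[i] + 0 > 255 || b[i] + 0 > 255) exit 1
        for (i = 1; i <= 3; i++)
            if (a[i] + 0 != b[i] + 0) exit 1            # first three octets must match
        if (int((a[4] + 0) / 4) != int((b[4] + 0) / 4)) exit 1   # same /30 block
        lo = (a[4] + 0) % 4; ro = (b[4] + 0) % 4
        if ((lo == 1 && ro == 2) || (lo == 2 && ro == 1)) exit 0
        exit 1
    }'
}

# Print the CCD lines that let an OpenVPN 2.0 (net30-only) client connect to a
# topology subnet server: the route gateway is pushed explicitly and
# "topology net30" is deliberately not pushed, since a 2.0 client does not
# know that directive. Refuses pairs that are not valid for net30.
net30_compat_ccd() {
    client=$1; endpoint=$2
    net30_pair_ok "$client" "$endpoint" ||
        { echo "not a valid net30 pair: $client $endpoint" >&2; return 1; }
    printf 'push "route-gateway %s"\nifconfig-push %s %s\n' "$endpoint" "$client" "$endpoint"
}

# Demo with the addresses from the text.
net30_compat_ccd 192.168.200.34 192.168.200.33
net30_compat_ccd 192.168.200.7 192.168.200.7 || echo "rejected, as expected for net30"
```

Redirect the output of net30_compat_ccd into the file named after the client's common name in the client-config-dir directory; the pair used in this recipe's subnet-mode CCD file (.7/.7) is rejected, which is the point: a subnet-mode pair cannot be reused unchanged for a net30 client.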
The following configuration options are allowed in a CCD file:
- push: for pushing DNS servers, WINS servers, routes, and so on
- push-reset: to overrule global push options
- iroute: for routing client subnets to the server
- ifconfig-push: for assigning a specific IP address, as done in this recipe
- disable: for temporarily disabling a client altogether
- config: for including another configuration file