Currently our OpenVPN Community Edition server (version 2.3.11 running on RHEL) client config files are stored in /etc/openvpn/ccd. We want to control which network routes each user gets depending on what their job title is. For example, developers get AWS routes, which non-developers shouldn't get, but all users need to have file server access. I know routes for all clients can be added to /etc/openvpn/openvpn.conf, but we need to add routes based on job title. Is there a way to control this, perhaps by creating a single file with all AWS routes, which is referenced by each developer's client config (CCD) file? Or is there a way to somehow create a group structure where, if you fall into a specific group (e.g. developer), you get specific routes? Currently I have to manually edit each user's CCD file to give them the appropriate network access, which is a real pain when you have dozens of users and the routes for each user can change at any time. We have a mixed environment with clients running Windows or macOS, so the ideal solution would be done from the server and not from the client's machine.
KeithJ
1 Answer
CCD is in principle per CN (Common Name / username). What you can do is create "role" definitions (e.g. _developers, _admins, _sales, _developers-admin, ...) and create symbolic links from the specific CNs to them:
_admin
_developer-admin
_developers
_sales
user1 -> _admin
user2 -> _developer-admin
user3 -> _developer-admin
user4 -> _developers
user5 -> _developers
user6 -> _sales
This way you can edit the "template" instead of each single file per user.
CCD is not a firewall!
Please be aware that not pushing the route doesn't mean that the user cannot add it manually on his/her side... If it really needs to be separate, you should also handle it at the firewall level to really limit the users' access:
- use persistent IPs and, next to the pushed route, set up the firewall
- utilize route up/down scripts (which know who is connecting/disconnecting and with what IP) to set up individual firewall rules

Kamil J
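As an added example (not from the question or the answer above), a small POSIX shell script that builds the symlink layout the answer describes from a CN-to-role map, so a role change is a one-line edit plus a re-run. The CCD directory, role names, user names and subnets are all constructed placeholders, not values from the original post.

```shell
#!/bin/sh
# Added example, not from the original post: generate per-user CCD symlinks
# from a CN-to-role map so that one role template serves every member.
# Assumptions (constructed for the demo): CCD_DIR stands in for
# /etc/openvpn/ccd, and the role names and subnets are placeholders.
set -eu
CCD_DIR="${CCD_DIR:-$(mktemp -d)}"

# Role templates: every role gets the file-server route, developers also
# get the (placeholder) AWS range. Only these files need editing later.
write_templates() {
    mkdir -p "$CCD_DIR"
    cat > "$CCD_DIR/_developers" <<'EOF'
push "route 10.20.0.0 255.255.255.0"
push "route 172.31.0.0 255.255.0.0"
EOF
    cat > "$CCD_DIR/_sales" <<'EOF'
push "route 10.20.0.0 255.255.255.0"
EOF
}

# $1 holds "cn:role" lines. Each CN becomes a symlink to its template;
# an existing link is replaced, so re-running after a role change is enough.
apply_roles() {
    printf '%s\n' "$1" | while IFS=: read -r cn role; do
        [ -z "$cn" ] && continue
        if [ ! -f "$CCD_DIR/$role" ]; then
            echo "unknown role '$role' for CN '$cn'" >&2
            return 1
        fi
        ln -sfn "$role" "$CCD_DIR/$cn"
    done
}

# Show the push lines OpenVPN would read for a CN (follows the symlink).
routes_for() {
    grep '^push "route ' "$CCD_DIR/$1"
}

# Number of routes pushed to a CN; handy for quick checks.
route_count() {
    grep -c '^push "route ' "$CCD_DIR/$1"
}

# Demo mirroring the answer's listing.
write_templates
apply_roles "user4:_developers
user5:_developers
user6:_sales"
echo "user4 ($(readlink "$CCD_DIR/user4")) gets:"; routes_for user4
```

Pair this with the firewall rules the answer mentions: the symlink only changes what is pushed, not what the client can reach.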