Client-specific settings (server only)
In a typical remote access VPN setup, the clients are remote users—for example, users trying to access the company private network from home. Therefore, when a client establishes a VPN tunnel with the VPN server, it only needs to ensure that the client host itself can access the private network; so, it can use any tunnel IP address assigned by the server.
However, in some environments, the remote access mode is used to implement site-to-site functionality; that is, each client is in fact a site that establishes, in effect, a site-to-site tunnel with the server. The following figure illustrates this functionality.
In such an environment, it may be useful to give a fixed IP address to each OpenVPN client. Furthermore, in such cases there may be a private network behind a client as well, and the OpenVPN server needs to determine that traffic destined to this private network should be routed to the particular client. Similarly, there may be networks behind the OpenVPN server that the client needs to access. In other words, these client-specific settings are tied to a particular client, and they can be configured by using the options that are shown in the following example and explained after the example.
Configuration options related to remote access mode
interfaces {
    openvpn if_name {
        server {
            client client_name {
                ip client_ip
                push-route ipv4net
                subnet client_subnet
            }
        }
    }
}
- client: This argument is the name for the client; this name corresponds to the common name specified in the certificate of the client. When a client initiates the VPN session, the server uses the name in the certificate to look up and apply client-specific settings (if any).
- ip: This argument is the fixed IP address that is assigned to the particular client.
- push-route: This argument is the network address of a network behind the OpenVPN server to which the client can route traffic. Multiple networks can be specified with multiple push-route configuration statements.
- subnet: This argument is the private subnet behind the particular client, and the OpenVPN process routes traffic destined to this subnet to the client. Multiple networks can be specified with multiple subnet configuration statements.
Note that this setting only informs the OpenVPN server to which client the traffic for this subnet should be routed. However, before the OpenVPN server is in a position to make this decision, the traffic must be routed to the tunnel interface, so that it is processed by the OpenVPN server. For this reason, a static interface route must be added separately to direct traffic for this subnet to the tunnel interface.
In the preceding example, the V1 server can be configured with the client settings specific to the V2 client as follows (note that a static interface route is also needed for the subnet of the V2 client).
To configure this scenario, perform the following steps in configuration mode.
Step | Command |
---|---|
Create the vtun0 configuration node. | |
Enter configuration commands. | |
Create the server configuration node. | |
Enter configuration commands. | |
Create the V2 client configuration node. | |
Specify the IP address of the client. | |
Specify the subnet at the server that the client can access. | |
Set the subnet at the client. | |
Enter configuration commands. | |
Commit the change. | |
Show the OpenVPN configuration. | |
To configure the static interface route to access the remote subnet through the OpenVPN tunnel, perform the following steps in configuration mode.
Step | Command |
---|---|
Create the static interface route to access the remote subnet through the OpenVPN tunnel. | |
Commit the change. | |
Show the static routing configuration. | |
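The client-specific settings above (ip, push-route, subnet) and the separate static interface route are easy to get subtly wrong: a client ip outside the server's tunnel pool, two sites claiming overlapping subnets, or a subnet with no kernel route to the tunnel interface all break the site-to-site behaviour without any error at commit time. The following Python script is an added example, not part of this documentation or the router's own tooling. It represents the client blocks from the configuration above as a dictionary with constructed sample addresses (a 10.8.0.0/24 tunnel pool, the V2 client and a hypothetical V3 client with subnets 192.168.2.0/24 and 192.168.3.0/24), checks them for those mistakes, and renders the equivalent per-client OpenVPN client-config-dir directives (ifconfig-push, push "route", iroute; the rendering assumes the server runs with topology subnet) together with the Linux ip route command that satisfies the static interface route requirement described above.

```python
"""Validate OpenVPN client-specific settings and render what they imply
on the server side. Added example, not part of the original documentation;
all addresses and client names are constructed sample values."""
import ipaddress

# Constructed sample, one entry per "client client_name { ... }" block.
SERVER_POOL = "10.8.0.0/24"  # hypothetical tunnel address pool of the server
CLIENTS = {
    "V2": {"ip": "10.8.0.50", "push-route": ["192.168.1.0/24"], "subnet": ["192.168.2.0/24"]},
    "V3": {"ip": "10.8.0.60", "push-route": ["192.168.1.0/24"], "subnet": ["192.168.3.0/24"]},
}


def check_clients(server_pool, clients):
    """Return a list of problems found in the client settings (empty = consistent).

    Checks: client ip inside the tunnel pool, no duplicate client ips,
    client subnets not overlapping the pool or each other's subnets.
    """
    pool = ipaddress.ip_network(server_pool)
    problems = []
    seen_ips = {}      # ip -> client name that already holds it
    claimed = []       # (client name, subnet) pairs for overlap detection
    for name, cfg in clients.items():
        ip = ipaddress.ip_address(cfg["ip"])
        if ip not in pool:
            problems.append(f"{name}: ip {ip} is outside the server pool {pool}")
        if ip in seen_ips:
            problems.append(f"{name}: ip {ip} is already assigned to {seen_ips[ip]}")
        seen_ips[ip] = name
        for net_str in cfg.get("subnet", []):
            net = ipaddress.ip_network(net_str)
            if net.overlaps(pool):
                problems.append(f"{name}: subnet {net} overlaps the tunnel pool {pool}")
            for other, other_net in claimed:
                if net.overlaps(other_net):
                    problems.append(f"{name}: subnet {net} overlaps {other}'s subnet {other_net}")
            claimed.append((name, net))
    return problems


def render_ccd(name, cfg, server_pool):
    """OpenVPN client-config-dir lines equivalent to one client block.

    ip -> ifconfig-push, push-route -> push "route ...", subnet -> iroute.
    Assumes 'topology subnet', so ifconfig-push takes the pool netmask.
    """
    pool = ipaddress.ip_network(server_pool)
    lines = [f"ifconfig-push {cfg['ip']} {pool.netmask}"]
    for net_str in cfg.get("push-route", []):
        net = ipaddress.ip_network(net_str)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    for net_str in cfg.get("subnet", []):
        net = ipaddress.ip_network(net_str)
        lines.append(f"iroute {net.network_address} {net.netmask}")
    return lines


def kernel_routes(if_name, clients):
    """Static interface routes the kernel needs so that traffic for each
    client subnet reaches the tunnel interface at all (Linux 'ip route' form)."""
    cmds = []
    for cfg in clients.values():
        for net_str in cfg.get("subnet", []):
            cmds.append(f"ip route add {ipaddress.ip_network(net_str)} dev {if_name}")
    return cmds


if __name__ == "__main__":
    for problem in check_clients(SERVER_POOL, CLIENTS):
        print("PROBLEM:", problem)
    for client_name, client_cfg in CLIENTS.items():
        print(f"# ccd/{client_name}")
        print("\n".join(render_ccd(client_name, client_cfg, SERVER_POOL)))
    print("# static interface routes")
    print("\n".join(kernel_routes("vtun0", CLIENTS)))
```

The iroute line is the server-internal counterpart of the subnet option: it tells the OpenVPN process which client a packet for that subnet belongs to, but only after the kernel has handed the packet to the tunnel interface, which is what the ip route command (or the router's static interface route) provides. Keeping both in one place, and rejecting overlapping subnet claims between clients, prevents one site's return traffic from being silently delivered to another site.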