Hi,
I run two OpenVPN servers, with authentication via RADIUS against LDAP plus certificates, of course including a CRL check. I have the pool split into two halves: the first is dynamic (DHCP-style), the second is static from CCD. Works perfectly on clients running Android, Ubuntu, XP and 7. I switched to OpenVPN instead of the Cisco solution.
I'm attaching a working configuration, hopefully the how-to helps you. Remove the directives you don't need from the config, and of course change the IP ranges to suit yourself.
server:
# Bind to the LAN address and accept clients on TCP/443 (passes most firewalls)
local 192.168.20.1
port 443
proto tcp-server
dev tun
tun-mtu 1500
# Server certificate chain; the CRL is checked on every client connect
ca /etc/openvpn/key/ca.pem
cert /etc/openvpn/key/server.pem
key /etc/openvpn/key/server.key
dh /etc/openvpn/key/dh2048.pem
# HMAC on the TLS control channel; server uses key direction 0, clients use 1
tls-auth /etc/openvpn/key/ta.key 0
crl-verify /etc/openvpn/key/ca_crl.pem
# Expanded form of the "server" macro: one /24, dynamic pool .2-.126,
# the upper half of the range is kept free for static CCD assignments
topology subnet
mode server
tls-server
push "topology subnet"
ifconfig 192.168.1.1 255.255.255.0
ifconfig-pool 192.168.1.2 192.168.1.126 255.255.255.0
push "route-gateway 192.168.1.1"
client-config-dir ccd
push "dhcp-option DNS 192.168.200.1"
push "dhcp-option DNS 192.168.201.10"
keepalive 10 300
# BF-CBC is a 64-bit block cipher (SWEET32); current OpenVPN releases default to AES-GCM
cipher BF-CBC
# Compression inside the tunnel is exposed to VORACLE-style attacks; consider dropping it
comp-lzo
max-clients 200
# Drop privileges after startup; persist-* keep keys/tun usable after the drop
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log 10
verb 1
# RADIUS plugin handles username/password; script-security 2 permits calling external scripts
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
script-security 2
# Username/password is optional (certificate-only clients still connect);
# the certificate CN is used unmodified as the CCD file name
auth-user-pass-optional
no-name-remapping
CCD - static IP by user name. Here you can also push other per-user things such as routes etc.:
ifconfig-push 192.168.1.131 255.255.255.0
ifconfig-push 192.168.1.132 255.255.255.0
etc.
The pool has to be allocated like this: 4 IPs per Windows client, 1 address per client for all other systems. That applies only to static allocation; if only dynamic allocation were used, the server would allocate one or 4 addresses depending on the client.
client:
client
dev tun
tun-mtu 1500
mssfix
# Allow the peer address to change (NAT, roaming)
float
proto tcp
# Two servers, tried in order; add remote-random to spread clients across them
remote ip_server1
remote ip_server2
nobind
persist-key
persist-tun
# User certificate, private key and CA in one PKCS#12 bundle
pkcs12 user_certifikat.p12
# route-method is a Windows-only option (selects how routes are installed)
route-method exe
verb 1
mute 20
route-delay 2
comp-lzo
# Prompt for the RADIUS username/password
auth-user-pass
# Must match the server's ta.key, with the opposite key direction
tls-auth ta.key 1
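A quick consistency check for the split pool described above, as an added example that is not part of the original post: the script walks the CCD directory and verifies that every ifconfig-push address lies inside the server's /24, outside the dynamic ifconfig-pool range (.2-.126), and is not handed to two users at once. It assumes the post's addressing (192.168.1.0/24, pool .2-.126); the user names and CCD files built in demo() are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): check the CCD directory against
# the dynamic pool from the server config above. Assumes the post's layout:
# ifconfig-pool 192.168.1.2-192.168.1.126, static ifconfig-push entries above
# .126 in the same /24. The user names and files created in demo() are constructed.

NET_PREFIX=192.168.1
POOL_START=2
POOL_END=126

# ip_host ADDR: print the host octet of ADDR if it is a plain address inside
# $NET_PREFIX.0/24, print nothing otherwise.
ip_host() {
    case "$1" in
        "$NET_PREFIX".*)
            h=${1##*.}
            case $h in
                *[!0-9]*|"") ;;              # not a plain number, treat as invalid
                *) printf '%s\n' "$h" ;;
            esac ;;
    esac
}

# check_ccd DIR: return 0 when every ifconfig-push in DIR is inside the /24,
# outside the dynamic pool and unique across files; otherwise print each
# problem (one per line) and return 1. Files without ifconfig-push are skipped.
check_ccd() {
    dir=$1
    rc=0
    seen=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        user=${f##*/}                         # CCD file name == client CN
        ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        [ -n "$ip" ] || continue
        host=$(ip_host "$ip")
        if [ -z "$host" ]; then
            echo "$user: $ip is outside $NET_PREFIX.0/24"
            rc=1
            continue
        fi
        if [ "$host" -ge "$POOL_START" ] && [ "$host" -le "$POOL_END" ]; then
            echo "$user: $ip collides with the dynamic pool .$POOL_START-.$POOL_END"
            rc=1
        fi
        case " $seen " in
            *" $ip "*)
                echo "$user: $ip is already assigned in another CCD file"
                rc=1 ;;
        esac
        seen="$seen $ip"
    done
    return $rc
}

# demo: build a throwaway CCD directory with two good and two bad entries
# (constructed data) and run the check on it.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/ccd"
    printf 'ifconfig-push 192.168.1.131 255.255.255.0\n' > "$tmp/ccd/alice"
    printf 'ifconfig-push 192.168.1.132 255.255.255.0\npush "route 10.10.0.0 255.255.255.0"\n' > "$tmp/ccd/bob"
    printf 'ifconfig-push 192.168.1.50 255.255.255.0\n'  > "$tmp/ccd/carol"   # inside the pool
    printf 'ifconfig-push 192.168.1.131 255.255.255.0\n' > "$tmp/ccd/dave"    # duplicate of alice
    if check_ccd "$tmp/ccd"; then
        echo "CCD directory is consistent"
    else
        echo "CCD directory needs fixing"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_ccd.sh` for the demo, or call `check_ccd /etc/openvpn/ccd` from a deploy hook so a collision between a static entry and the dynamic pool is caught before the server hands the same address to two clients.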