Как сделать привязку IP к сертификату клиента OpenVPN

Для привязки IP к сертификату клиента, необходимо:

• Указать в конфигурации сервера директорию хранения конфигурационных файлов клиента

  # To assign specific IP addresses to specific
  # clients or if a connecting client has a private
  # subnet behind it that should also have VPN access,
  # use the subdirectory "ccd" for client-specific
  # configuration files (see man page for more info).
  
  # EXAMPLE: Suppose the client
  # having the certificate common name "Thelonious"
  # also has a small subnet behind his connecting
  # machine, such as 192.168.40.128/255.255.255.248.
  # First, uncomment out these lines:
  ;client-config-dir ccd
  ;route 192.168.40.128 255.255.255.248
  # Then create a file ccd/Thelonious with this line:
  #   iroute 192.168.40.128 255.255.255.248
  
  # This will allow Thelonious' private subnet to
  # access the VPN.  This example will only work
  # if you are routing, not bridging, i.e. you are
  # using "dev tun" and "server" directives.
  # EXAMPLE: Suppose you want to give
  # Thelonious a fixed VPN IP address of 10.9.0.1.
  # First uncomment out these lines:
  client-config-dir ccd
  

• в директории ccd создать файл с именем указанным в Common Name сертификата

  (Запрос Common Name при создании сертификата)
  Common Name (eg, your name or your server's hostname)
  

• указать в созданном файле конфигурацию в формате ifconfig-push ip-клиента ip-шлюза, ip клиента и шлюза должны соответствовать пулу адресов OpenVPN сети.

  (конфигурация пула адресов OpenVPN сети)
  # Configure server mode and supply a VPN subnet
  # for OpenVPN to draw client addresses from.
  # The server will take 10.8.0.1 for itself,
  # the rest will be made available to clients.
  # Each client will be able to reach the server
  # on 10.8.0.1. Comment this line out if you are
  # ethernet bridging. See the man page for more info.
  server 192.168.1.0 255.255.255.0
  

• из-за разделения OpenVPN сети на подсети из 4-ох адресов: network, IP, gateway, broadcast, ip клиента и шлюза должны быть сконфигурированы в соответствии с указаной ниже таблицей

  [ip клиента, ip шлюза]
  [  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
  [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
  [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
  [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
  [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
  [101,102] [105,106] [109,110] [113,114] [117,118]
  [121,122] [125,126] [129,130] [133,134] [137,138]
  [141,142] [145,146] [149,150] [153,154] [157,158]
  [161,162] [165,166] [169,170] [173,174] [177,178]
  [181,182] [185,186] [189,190] [193,194] [197,198]
  [201,202] [205,206] [209,210] [213,214] [217,218]
  [221,222] [225,226] [229,230] [233,234] [237,238]
  [241,242] [245,246] [249,250] [253,254]
  

  Пример привязки ip 192.168.1.41 к сертификату c CN examplename

  echo 'ifconfig-push 192.168.1.41 192.168.1.42' > /etc/openvpn/ccd/examplename