Client Specific Overrides

Client specific overrides define custom settings which apply to only certain clients connecting to an SSL/TLS server in client/server mode. These settings are determined by the way a connecting client authenticates, either by their username or the common name of their certificate.

These options are additive, meaning the client will receive the options pushed by the server configuration and then the options defined on this client-specific override entry. Some settings will override the values received from the server, such as the Tunnel Networks, while others will combine and use both server and local values, such as Local Network definitions.

Tip

The “Prevent this client from receiving any server-defined client settings.” option will make the client ignore any pushed settings from the server which are not defined on the override entry.

Client specific overrides are managed at VPN > OpenVPN on the Client Specific Overrides tab.

Purpose

Depending on the use cases, overrides may be a required part of a deployment, such as a site-to-site VPN with multiple clients connecting to a single server.

Overrides also enable special behavior such as configuring different routes for different clients, static IP addresses when connecting to the VPN, exceptions to default VPN behaviors, and many more scenarios.

Configuration

The following settings are available when configuring client specific overrides.

Description:

Text describing the override entry, such as a user or site name, or its purpose.

Disable:

Whether or not this override is enabled. When checked, the override is not active.

Common Name:

The name of the user which OpenVPN will match when a client connects.

When using SSL/TLS authentication alone this matches the common name field of the certificate.

When using user authentication alone, the common name is undefined by default and will not match anything unless the Username as Common Name option is enabled on the OpenVPN server. With that set, this field will match the username.

When SSL/TLS and user authentication are both active, the behavior is determined by the Username as Common Name option on the OpenVPN server. When checked, it matches the username. When unchecked, it matches the common name of the certificate. If multiple users share the same certificate, check that option.

The special name DEFAULT will trigger if the connecting user does not match any other existing overrides. This can be useful when adding options which are only possible on overrides, such as Connection Blocking.

Connection Blocking:

When set, OpenVPN rejects clients matching this override. This can be used as an additional means of blocking a specific user, though this use case should only be temporary.

Note

Do not use this to permanently block a specific user if their credentials have been compromised or terminated. Instead, use a CRL to revoke the client certificate or make changes to the user account such as removing the account or changing its password.

Some administrators use this option to selectively allow clients on specific servers when they share a common CA structure. The best practice is to use a separate certificate structure for each VPN server, but that is not always possible.

Tip

To only allow users with an override to connect, create an override for the DEFAULT common name with this option set. With that in place, OpenVPN will reject all clients by default and will allow connections from clients matching other overrides which do not have this option set.

Server List:

The OpenVPN servers for which this override will be active. Select one or more OpenVPN instances which will utilize this override. By default, with no entries selected, overrides are active for all servers.

Many use cases may call for using an override with only a specific VPN. For example if a client has a static IP address inside the VPN, that address may only be valid on one VPN server. Attempting to use that static address on a different VPN will fail.

Note

Multiple overrides can use the same common name, but such entries are only useful if they are active on different VPN instances.

IPv4/IPv6 Tunnel Network:

A specific static virtual IPv4 or IPv6 network, or a network type alias with a single entry, used for private communications between this client and the server, expressed in CIDR notation (e.g. 10.0.8.5/24).

On a server with subnet topology, or for IPv6, the client IP address and the subnet/prefix mask must match the Tunnel Network on the server.

On a server with net30 topology, OpenVPN assumes the first IPv4 network address of the /30 is the server address and it assigns the second network address to the client.

Note

These options express a preference, not a reservation. OpenVPN dynamically allocates addresses to connecting clients near the start of its tunnel network. An override will not prevent another client from using this address if that client happens to be assigned the same address dynamically.

IPv4/IPv6 Local Network/s:

Networks located on the server side for which OpenVPN will push routes to this client. This can be a comma-separated list of networks in CIDR notation and it can also be a host or network type alias.

Note

This is functionally identical to the same fields on the OpenVPN server configuration. Values in these fields are added to the lists pushed by the server, so there is no need to duplicate those values here. Only exceptions or differences from the default entries should be in these fields.

IPv4/IPv6 Remote Network/s:

Networks which can be reached through this client. OpenVPN will internally route traffic destined for these networks to this client (iroute).

The remote networks listed in the server configuration inform the operating system routing table to deliver the traffic to OpenVPN, while the entries in an override associate networks with specific remote clients.

Warning

Unlike local networks, entries in the remote network fields must be set in both the OpenVPN server and an override. For full routing functionality to a client network, both the operating system routing table and OpenVPN must know how to reach the network.

Redirect Gateway:

When set, OpenVPN pushes a default gateway to the client so it will send all of its traffic, including Internet traffic, through this VPN.

Server Definitions:

When set, OpenVPN will not push options from the server configuration to this client.

Remove Server Routes:

When set, OpenVPN will not push routes to this client, but it will push other options.

DNS Default Domain:

When set, the GUI presents a field to set an alternate default DNS search domain which OpenVPN will push to this client.

DNS Servers:

When set, the GUI presents four fields for alternative DNS servers OpenVPN will push to this client.

NTP Servers:

When set, the GUI presents two fields for alternative NTP servers OpenVPN will push to this client.

NetBIOS Options:

When set, the GUI presents fields for alternate NetBIOS options which OpenVPN will push to this client.

Advanced:

Additional custom options for OpenVPN to apply to this client.

Each directive must be separated by a semicolon (;).
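As an added illustration (not pfSense's own code or generated output) of how the Tunnel Network, Local/Remote Network, Connection Blocking, Server Definitions, Redirect Gateway and Advanced fields above map onto OpenVPN client-config directives, the following Python renders one override entry. The dictionary keys are assumed names chosen for the example; the net30 and subnet address rules follow the description given above.

```python
import ipaddress

def split_list(text, sep=","):
    """Split a GUI list field (comma for networks, semicolon for Advanced)."""
    return [item.strip() for item in text.split(sep) if item.strip()]

def cidr_to_ovpn(cidr):
    """'192.168.20.0/24' -> '192.168.20.0 255.255.255.0' (OpenVPN route form)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.netmask}"

def tunnel_directive(cidr, topology):
    """Turn an IPv4 Tunnel Network entry such as '10.0.8.5/24' into ifconfig-push."""
    iface = ipaddress.ip_interface(cidr)
    if topology == "subnet":
        # subnet topology: client address plus the mask of the server's tunnel network
        return f"ifconfig-push {iface.ip} {iface.network.netmask}"
    if topology == "net30":
        # net30: first address of the client's /30 is the server side, second is the client
        block = ipaddress.ip_network(f"{iface.ip}/30", strict=False)
        server, client = block.network_address + 1, block.network_address + 2
        return f"ifconfig-push {client} {server}"
    raise ValueError(f"unknown topology: {topology}")

def render_override(entry, topology="subnet"):
    """Render one override (dict keyed like the GUI fields; assumed names) as directives."""
    lines = []
    if entry.get("block"):
        lines.append("disable")            # Connection Blocking
    if entry.get("push_reset"):
        lines.append("push-reset")         # Server Definitions: drop server-pushed options
    if entry.get("tunnel_network"):
        lines.append(tunnel_directive(entry["tunnel_network"], topology))
    for net in split_list(entry.get("local_network", "")):
        lines.append(f'push "route {cidr_to_ovpn(net)}"')   # added to the server's pushed routes
    for net in split_list(entry.get("remote_network", "")):
        lines.append(f"iroute {cidr_to_ovpn(net)}")         # OpenVPN-internal route to this client
    if entry.get("gwredir"):
        lines.append('push "redirect-gateway def1"')
    lines.extend(split_list(entry.get("custom_options", ""), sep=";"))  # Advanced field
    return "\n".join(lines)

def server_routes(entry):
    """The matching 'route' lines the server config also needs for each remote network."""
    return [f"route {cidr_to_ovpn(net)}" for net in split_list(entry.get("remote_network", ""))]
```

The server_routes output is the server-side half required by the warning above: an iroute in the override only takes effect when the server configuration also carries the corresponding route.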

See also

These options are described further in Custom Configuration Options.