OpenVPN server employees and customers config on the same instance and server?

Solution 1:

Using the same CN for everybody defeats the strengths of OpenVPN. It is generally intended to be used with a unique client certificate/key for each connection. I don't get why they still support this "single certificate" mode, because generating certificates is cheap and easy and this way you get better security and control. I never use duplicate-cn, so I don't know how to differentiate clients in this case. If you are ready to rethink your approach to OpenVPN, please read further.

As for the original question, there are at least two solutions.

A CCD directory is indexed by the certificate CN. You can set a "static" IP address for each client by adding a clause push "ifconfig <local-ip> <remote-ip>" into its CCD file. This way you will know in advance who gets which VPN IP address, so you can build firewall rules ahead of time. It is wise to collect all similar-purpose addresses into some "pools" which are split at a subnet boundary, so you'll have far fewer firewall rules. For example, if you use the 192.168.128.0/24 block for the VPN, you will generally use the 192.168.128.0/30 block for the server, so dedicate the 192.168.128.4÷124/30 blocks for your employees and the rest, 192.168.128.128÷252/30, for customers. This way you'll be able to define unique addresses for 31 employees and 32 customers, then you add two firewall rules: one for the 192.168.128.0/25 block where all employees live and one for 192.168.128.128/25 where all customers live. Please note I assume net30 topology mode here; it's easy to adjust this approach for other topologies.

Another way, probably more flexible, is to use OpenVPN's scripting ability. It can run user-defined scripts on some events. It passes some information about the connection to the called script. That certainly includes the certificate's CN and other DN fields, which can be used in the script to differentiate clients. Read man openvpn for more. You can use the client-connect and client-disconnect hooks, which could install and remove firewall rules dynamically. On Linux the best way is to define some IP sets and install rules which use these sets beforehand, and then let the OpenVPN scripts add and remove the client IP address to or from the appropriate set on the connect or disconnect event.
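A concrete version of the ipset approach from the answer above, added here as an example that is not part of the original answer: one POSIX shell script installed as both the client-connect and client-disconnect hook, which adds or removes the client's VPN address in one of two pre-created ipsets. The CN naming convention (emp-/cust- prefixes), the set names and the script path are assumptions; the environment variables script_type, common_name and ifconfig_pool_remote_ip are the ones OpenVPN exports to these hooks.

```shell
#!/bin/sh
# Added example (not from the original answer): one hook script used for both
# client-connect and client-disconnect, keeping two ipsets in sync with the
# clients currently connected. Assumed CN convention: employee certificates have
# a CN starting with "emp-", customer certificates one starting with "cust-".
# Assumed OpenVPN server config:
#   script-security 2
#   client-connect    /etc/openvpn/vpn-sets.sh
#   client-disconnect /etc/openvpn/vpn-sets.sh
# The sets and the rules that use them are created once, beforehand, e.g.:
#   ipset create vpn_employees hash:ip
#   ipset create vpn_customers hash:ip
#   iptables -A FORWARD -m set --match-set vpn_employees src -d 10.0.0.0/8 -j ACCEPT

# Map a certificate CN to its ipset; prints nothing for an unknown CN.
set_for_cn() {
    case "$1" in
        emp-*)  echo vpn_employees ;;
        cust-*) echo vpn_customers ;;
    esac
}

# Print the ipset command for an event / CN / VPN address triple.
# Returns non-zero for unknown CNs or events so the caller can refuse them.
ipset_cmd() {
    stype="$1"; cn="$2"; ip="$3"
    set_name=$(set_for_cn "$cn")
    [ -n "$set_name" ] || return 1
    case "$stype" in
        client-connect)    echo "ipset add $set_name $ip -exist" ;;
        client-disconnect) echo "ipset del $set_name $ip -exist" ;;
        *) return 1 ;;
    esac
}

# Entry point when OpenVPN runs the hook: it exports script_type, common_name
# and ifconfig_pool_remote_ip (the address handed to this client).
main() {
    cmd=$(ipset_cmd "${script_type:-}" "${common_name:-}" "${ifconfig_pool_remote_ip:-}") || {
        logger -t openvpn-sets "refusing client with unknown CN '${common_name:-}'"
        return 1   # non-zero from client-connect makes OpenVPN reject the client
    }
    logger -t openvpn-sets "$cmd"
    $cmd
}

# Run only when invoked by OpenVPN (the variable is set), not when sourced.
if [ -n "${script_type:-}" ]; then
    main
fi
```

Because the firewall rules match on the sets rather than on individual addresses, nothing in iptables has to change when clients come and go; only the set membership does.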