I've got a openvpn server and I'm searching a way to permit that a certain certificate is operative only if the connection comes from from a certain ip. Others certificates must have not this limitation because they are for road warriors and we don't know where they can come from.

So the idea is to have an array in a script (we can state some up and down script) or an external file where we have this data:

nameofcertificate:ip or network or range

example

jsmith:1.2.3.4
jsmith:1.2.3.5
jsmith:192.168.1.[10-20]

so Mr Smitch can connect only from these locations.

I state that at the beginning of the connection I've got both the variables, one derived from the common_name and the other from the env and is trusted_ip.

Now I've got to compare the array (or external file) with this variables and if there is a corrispondence permit the connection else not. If a valid certificate is not in the list there is no check on ip.

I am not very skilled for this kind of work, someone can help me? Thanks.