Netgate Discussion Forum

    Specific rules for single User / PC.

    OpenVPN
    6 Posts 2 Posters 880 Views
    WhiteTiger-IT

      I didn't understand how to identify the PCs that are connecting to the network with OpenVPN.
      Obviously I have to apply specific rules, which differ according to the PC or the connected user.


    viragomann @WhiteTiger-IT

        @whitetiger-it
        In OpenVPN you cannot determine a specific computer, you can only identify users.
        They are identified by username or by the common name in the user's certificate. If your server uses TLS auth you can specify which one in the server settings at "Username as Common Name".

        Then you have to add client specific overrides for the users you want to apply particular rules to, assigning specific IPs to them.


        WhiteTiger-IT @viragomann

          @viragomann
          But rules are not by user.
          In Client Specific Overrides I don't find an option to identify that user/PC so that it can then apply a firewall rule.
          Some users are admin and can access all servers in the DMZ. Others just a specific server.


        viragomann @WhiteTiger-IT

            @whitetiger-it
            When you add a CSO you have to state a "Common Name". This has to be equal to the user name or to the common name in the user's certificate, depending on the setting in the server settings I mentioned above.

            With the CSO you assign a specific user a specific IP by setting the "IPv4 Tunnel Network". This IP can be used in firewall rules as source.
            This way you can assign your admins, for instance, the upper half of the tunnel network, e.g. your tunnel is 10.8.0.0/24, and in the CSO for admins you set the IPv4 Tunnel Network to 10.8.0.128/25.

            Another option, which I like more, is to set up multiple OpenVPN instances for the different security groups. However, this works only with TLS authentication.
            So you can add a CA for each user group, admins and users, and set up an admin server which gets its server cert from the admins' CA and uses the admins' CA for user auth. And do the same, respectively, for the users' server.


            WhiteTiger-IT @viragomann

              @viragomann
              I apologize for the delay, but in the meantime I had to solve several problems in managing connections with OpenVPN.
              Problems I solved, except one.
              Now I am able to connect either with a pfSense user, or using RADIUS, or using RADIUS with TFA.
              The only problem that remains open (this is my answer to your suggestion) is the loss of access to the Internet even though I have activated the Redirect Gateway option.

              Returning to the problem of differentiating, with rules, the rights of users who access via OpenVPN, and to your answer: I still do not understand.

              I already have multiple OpenVPN servers, thus differentiating the connections. Each has a different tunnel, but of course the internal networks are always the same two: LAN and DMZ.

              In CSO I don't find a way to associate a user with an IP address, only a way to assign another tunnel, different from the one used by other users.
              So David and Jenny use 10.101.101.0/24
              John, instead, has a CSO to use 10.201.201.1/24
              But then he is always assigned to 10.101.101.2, as before.


              viragomann @WhiteTiger-IT

                @whitetiger-it
                The virtual IP of a client, which is part of the tunnel network, is what the firewall sees as source address. So that is the way to do it.
                But there is really no need to assign a /24 tunnel to 2 clients at all. If you use net30 topology you need 4 IPs (/30) for one client, so for two a /29 subnet is sufficient.
                If your server uses subnet topology a single IP is sufficient for each client.

                John, instead, has a CSO to use 10.201.201.1/24
                But then he is always assigned to 10.101.101.2, as before.

                So obviously the CSO is not applied. If pfSense finds a matching CSO when establishing the connection, a log line is written. If not, the client gets an IP out of the server's tunnel pool.
                I mentioned above what are the requirements for a CSO to get applied.

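As an added illustration (not code from the thread or from pfSense), a small Python model of what viragomann describes across both replies: a CSO keyed by Common Name hands the client a virtual IP inside the tunnel network, that IP is what the firewall rules see as source, and a client with no matching CSO falls back to the server's pool. The tunnel 10.8.0.0/24 with admins in 10.8.0.128/25, the rule table, and the ifconfig-push behaviour noted in the comments are assumptions.

```python
import ipaddress

# Constructed example values (not from the thread): server tunnel 10.8.0.0/24 with
# admins placed in the upper half 10.8.0.128/25 through a CSO, as the reply suggests.
SERVER_TUNNEL = ipaddress.ip_network("10.8.0.0/24")
CSO_TABLE = {  # keyed by the CSO "Common Name" (must equal the username or cert CN)
    "admin-alice": ipaddress.ip_network("10.8.0.128/25"),
}
FIREWALL_RULES = [  # pass rules on the OpenVPN interface: (source network, destination)
    (ipaddress.ip_network("10.8.0.128/25"), "DMZ"),
    (ipaddress.ip_network("10.8.0.0/24"), "LAN"),
]


def check_cso(cso_net, topology):
    """Return a list of problems with a CSO 'IPv4 Tunnel Network' for the topology.
    Assumptions: net30 needs at least a /30 per client; a CSO network outside the
    server tunnel is flagged because rules written for the tunnel would not match it."""
    cso_net = ipaddress.ip_network(cso_net)
    problems = []
    if topology == "net30" and cso_net.prefixlen > 30:
        problems.append("net30 topology needs a /30 or larger per client")
    if not cso_net.subnet_of(SERVER_TUNNEL):
        problems.append(f"{cso_net} lies outside server tunnel {SERVER_TUNNEL}")
    return problems


def client_virtual_ip(common_name, topology, pool_next):
    """Return (virtual IP as str, 'cso' or 'pool') for a connecting client.
    Assumed ifconfig-push behaviour: under net30 the client takes the second usable
    address of its /30 (the first is the server end); under subnet topology it takes
    the first usable address of the CSO network."""
    cso_net = CSO_TABLE.get(common_name)
    if cso_net is None:
        return str(ipaddress.ip_address(pool_next)), "pool"  # no CSO matched: pool address
    hosts = cso_net.hosts()
    first = next(hosts)
    return str(next(hosts) if topology == "net30" else first), "cso"


def allowed_destinations(ip):
    """Destinations whose pass rule matches this source address (sorted)."""
    addr = ipaddress.ip_address(str(ip))
    return sorted({dest for src, dest in FIREWALL_RULES if addr in src})
```

A pool client such as 10.8.0.2 only matches the LAN rule, while the admin's CSO address 10.8.0.129 matches both, which is the per-user differentiation the thread is after.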
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.