Client Specific Overrides via Cronjob Enable/Disable

FlashBurn · Aug 30, 2024, 10:21 AM

Dear friends of pfsense,

we got an request to disable a single user VPN every day from 6pm to 6am (they will force the user not to remote work after business hours).
Since no other users should be bother with this, we can't disable the whole openVPN Server.

So we had two ideas:
create a new openVPN Server instance and reconfigure the Client VPN
or
use client specific overrides, which had the smallest impact on all users and do not need any remote work on client machine.

We know how to restart/enable/disable openVPN server instances with cronjobs, but we didn't find any solution for a client specific override rule, to disable and enable it from command line.

Is there anyone who has a nice way to solve this?

I am happy to read your ideas.

Greetings

viragomann · Aug 30, 2024, 1:52 PM

@FlashBurn
Create a Client Specific Override for the user, to assign a certain IP to him.

Create a schedule for the time you want permit access (6am to 6pm).

Add to rules on the OpenVPN tab:
A pass rule for the source IP of the client with the schedule selected in the advanced options, followed by a block rule for the clients source IP.

Ensure System > Advanced > Miscellaneous > Do not kill connections when schedule expires is unchecked, which is by default.

FlashBurn · Aug 30, 2024, 1:52 PM

@viragomann
Thank you very much for your great Idea!

I will check this out.
At the moment the Client is not setting the IP from Client Specified Override and we don't know why.
After this weekend it will work, I am sure.

Greetings