Netgate Discussion Forum
    how do you use OpenVPN for Users But Filter by Group To Go to Specific Ips, Network

    General pfSense Questions

    comet424

      Hoping this works and isn't spam.

      So I'm not sure if pfSense can do it or if I need a different program and just have pfSense pass the port.
      So I want
      myaddress.whatever as the host and use 1194 as the OpenVPN port.

      And I made groups but haven't figured out much past creating the group:
      GAMING (limited to a few IPs on the LAN network), like 192.168.0.10-20
      TV (limited to 1 IP address on the LAN network), like 192.168.0.5
      ENTIRE LAN NETWORK (limited to the entire LAN network), like 192.168.0.1-254

      So I know I can make 1 user that has the admin group and it allows me the entire network and VLANs.

      But say if I want
      user1, user2, user3 only to be linked to group GAMING, so it's limited to a few IPs it can access;
      user4, 5, 6 only to access the TV group, so limited to 1 IP, a media server;
      user 7, 8, 9 to access the entire network but just the LAN;
      and
      user 10 to be linked to Gaming, TV and Entire LAN so it can access all 3 groups... I can make group names and link them to user1 etc., but I can't seem to figure out how to make firewall rules per group or how to link aliases to a group.

      So alias Gaming would be 192.168.0.10-20 but have user1 linked to the Gaming alias... if this sounds confusing, sorry ahead of time, dyslexia. But I try to explain it as simply as I can.

      If I explained things too complicated, I'll try to re-explain it better.
      I tried googling for help but I got things like the traffic shaper and limiting bandwidth per IP, but not specifically what I want. Or
      do I have to create multiple OpenVPN servers, one for Gaming, TV and Entire Group, and change the port number for each, and you've got to do 3 networks to point to the aliases? I'm not sure and wasn't 100% sure how to google what I am looking for, even if there is a special name for what I want.

      stephenw10 (Netgate Administrator)

        There are several ways you could do this.

        You could add fixed IPs for each client then add firewall rules to filter those source IPs directly.

        You could authenticate against Radius and pass rules per client when they connect:
        https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/client-parameters-radius.html

        But I would probably create multiple servers. It's the easiest to understand logically. You can set rules on each server instance to pass only the traffic you need and also pass only the routes required to each client. You don't need to set up each client individually or manage lists of client IPs in the rules.

        jimp (Rebel Alliance Developer, Netgate)

          The only way to do that securely is multiple servers, one per "group" based on what they should be able to access. Ideally each with a separate CA and unique TLS key.

          Static addresses can work but you also can't necessarily guarantee OpenVPN wouldn't assign an IP address to a client randomly that you have set static -- it doesn't do reservations like that.

          Per-user rules from RADIUS could work, but it's a lot more complicated to set up and maintain, and harder to troubleshoot.

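The following is an added example, not code from this thread and not pfSense's own code. It models the "one OpenVPN server per group" design that both stephenw10 and jimp recommend: each group gets its own server instance on its own tunnel network, and the firewall rules on that instance pass traffic only to the group's LAN alias. The tunnel networks (10.8.1.0/24 and so on) and the LAN aliases are constructed sample values; pfSense-style alias entries are expanded (including the "192.168.0.10-20" range shorthand used in the question) and rules are evaluated first-match with an implicit default deny, which is how the interface tabs behave.

```python
"""Model of per-group OpenVPN server instances with per-instance firewall rules.

Added example (not from the thread or from pfSense). Aliases use pfSense-like
syntax: a CIDR, a single host, or a 'start-end' range. Tunnel networks and
alias contents below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


def expand_alias(entries):
    """Expand alias entries into a list of ip_network objects.

    'a.b.c.d-e' is read as a.b.c.d to a.b.c.e (the shorthand from the question);
    'a.b.c.d-w.x.y.z' is a full range; anything else is a host or CIDR.
    """
    nets = []
    for entry in entries:
        if "-" in entry:
            start, end = entry.split("-", 1)
            if "." not in end:  # shorthand last octet, e.g. 192.168.0.10-20
                end = start.rsplit(".", 1)[0] + "." + end
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


@dataclass
class Rule:
    action: str      # "pass" or "block"
    src: tuple       # networks the source must fall in
    dst: tuple       # networks the destination must fall in


def _matches(rule, src_ip, dst_ip):
    return any(src_ip in n for n in rule.src) and any(dst_ip in n for n in rule.dst)


def evaluate(rules, src, dst):
    """First-match evaluation; no match means the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src_ip, dst_ip):
            return rule.action
    return "block"


# Constructed sample layout: one OpenVPN server instance per group, each on its
# own tunnel network, each allowed to reach only its own LAN alias.
GROUPS = {
    "GAMING":     {"tunnel": "10.8.1.0/24", "alias": ["192.168.0.10-20"]},
    "TV":         {"tunnel": "10.8.2.0/24", "alias": ["192.168.0.5"]},
    "ENTIRE_LAN": {"tunnel": "10.8.3.0/24", "alias": ["192.168.0.0/24"]},
}


def per_server_rules(group):
    """The rule set for one server instance's interface tab: pass to alias only.

    Because the source is the whole tunnel network of that instance, group
    membership comes from which server the client authenticated to, not from
    which tunnel IP it happened to be handed.
    """
    g = GROUPS[group]
    tunnel = (ipaddress.ip_network(g["tunnel"]),)
    return [Rule("pass", tunnel, tuple(expand_alias(g["alias"])))]


def check(group, client_tunnel_ip, lan_target):
    """Convenience wrapper: what does the group's instance do with this flow?"""
    return evaluate(per_server_rules(group), client_tunnel_ip, lan_target)


if __name__ == "__main__":
    # A GAMING client reaching a gaming host, a TV host, and an out-of-range host
    for target in ("192.168.0.15", "192.168.0.5", "192.168.0.21"):
        print("GAMING client 10.8.1.6 ->", target, check("GAMING", "10.8.1.6", target))
    print("ENTIRE_LAN client 10.8.3.9 -> 192.168.0.5",
          check("ENTIRE_LAN", "10.8.3.9", "192.168.0.5"))
```

The point the model makes concrete is the one jimp raises about static addresses: a rule keyed on a tunnel IP matches whichever client currently holds that IP, whereas a rule keyed on a whole per-group tunnel network only ever matches clients that authenticated to that group's server instance, so there is no reservation to get wrong.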
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.