Netgate Discussion Forum
    Limiting scope of openVPN access

• jimp (Rebel Alliance Developer, Netgate)

      You can limit that with firewall rules on the OpenVPN tab in 2.0

      To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

• Nachtfalke

        @jimp:

        You can limit that with firewall rules on the OpenVPN tab in 2.0

        To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)

How could I assign a client a static IP?

The OpenVPN server tunnel network is 10.0.0.0/24.
Do I have to enter this network in the client-specific override too, or is THIS the point where I have to enter 10.0.0.4/30, which means:
network: 10.0.0.4
server: 10.0.0.5
client: 10.0.0.6
BC: 10.0.0.7

PS: If I push any routes on the OpenVPN server but not in the client-specific override, will the client get these routes or not? What about other options like domain and NTP? Do I have to configure these twice?

        Thanks for your feedback

• jimp (Rebel Alliance Developer, Netgate)

          You are safest just to refer to the whole /30 in firewall rules. When you set the IP for the client, you need to use, for example: 10.0.0.4/30 like you had.

          The addressing in OpenVPN is covered a bit here:
          http://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses%3F

          The client will get all settings from the server as usual, just on their static IP. If you want to stop the user from getting the pushed routes and settings, you can check "Prevent this client from receiving any server-defined client settings." on the override.

• arstacey

Thanks jimp. Do you see any limits on how many people I can set up this way? Down the road, we may have as many as 500 users who are on the road, and I want to give each user a VPN that only accesses their own virtual desktop.

• jimp (Rebel Alliance Developer, Netgate)

Just use a large enough subnet to accommodate your users * 4. So in your case, ~512*4=2048 IPs, so a /21's or a /20's worth of IPs in any of the private blocks would work.

• Nachtfalke

                Hi,

I noticed some problems with "Client Specific Overrides".

I am using an OpenVPN server with tunnel network 10.0.1.0/24.

I tried a client-specific override with a tunnel network of 10.0.2.120/30.

The client could connect to the server but got no access. That's OK, because of the wrong subnet.
OK, I then deleted the complete client-specific override for this client/CN and restarted the OpenVPN server, but the client still got an IP from the 10.0.2.120/30 subnet.

I created a client-specific override for this client/CN again and didn't choose any tunnel network (so it used the server's default), and then it connected fine and got an IP from the 10.0.1.0/24 subnet.

Did I do something wrong?!

• jimp (Rebel Alliance Developer, Netgate)

                  Yes, the static IPs for overrides must be within the tunnel network.

• Nachtfalke

                    @jimp:

                    Yes, the static IPs for overrides must be within the tunnel network.

Yes, I wrote that in my previous post, I think.

What I want to say is:

If I create an override for a client, the override is working.
If I delete the override completely, then the override still exists.

• jimp (Rebel Alliance Developer, Netgate)

                      You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

• Nachtfalke

                        @jimp:

                        You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

Thanks. Good to know, but I restarted the OpenVPN server after every change I made.

--- EDIT ---

                        I tested it again:

Restarting OpenVPN server
OpenVPN server tunnel network is: 10.0.1.0/24
Client-specific override tunnel network: 10.0.1.180/30
Restarting OpenVPN server
Connecting client
This is working. The client's IP after connecting to the server is: 10.0.1.181/30
Disconnecting client
Deleting client-specific override
Restarting server
Connecting client
This is NOT working as expected. The client's IP is still 10.0.1.181/30

                        I attached some screenshots.

[Attachments: OpenVPN-Server.JPG, Override.JPG, OVPN-IP.JPG]

• jimp (Rebel Alliance Developer, Netgate)

Does the file for that CN still exist in /var/etc/openvpn-csc?

• Nachtfalke

Yes, it does exist:

                            ifconfig-push 10.0.1.181 10.0.1.182
                            
• jimp (Rebel Alliance Developer, Netgate)
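As an added example (not code from the thread or from pfSense), here is a small Python helper that ties together the points above: it validates a client-specific override /30 against the tunnel network (the rule jimp states), derives the four net30 addresses and the firewall-rule source, produces the same `ifconfig-push` line pfSense wrote into /var/etc/openvpn-csc, sizes a tunnel network with jimp's "users * 4" rule, and flags override files left on disk for CNs that are no longer configured. The directory listing and CN list are assumed inputs; the client/endpoint order follows the override file shown in the thread.

```python
import ipaddress
import math


def override_problems(client_cidr, tunnel_cidr):
    """Return a list of reasons a client-specific override /30 is unusable
    (an empty list means it is fine). Mirrors the rule that override
    addresses must lie inside the server's tunnel network."""
    problems = []
    iface = ipaddress.ip_interface(client_cidr)      # e.g. 10.0.1.180/30
    block = iface.network
    tunnel = ipaddress.ip_network(tunnel_cidr)       # e.g. 10.0.1.0/24
    if block.prefixlen != 30:
        problems.append(f"{client_cidr} is not a /30")
    if iface.ip != block.network_address:
        problems.append(f"{iface.ip} is not the network address of {block}")
    if not block.subnet_of(tunnel):
        problems.append(f"{block} lies outside tunnel network {tunnel}")
    return problems


def net30_addresses(client_cidr):
    """Split one /30 the way OpenVPN's default net30 topology uses it.
    Client/endpoint order is the one pfSense wrote in the thread's
    ifconfig-push line (client first, server-side endpoint second)."""
    block = ipaddress.ip_interface(client_cidr).network
    if block.prefixlen != 30:
        raise ValueError(f"{client_cidr} must be a /30")
    client, endpoint = list(block.hosts())
    return {"network": str(block.network_address), "client": str(client),
            "server_endpoint": str(endpoint),
            "broadcast": str(block.broadcast_address),
            "firewall_source": str(block)}   # use the whole /30 in rules


def ifconfig_push_line(client_cidr):
    """The line pfSense writes into /var/etc/openvpn-csc/<CN>."""
    a = net30_addresses(client_cidr)
    return f"ifconfig-push {a['client']} {a['server_endpoint']}"


def tunnel_prefix_for(users):
    """Smallest prefix length covering users * 4 addresses (one /30 each)."""
    return 32 - math.ceil(math.log2(users * 4))


def stale_csc_entries(configured_cns, files_in_csc_dir):
    """Override files still on disk whose CN has no configured override;
    these keep assigning old IPs until removed and OpenVPN is restarted."""
    return sorted(set(files_in_csc_dir) - set(configured_cns))
```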

I just pushed a fix; it should be in new snapshots soon.

• Nachtfalke

                                Hi,
it is working for me now as expected.
                                I am using 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011

                                Thanks jimp!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.