Netgate Discussion Forum

    OpenVPN server for dial-in clients…
    Sup3rior:

      Hi,

      New to this forum, and new to pfSense (been running it for testing for a couple of months)…

      I'm looking into the possibility of using the pfSense as a core firewall and by that follows a role as VPN endpoint for users out of the office. The pfSense will be used in a CARP array to ensure high availability.

      My question goes like this:

      Is it possible to have several rules for different users (when the user's public IP is dynamic and could change between connections as they are roaming) and so being able to assign them access to different VLANs? Example, User A needs access to VLAN10, while user B needs access to VLAN11 and they must not be able to access each other's.

      How would I go about this?

      Regards,
      Anders

      jimp (Rebel Alliance Developer, Netgate):

        In OpenVPN you can add a client-specific override so that a user always gets the same IP address. Then you can filter on the OpenVPN tab such that a particular user's IP can only get to certain places. It's been discussed many times around the forum.

        Sup3rior:

          Hi,

          Thanks for the suggestion.

          I see I wasn't too clear in my original post :)

          Having a multitude of users connecting from the field, so was hoping that somehow they could be attached to different rulesets… Having looked through the documentation, it would seem that using different OpenVPN ports could be used for differentiating one group of users from the other. When they are in different rulesets, they also use different IP subnets on the remote clients as far as I see, so the firewall could then be used for setting the ACLs.

          Having a feature like Cisco Anyconnect or Microsoft UAG in regards to connecting remote users would be nice though. Just setting up one ruleset, and then granting users access to different parts of the network. I'll consider posting a bounty on such a feature :)

          Regards,
          Anders

          Cry Havok:

            It sounds like what jimp was suggesting is what you're after. You can group your clients into ranges that make it easy for you to firewall.

            jimp (Rebel Alliance Developer, Netgate):

              No, his later method is probably best - though when making the separate server setups, make sure they each use a unique CA, otherwise the clients could connect to either server and jump into another subnet.

              (Though I suppose having a unique TLS key alone would be enough, it never hurts to err on the side of caution)

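The separate-server approach the thread settles on, with jimp's unique-CA caveat applied, written out as raw OpenVPN and pf syntax rather than the pfSense GUI; this is an added example, not configuration from the thread or from pfSense. Assumed values: two server configs shown back to back on interfaces ovpns1 and ovpns2, tunnel networks 10.8.10.0/24 and 10.8.11.0/24, VLAN10 as 192.168.10.0/24, VLAN11 as 192.168.11.0/24, and PKI files under /etc/openvpn/.

```conf
# --- Server A: UDP 1194, VLAN10 users, its own PKI (assumed paths/subnets) ---
port 1194
proto udp
dev ovpns1
dev-type tun
server 10.8.10.0 255.255.255.0
topology subnet
ca   /etc/openvpn/pki-vlan10/ca.crt       # CA that signs ONLY VLAN10 user certs
cert /etc/openvpn/pki-vlan10/server.crt
key  /etc/openvpn/pki-vlan10/server.key
dh   /etc/openvpn/pki-vlan10/dh.pem
tls-crypt /etc/openvpn/pki-vlan10/tc.key  # per-server key: handshakes from the other group are dropped early
push "route 192.168.10.0 255.255.255.0"

# --- Server B: UDP 1195, VLAN11 users, a separate PKI ---
port 1195
proto udp
dev ovpns2
dev-type tun
server 10.8.11.0 255.255.255.0
topology subnet
ca   /etc/openvpn/pki-vlan11/ca.crt       # different CA: a VLAN10 client cert does not verify here
cert /etc/openvpn/pki-vlan11/server.crt
key  /etc/openvpn/pki-vlan11/server.key
dh   /etc/openvpn/pki-vlan11/dh.pem
tls-crypt /etc/openvpn/pki-vlan11/tc.key
push "route 192.168.11.0 255.255.255.0"

# --- pf rules for the OpenVPN tab (first match wins) ---
# Each tunnel subnet reaches only its own VLAN.
pass in quick on ovpns1 from 10.8.10.0/24 to 192.168.10.0/24
pass in quick on ovpns2 from 10.8.11.0/24 to 192.168.11.0/24
# Tunnel clients may not reach the other VLAN, the other tunnel, or anything else;
# the default deny would already do this, but an explicit logged block makes misuse visible.
block in log quick on { ovpns1 ovpns2 } from 10.8.0.0/16 to any
```

If the two servers shared one CA, a VLAN10 user's certificate would also validate against server B; the pf rules would still apply, but the client would then hold an address in the VLAN11 tunnel subnet and inherit its permissions, which is exactly what the distinct CA (and distinct tls-crypt key) prevents.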
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.