OpenVPN server for dial-in clients…
-
Hi,
New to this forum, and new to pfSense (been running it for testing for a couple of months)…
I'm looking into the possibility of using the pfSense as a core firewall and by that follows a role as VPN endpoint for users out of the office. The pfSense will be used in a CARP array to ensure high availability.
My question goes like this:
Is it possible to have several rules for different users (when the user's public IP is dynamic and could change between connections as they are roaming) and so being able to assign them access to different VLANs? Example, User A needs access to VLAN10, while user B needs access to VLAN11 and they must not be able to access each other's.
How would I go about this?
Regards,
Anders -
In OpenVPN you can add a client-specific override so that a user always gets the same IP address. Then you can filter on the OpenVPN tab such that a particular user's IP can only get to certain places. It's been discussed many times around the forum.
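As an added illustration of the override approach (example code, not from the thread or from pfSense itself): each certificate common name is pinned to a fixed tunnel address via a client-config-dir entry, and the OpenVPN-interface rules then pass only that address to its VLAN, with a final block so users cannot reach each other's VLAN. The tunnel 10.8.0.0/24, the VLAN subnets and the user names are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the thread): tunnel is 10.8.0.0/24 with
# topology subnet; VLAN10 is 192.168.10.0/24 and VLAN11 is 192.168.11.0/24.
TUNNEL = ipaddress.ip_network("10.8.0.0/24")
VLANS = {"VLAN10": ipaddress.ip_network("192.168.10.0/24"),
         "VLAN11": ipaddress.ip_network("192.168.11.0/24")}
# Certificate common name -> (fixed tunnel IP, the one VLAN it may reach)
USERS = {"userA": ("10.8.0.10", "VLAN10"),
         "userB": ("10.8.0.11", "VLAN11")}

def ccd_entry(cn):
    """Body of the client-config-dir file pinning this CN to its tunnel IP."""
    ip, _ = USERS[cn]
    return f"ifconfig-push {ip} {TUNNEL.netmask}\n"

def build_rules():
    """Ordered first-match rules for the OpenVPN interface: one pass per user
    to its VLAN, then an explicit block so nothing else in the tunnel range
    reaches any destination (pfSense denies by default, but being explicit
    keeps the intent visible in the rule list)."""
    rules = []
    for cn, (ip, vlan) in USERS.items():
        rules.append(("pass", ipaddress.ip_network(ip), VLANS[vlan], cn))
    rules.append(("block", TUNNEL, ipaddress.ip_network("0.0.0.0/0"), "default deny"))
    return rules

def evaluate(rules, src, dst):
    """Return the action of the first rule matching a src -> dst packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, _ in rules:
        if s in src_net and d in dst_net:
            return action
    return "block"

def check_isolation():
    """Verify each user reaches only its own VLAN; return offending triples."""
    rules = build_rules()
    bad = []
    for cn, (ip, vlan) in USERS.items():
        for name, net in VLANS.items():
            got = evaluate(rules, ip, str(net[1]))
            if (got == "pass") != (name == vlan):
                bad.append((cn, name, got))
    return bad

if __name__ == "__main__":
    for cn in USERS:
        print(f"ccd/{cn}:\n{ccd_entry(cn)}")
    print("isolation violations:", check_isolation())
```

The check only holds while every user actually lands on its pinned address, which is why the override (rather than the dynamic pool) is the prerequisite for per-user rules.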
-
Hi,
Thanks for the suggestion.
I see I wasn't too clear in my original post :)
Having a multitude of users connecting from the field, so was hoping that somehow they could be attached to different rulesets… Having looked through the documentation, it would seem that using different OpenVPN ports could be used for differentiating one group of users from the other. When they are in different rulesets, they also use different IP subnets on the remote clients as far as I see, so the firewall could then be used for setting the ACLs.
Having a feature like Cisco Anyconnect or Microsoft UAG in regards to connecting remote users would be nice though. Just setting up one ruleset, and then granting users access to different parts of the network. I'll consider posting a bounty on such a feature :)
Regards,
Anders -
It sounds like what jimp was suggesting is what you're after. You can group your clients into ranges that make it easy for you to firewall.
-
No, his later method is probably best - though when making the separate server setups, make sure they each use a unique CA, otherwise the clients could connect to either server and jump into another subnet.
(Though I suppose having a unique TLS key alone would be enough, it never hurts to err on the side of caution)