Netgate Discussion Forum
    Restrict access for certain VPN users?

    15 Posts 3 Posters 3.3k Views
    • NogBadTheBadN
      NogBadTheBad
      last edited by NogBadTheBad

      Look at freeradius to hand out fixed ip addresses, you can then have firewall rules based on ip addresses.

      There is quite a bit more work to enable this.

      https://forum.netgate.com/topic/115795/guide-ikev2-ipsec-per-user-firewall-rule-settings-with-freeradius

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • L
        luas
        last edited by

        Okay, so with default IPSec, there's no chance to hand out fixed IP addresses and therefore no possibility to attach specific access rights?
        I'll probably stick to the simple enable-on-request solution then. Thanks!

        • K
          Konstanti @luas
          last edited by

          @luas
          There is such a possibility for Road Warriors.
          What authentication method is used?

          [attached screenshot: mobile client settings dialog]

          • L
            luas
            last edited by

            We authenticate via Active Directory. "Pre-Shared Keys" as in your screenshot is empty in our pfsense config.

            • K
              Konstanti @luas
              last edited by Konstanti

              @luas

              It doesn't matter.
              You can fill in this field with any characters, as long as the user ID matches.
              This creates a config for the user "engineer" and assigns the required IP address.

              • K
                Konstanti @luas
                last edited by

                @luas For example,
                I have authorization configured on certificates:
                [attached screenshot: pre-shared key / identifier entry]

                • L
                  luas
                  last edited by

                  @Konstanti Thanks!
                  I tried this, but with no luck.
                  I used "username" or "username@domain.local" as Identifier, entered a Pre-Shared Key and a specific IP address with mask /32.
                  But I still get an address from the default pool.

                  I also tried to configure a unique PSK for the engineer in the given dialog, but then the tunnel won't come up at all.

                  Any other idea?

                  • K
                    Konstanti @luas
                    last edited by Konstanti

                    @luas Hey,
                    show me how you filled in these fields:
                    [attached screenshot: pre-shared key entry fields]

                    And what is the ID of the engineer?

                    • L
                      luas
                      last edited by

                      [attached screenshot: luas's pre-shared key entry]

                      • K
                        Konstanti @luas
                        last edited by

                        @luas Hey,
                        if the problem is still relevant, I think I know how to solve it.

                        • L
                          luas @Konstanti
                          last edited by

                          @konstanti Yes, I'm still interested!

                          • K
                            Konstanti @luas
                            last edited by Konstanti

                            @luas
                            It's easy, but you need to work with your hands a little.

                            1. Create a file on the firewall, for example /usr/local/tmp/ip.sh,
                               make it executable (chmod +x ip.sh)
                               and write the following text into it:

                            [attached screenshot: contents of ip.sh]

                            Save.

                            2. /diagnostics/edit file/ etc/inc/vpn.inc
                               Find the following string:
                               if (isset($ph1ent['mobile'])) {
                               and add the following text after it:
                               $ipsecfin .="\tleftupdown=sh /usr/local/tmp/ip.sh\n";

                               [attached screenshot: edited vpn.inc]

                            Save.

                            3. vpn/ipsec/ mobile client /phase 1/ don't change anything. Click Save, exit.

                            4. /diagnostics/edit file /var/etc/ipsec.ipsec.conf
                               [attached screenshot: resulting ipsec.conf with the leftupdown line]

                            Make sure that everything is correct.

                            As a result, when the user "konstanti" connects, the script runs and gives him the right to connect only to host 192.168.15.6; all other traffic is blocked, no matter what virtual IP he gets.
                            Other users work without restrictions.

                            [attached screenshot: connected user]

                            [attached screenshot: resulting firewall behaviour]

                            In your case, we change the username to the engineer's ID and adjust the rules so that he has limited access.
                            This can be done for any user.
                            The only caveat we need to know:
                            with every system update, the file vpn.inc will be overwritten and the changes will need to be made again.

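An added example of what such a leftupdown hook can look like. This is not Konstanti's ip.sh, whose contents the thread shows only as a screenshot; it is written here to illustrate the technique. strongSwan passes the peer identity and assigned virtual address to the hook in PLUTO_PEER_ID and PLUTO_PEER_SOURCEIP, so the restriction is keyed on the user's identity and holds whatever address the pool hands out. Rules are loaded into a per-user pf sub-anchor and flushed when the tunnel drops. The anchor name ipsec_users, the enc0 interface, and having that anchor referenced from the main pf ruleset are assumptions; the user "konstanti" and host 192.168.15.6 are the values from the thread.

```shell
#!/bin/sh
# Added example, not the script from the thread's screenshot.
# strongSwan "leftupdown" hook: restrict one IKEv2 user to a single host via pf,
# keyed on the peer identity rather than the virtual IP.
#
# Assumptions (not from the thread): a pf anchor "ipsec_users" is referenced
# from the main ruleset (e.g. anchor "ipsec_users/*"), and IPsec traffic is
# seen on enc0. strongSwan exports PLUTO_VERB, PLUTO_PEER_ID and
# PLUTO_PEER_SOURCEIP to updown scripts.

ANCHOR="ipsec_users"
RESTRICTED_USER="${RESTRICTED_USER:-konstanti}"   # identity from the thread
ALLOWED_HOST="${ALLOWED_HOST:-192.168.15.6}"      # only reachable host, from the thread

# anchor_name <peer_id>: pf anchor names must be plain tokens, so map every
# character outside [A-Za-z0-9_] in the identity (e.g. '@' or '.') to '_'.
anchor_name() {
    printf '%s/%s\n' "$ANCHOR" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')"
}

# build_rules <peer_id> <virtual_ip>: print the pf rules for this client.
# Restricted identity: allow only the single host, block everything else from
# its virtual IP. Any other identity: print nothing, so no per-user restriction.
build_rules() {
    peer_id="$1"
    vip="$2"
    case "$peer_id" in
        "$RESTRICTED_USER"|"$RESTRICTED_USER"@*)
            printf 'pass in quick on enc0 from %s to %s\n' "$vip" "$ALLOWED_HOST"
            printf 'block in quick on enc0 from %s to any\n' "$vip"
            ;;
    esac
}

# apply_rules <peer_id> <virtual_ip>: load the rules into the user's sub-anchor.
apply_rules() {
    rules="$(build_rules "$1" "$2")"
    [ -n "$rules" ] || return 0
    printf '%s\n' "$rules" | pfctl -a "$(anchor_name "$1")" -f -
}

# flush_rules <peer_id>: remove the user's rules when the tunnel goes down.
flush_rules() {
    pfctl -a "$(anchor_name "$1")" -F rules
}

# Dispatch on the strongSwan verb. Nothing runs when PLUTO_VERB is unset
# (e.g. when the file is sourced), which keeps the functions testable offline.
case "${PLUTO_VERB:-}" in
    up-client)   apply_rules "${PLUTO_PEER_ID:?}" "${PLUTO_PEER_SOURCEIP:?}" ;;
    down-client) flush_rules "${PLUTO_PEER_ID:?}" ;;
esac
```

The same caveat Konstanti gives for vpn.inc applies here: the leftupdown line lives in generated config, so after each system update check that the line is still present and that the script path still exists.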
                            • NogBadTheBadN
                              NogBadTheBad
                              last edited by

                              Or you could just use FreeRadius like I suggested and not have to mess about with text files.

                              Andy

                              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
