Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Restricting specific users to specific OpenVPN instances

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 3 Posters 479 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sparkman123
      last edited by

      I'm having an issue restricting user access to specific instances of OpenVPN.

      In my current setup, I have two instances of OpenVPN running- privileged and unprivileged. I would like to restrict privileged to one instance and unprivileged to another; that is priveleged cannot login as unprivileged and vice versa. Right now though, both users can login to both servers, which is a problem.

      I have tried to implement this partitioning by configuring each OpenVPN server with separate Peer Certificate Authorities and separate Server Certificates. I would have thought this might work, since I have entirely different CAs specified for privileged and unprivileged, but so far, to no avail.

      Any thoughts?

      Also, as an aside, what is the best practices recommendation for muliuser OpenVPN? Should I have multiple instances with different permissions, or one instance with Client Specific Overrides?

      Thank you

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        @sparkman123 said in Restricting specific users to specific OpenVPN instances:

        I have tried to implement this partitioning by configuring each OpenVPN server with separate Peer Certificate Authorities and separate Server Certificates. I would have thought this might work, since I have entirely different CAs specified for privileged and unprivileged, but so far, to no avail

        It should work fine this way. I'm running five OpenVPN server wtih five different CAs on one pfSense box and users are able to connect to only one server.
        Create a CA for each server, create the server cert and assign it to the specific server. Create the users certs for the users who should be able to connect that server from the CA which is defined in the servers settings. So only users with a cert from that CA are able to connect.

        @sparkman123 said in Restricting specific users to specific OpenVPN instances:

        Should I have multiple instances with different permissions, or one instance with Client Specific Overrides?

        Both ways a doable and should work for you.

        1 Reply Last reply Reply Quote 0
        • S
          skwaler
          last edited by

          you could use a remote directory, apply different groups to each server

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.