Openvpn and firewall for user
-
Hello everybody,
I am new and would like to understand how the firewall works in OpenVPN. I configured OpenVPN, created the users, and everything works fine.
I would like to know if it is possible to allow a user to access only and exclusively some servers and not all of them.
My pfSense firewall protects twenty servers; users who connect via VPN need to reach only three of these servers. Is it possible to set this up? Thanks
-
Yes edit your vpn rules to only allow access to the IPs you want.
-
Thanks for your reply, but I do not see the source.
In the source I do not see the VPN user.
Thanks
-
Look on your vpn interface!!
-
The source is not the VPN user?
-
Source would be ANY!!! Allow access to what you want in dest.. Why would you think there should be a VPN user as source? Anything connected to your VPN would be VPN users ;)
-
Thanks for your reply.
I have five VPN users:
- user01 can connect to all servers
- user02 can only connect to the web server for maintenance
- user03 can only connect to the mail server and the management server
- user04 can connect to the management system and to the mail server
How can I do this?
-
Create client overrides for those clients so they get specific IP, then put that in the firewall rules..
-
@johnpoz said in Openvpn and firewall for user:
Create client overrides for those clients so they get specific IP, then put that in the firewall rules..
Create client overrides for those clients so they get specific IP, then put that in the firewall rules..????
Please help me.
Thanks
-
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-single-multi-purpose-openvpn-instance.html#openvpn-client-specific-overrides
Curious question for you... So these users, when they are in the office, can they only talk to servers X or Y... Or do they have access to all.. Or are these users never in the office.. I am curious because if you don't limit them while in the office, why would you limit them while remote..
-
I thank you for your kind reply.
I'll explain: ten servers behind pfSense, on which there is different software from different vendors.
My purpose is to allow engine 01 to access only its server, while engine 02 can only access its server for assistance and maintenance.
Then there are admin users who can log in to all the servers in the farm.
OK? I am pleased to tell you that I have not understood how to create client overrides for those clients.
Thanks
-
An override for a specific VPN user... Here my work laptop always gets this IP, for example..
-
Hi, thanks, it works.
I have only one problem: if in the OpenVPN firewall rules I want to target two or more IPs, it is not possible; I should make two different rules. Quite right?
Thanks
-
Huh? Yes, you would need to assign IPs to your different VPN clients. You can either do multiple rules or use an alias to have multiple IPs in your rules..
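As an added worked example (not from this thread or from the Netgate docs), here is what the advice above amounts to in the OpenVPN and pf configuration that pfSense generates from its GUI: a client-specific override that pins each user to a fixed tunnel address, and OpenVPN-interface rules that use aliases (pf tables) so one rule can cover several servers. The interface name ovpns1, the tunnel network 10.8.0.0/24, the per-user tunnel IPs and the server addresses are all assumed for the example.

```conf
# --- OpenVPN server config (excerpt): fixed tunnel address per client ---
# "topology subnet" and "client-config-dir" are what pfSense emits once you
# add Client Specific Overrides; the directory name "ccd" is assumed here.
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd

# --- ccd/<common name>: one file per override, named after the cert CN ---
# ccd/user01
ifconfig-push 10.8.0.11 255.255.255.0
# ccd/user02
ifconfig-push 10.8.0.12 255.255.255.0
# ccd/user03
ifconfig-push 10.8.0.13 255.255.255.0
# ccd/user04
ifconfig-push 10.8.0.14 255.255.255.0

# --- pf rules on the OpenVPN interface (what Firewall > Rules > OpenVPN builds) ---
# Aliases become pf tables, so a single rule can reach several destinations.
# All server and tunnel addresses below are constructed for this example.
table <srv_web>       { 192.168.10.10 }
table <srv_mail_mgmt> { 192.168.10.20, 192.168.10.30 }
table <srv_all>       { 192.168.10.0/24 }

# user01: admin, reaches every server
pass in quick on ovpns1 from 10.8.0.11 to <srv_all>
# user02: web server only, and only the ports maintenance needs
pass in quick on ovpns1 proto tcp from 10.8.0.12 to <srv_web> port { 22, 443 }
# user03 and user04: mail server and management server, one rule via the alias
pass in quick on ovpns1 from { 10.8.0.13, 10.8.0.14 } to <srv_mail_mgmt>
# anything else arriving from the tunnel is dropped (pfSense's implicit default
# deny does the same; the explicit rule just makes the hits visible in the log)
block in log quick on ovpns1
```

The rules are only as strong as the override's binding of address to certificate CN, so each user needs their own certificate (or a unique username when username-as-common-name is in use); with shared certificates or the duplicate-cn option, two clients could receive the same address and the per-user restriction no longer holds.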