Netgate Discussion Forum

    Openvpn and firewall for user

    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by

      Yes edit your vpn rules to only allow access to the IPs you want.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • P
        pino121
        last edited by

        Thanks for your reply, but I do not see the source.
        In the source I do not see the uservpn
        thanks

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          Look on your vpn interface!!

          vpninterface.jpg

          • P
            pino121
            last edited by

            the source not the uservpn?
            source.jpg

            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              Source would be ANY!!! Allow access to what you want in dest.. why would you think there should be a user vpn as source? Anything connecting to your vpn would be vpn users ;)

              • P
                pino121
                last edited by

                Thanks for your reply

                I have five vpn users

                1. user01 can connect to all servers
                2. user02 can only be connected to the webserver for maintenance
                3. user03 can only connect to the mail server and the management server
                4. user04 can be connected to the management system and to the mail server

                How can I do this?

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  Create client overrides for those clients so they get specific IP, then put that in the firewall rules..

                  • P
                    pino121
                    last edited by

                    @johnpoz said in Openvpn and firewall for user:

                    Create client overrides for those clients so they get specific IP, then put that in the firewall rules..

                    Create client overrides for those clients so they get specific IP, then put that in the firewall rules..????
                    please help me
                    thanks

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-single-multi-purpose-openvpn-instance.html#openvpn-client-specific-overrides

                      Curious question for you... So these users, when they are in the office can they only talk to servers X or Y... Or do they have access to all.. Or are these users never in the office.. I am curious because if you do not limit them while in the office, why would you limit them while remote..

                      • P
                        pino121
                        last edited by

                        I thank you for your kind reply,
                        I'll explain, ten server pfsense on which there are different software from different vendors.
                        my purpose is to allow the engine 01 to access only its server, while the engine 02 can only access its server for assistance and maintenance.
                        Then there are admin users who can log in to all the servers in the farm
                        ok?

                        I am pleased to tell you that I have not understood how to create client overrides for those clients
                        thanks

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          An override for specific vpn user... Here my worklaptop always gets this IP for example..

                          override.jpg

                          • P
                            pino121
                            last edited by

                            Hi, thanks it works.
                            I have only one problem: if, in the openvpn firewall rules, I want to target two or more IPs, it is not possible; I should make two different rules.

                            Quite right?

                            thanks

                            Firewall01.jpg

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              Huh? Yes you would need to assign IPs to your different vpn clients. You can either do multiple rules or use an alias to have multiple IPs in your rules..

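The approach the thread arrives at (a fixed tunnel IP per client via an override, then pass rules keyed on that source IP, with aliases for multiple destinations) can be modelled and checked before it is clicked into the GUI. This is an added example, not part of the original posts and not pfSense code; the tunnel network, override addresses, server addresses and alias names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
TUNNEL = ipaddress.ip_network("10.8.0.0/24")
OVERRIDES = {            # client-specific override: certificate CN -> fixed tunnel IP
    "user01": "10.8.0.11", "user02": "10.8.0.12",
    "user03": "10.8.0.13", "user04": "10.8.0.14",
}
ALIASES = {              # one alias groups several destinations for a single rule
    "WEB": ["192.168.10.80"],
    "MAIL_MGMT": ["192.168.10.25", "192.168.10.5"],
    "ALL_SERVERS": ["192.168.10.0/24"],
}
RULES = [                # pass rules on the OpenVPN tab: (source IP, destination alias)
    ("10.8.0.11", "ALL_SERVERS"),
    ("10.8.0.12", "WEB"),
    ("10.8.0.13", "MAIL_MGMT"),
    ("10.8.0.14", "MAIL_MGMT"),
]

def check_overrides(overrides, tunnel):
    """Return problems that would make source-IP based rules unreliable."""
    problems, seen = [], {}
    for cn, ip in overrides.items():
        if ipaddress.ip_address(ip) not in tunnel:
            problems.append(f"{cn}: {ip} is outside {tunnel}")
        if ip in seen:
            problems.append(f"{cn}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, cn)
    return problems

def allowed(src, dst, rules=RULES, aliases=ALIASES):
    """A packet passes only if some pass rule matches; otherwise default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, alias in rules:
        if s == ipaddress.ip_address(rule_src) and any(
                d in ipaddress.ip_network(n) for n in aliases[alias]):
            return True
    return False

if __name__ == "__main__":
    print(check_overrides(OVERRIDES, TUNNEL))        # problems found, if any
    print(allowed("10.8.0.12", "192.168.10.80"))     # user02 -> web server
    print(allowed("10.8.0.12", "192.168.10.25"))     # user02 -> mail server
```

A client that connects without an override receives a pool address, matches no rule and is dropped, so the per-user restriction only holds once the earlier source-any pass rule has been removed from the OpenVPN tab.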
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.