Netgate Discussion Forum

    how do you setup users with restricted access

General pfSense Questions
    35 Posts 4 Posters 5.6k Views
comet424 (last edited by comet424)

here are the rules I set
landon.PNG

update..
here I added blocks for the 10.x and 20.x as I haven't set them up yet, don't have guests or cameras yet.. just for the future, over winter
landon.PNG

akuma1x @comet424

@comet424 The firewall rules in pfSense work from the top to the bottom on an interface: the first rule to match wins, and no other rules are evaluated.

To set up your block rule for 10.x.20.x, you would simply create a new rule with that as the destination, and either an alias with your source IP addresses, or a specific IP address on that same subnet, or some other network on your pfSense box.

The rule @Gertjan used above blocks all other devices except the 0.10 - 0.15 hosts. Then, after you create this rule, drag it to an appropriate spot in your firewall list and do some testing.

Jeff

Gertjan (last edited by Gertjan)

I initially thought I understood your question:

You want your son, when he is connecting from 'somewhere', using the pfSense OpenVPN, to have access to some devices on the LAN - and not to others.
Right?

He'll be using the pfSense OpenVPN server, so the rules I showed should be placed on the OpenVPN interface firewall rule tab.
Because OpenVPN server traffic comes in by this interface.
Not the LAN interface: he isn't connected to the LAN interface.

You put all the IP addresses he is allowed to connect to into an alias.
Use this alias in a Pass rule.
Then create a second, block rule that forbids all access to the network (the IP addresses used in the alias are part of this network).
Put in place a third, pass-all rule if you want to allow him to visit the Internet through the OpenVPN remote access.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs ??
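
The rule layout Jeff and Gertjan describe above (rules read top to bottom, first match wins; pass to an alias of allowed hosts, then block the rest of the LAN, then pass everything else) can be sanity-checked before anything is dragged around in the GUI. The Python below is an added example, not code from this thread or from pfSense: it simulates the evaluation order of the OpenVPN tab with constructed addresses (LAN 192.168.0.0/24, allowed hosts .10 to .15, as the thread mentions) and also shows what the same three rules do when the pass and block rules are swapped.

```python
"""Added example (not from the thread or pfSense): simulate pfSense's
top-to-bottom, first-match rule evaluation for the OpenVPN tab rule set
Gertjan describes. All addresses are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: LAN 192.168.0.0/24, allowed hosts .10 - .15 (the alias).
LAN_NET = ip_network("192.168.0.0/24")
LANDONS_VMS = frozenset(ip_address(f"192.168.0.{h}") for h in range(10, 16))
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block", as in the pfSense rule editor
    dst: object       # frozenset of addresses (an alias) or an ip_network
    description: str


def evaluate(rules, destination):
    """Return (action, description) of the first rule whose destination
    matches. pfSense applies an implicit default deny when nothing matches."""
    dst = ip_address(destination)
    for rule in rules:
        if dst in rule.dst:       # membership works for both a frozenset and a network
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"


# Gertjan's three rules for the OpenVPN tab, in the order he gives them.
OPENVPN_TAB_RULES = [
    Rule("pass", LANDONS_VMS, "pass: LandonsVMS alias"),
    Rule("block", LAN_NET, "block: rest of the LAN"),
    Rule("pass", ANY, "pass: everything else (Internet)"),
]

# Same rules with the first two swapped: the block now shadows the pass.
MISORDERED_RULES = [OPENVPN_TAB_RULES[1], OPENVPN_TAB_RULES[0], OPENVPN_TAB_RULES[2]]


def report(rules, destinations):
    """Evaluate every destination and return {destination: action}, a quick
    what-if for a rule set before it goes into the firewall."""
    return {d: evaluate(rules, d)[0] for d in destinations}


if __name__ == "__main__":
    samples = ["192.168.0.12", "192.168.0.50", "8.8.8.8"]
    for name, rules in (("correct order", OPENVPN_TAB_RULES), ("misordered", MISORDERED_RULES)):
        print(name)
        for d in samples:
            print(f"  {d:15} -> {evaluate(rules, d)}")
```

With the rules in Gertjan's order a VPN client reaches 192.168.0.12 (in the alias) and 8.8.8.8 (Internet) but not 192.168.0.50; with the block rule moved above the pass rule the alias host is blocked too, which is the "first rule to match wins" point Jeff makes.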

comet424

@akuma1x
ok is this correct then?
landon.PNG
these are my LAN rules, I think I have it set properly then

lan.PNG

comet424

@Gertjan ok I'll have to re-read

what I did was set up 2 OpenVPNs

I already have 1 for myself to give full access
and the 2nd one I made for him, and that's LandonsVMS that's linked to the 2nd OpenVPN. That's what I thought you had set up in your example.. so I made 2 OpenVPN servers

as there was no option in pfSense to allow a user to use the OpenVPN and, under restrictions of the user, to access certain IPs

comet424 (last edited by comet424)

ok I renamed my interface so it doesn't confuse
land2.PNG

what I really wanted was
1 OpenVPN server running
user (me) has full admin access when logging in
user (landon) has only access to the VMS (for now)

but under users you can create Groups, but I tried asking and I tried looking through the settings

to say User Group (LandonsVMS) has access to this range
but when you look under the access they can have, it's just the pfSense pages access control.. not like restricted access

so now I made 2 OpenVPNs, 1 for me to log in with full access and the other for his access
if I knew how to make 1 server and then 2 user accounts, 1 that has full access and the 2nd that has just access to the VM IPs

and sorry, my dyslexia confuses people too, I don't explain things right.. yet it sounds right to me

Gertjan @comet424

@comet424 said in how do you setup users with restricted access:

to say User Group (LandonsVMS) has access to this range
but when you look under the access they can have, it's just the pfSense pages access control.. not like restricted access

The pfSense user access:

e262a53f-987d-46c4-aed8-a36855c07958-image.png

determines which users can access the web GUI of pfSense, and which parts.
It doesn't handle network access.

                  Your choice to have two OpenVPN servers with dedicated firewall rules seems a good solution to me.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

comet424

@Gertjan ah ok, so groups is just editing the pfSense.. figured you only want an admin to edit it

so that also means users can log in to either OpenVPN then with their login/pass

I came across another issue with the OpenVPN. To make that 2nd OpenVPN I did the wizard where you create a new cert, new CA, I did the 192.168.0.0/24 etc, I chose the assignment and gave that openvpnvm link... but when I go to Export the clients are not shown.. it's there for the main one I have for full access

so I get "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled."

now today is the first time running 2 OpenVPN servers and it's been a year since I even touched my OpenVPN server since I set it and forget it.. and don't work with this every day..

I did the wizard but what could have gone wrong.. where would I look, what screen shots would you need

comet424

gonna try... delete the CAs, certs, OpenVPN server, firewall settings it creates and do a reboot so it's clean, to see if it fixes it

when in doubt do a reboot lol

comet424 (last edited by comet424)

well that didn't work
deleted all, saved, rebooted.
then ran the wizard, still says that issue on export

update..
figured it out, had to choose user and at the bottom the certs linked and had to link existing cert... now I can test it at home depot lol

hopefully it all works (:

comet424 (last edited by comet424)

@Gertjan
ok so I can't seem to connect,,, I was able to connect to my original OpenVPN

the 2nd one with my other account is stuck on connecting.. I was able to download the ovpn file but when connecting it's just stuck connecting... is there something to check.. I checked that it was basically exactly the same as the admin one I have set up and I did run the wizard.. but it's stuck at connecting.... even if I make up a user using the client software it stays connecting.. if I make up a user on my original OpenVPN it tells me invalid

so it's not getting to authenticating or what not

comet424

@Gertjan
so I got it to log in using the landon account, I had to delete the user and re-add it, then the create cert button instead of add cert and then add existing cert..

but there is an issue.. I was getting full access to the network.. so when I got home.. LandonsVM OpenVPN didn't really get access.. but it went to the OPENVPN firewall rules.. it didn't go to the correct firewall rule.. where do I look

also every time I delete the OpenVPN server, certs, CA, and do the wizard again.. it always saves the rule under OPENVPN, not the LandonsVMOpenVPN..
but the interface is set for it, so it's going to the wrong firewall rule
what do I look for that it's going to the wrong rules?

interfaces
rule3.PNG

rules
rule2.PNG rule1.PNG

comet424 (last edited by comet424)

here are the OpenVPN server snapshots. maybe something I got configured wrong as it's going to the wrong firewall rule

server1.PNG
![server2.PNG](/assets/uploads/files/1598668037411-server2.png)
server3.PNG
server4.PNG
server5.PNG
cert2.PNG cert1.png

comet424

so I think I kinda know the issue and not sure how to fix..

the OpenVPN servers all go to the OpenVPN firewall rules

no matter if the Interface (Landons OpenVpn) : opvn5 remote access etc
and interface (openvpnremote access) : opvn remote access for admin

even though it populates, it all goes to the OpenVPN firewall rule and not the specific interface rule

so I don't know how to modify it to redirect to the proper firewall interface rule

comet424

since I can't delete the OpenVPN firewall tab

is there a way to tell it, when the OpenVPN server is set to interface A, to run the rules under A
and if someone logs into the server set to interface B, to run the rules under B
I can't seem to get
LandonsVMOpenVPN to get the rules, it keeps going to OpenVPN
is there a way to delete the OpenVPN firewall rule, and that would probably force the 2 Interfaces to go to their servers properly

akuma1x @comet424

@comet424 You most likely have to push a static IP address to LANDON, and then make firewall rule(s) on your OpenVPN tab for that specific IP address to access stuff - either PASS or BLOCK.

Pushing an IP address can be found here:

VPN -> OpenVPN -> Client Specific Overrides -> Landon's User Name

And then, all the way at the bottom of this window, in the box called Client Settings -> Advanced, add this text:

"ifconfig-push X.X.X.X 255.255.255.0;" without the quotes. For the X parts, assign him a specific IP address, like 1 subnet different than your internal LAN subnet addresses. So, how I do mine at work, LAN = 10.0.1.0/24 and OVPN clients get 10.0.5.X addresses, set in the field above. Everything works perfect like this.

Hope that helps!

Jeff

comet424 (last edited by comet424)

@akuma1x
didn't work, still LandonOpenVPN and RemoteAccessVPN (admin) still go to the OpenVPN firewall.. they aren't going to the specific Firewall settings.. why is it defaulting to OpenVPN.. I'd like to delete it.. then it has no choice but to go to the proper Interfaces..
and what does the ifconfig and the pushing do? and what if you had 100 users in a business, would you have to do 100 client specific overrides?

maybe I'm configuring something wrong.. and I chose 192.168.110.0 since that's what I set for in the OpenVPN server file page.. I'm getting frustrated why isn't it going to the specific firewall rule and damn OpenVPN, I can't even rename it or add it to interfaces.. it's not there
override 2.PNG override 1.PNG notworking.PNG
notwork2.PNG
notwork3.PNG

if I keep deleting the server in OpenVPN and re-create it and set it to the CA cert and server cert.. it keeps adding to OPENVPN, not to the darn specific Landon Interface

I've had enough of this tonight.. 1:15am and I can't get it to go where it's supposed to go.. it's linked to the interface but both VPN Servers won't go to their specific firewall tab ugh
the OPENVPN tab isn't even an interface so I don't know why it's even there as a firewall tab

had enough of it tonight

comet424

so I'm getting confused
I googled, and was reading the Netgate docs... it says OpenVPN can be directed to specific interfaces but really doesn't tell you how to do it..
from what I read all OpenVPN server connections go to the OpenVPN firewall tab and then need to be redirected

to sum it up I want
openvpn server 1 (admin) ===> OpenVPN firewall tab (redirected) ==> AdminOpenvpn Firewall Tab
openvpn server 2 (landons) ===> OpenVPN Firewall tab (redirected) ==> LandonOpenVpn Firewall Tab

so I read the custom routes or the push routes etc

but in the Netgate docs I read "In such cases the OpenVPN tab firewall rules still apply, but there is a separate tab specific to the assigned VPN instance that controls traffic only for that one VPN" but I haven't found how to do that

akuma1x @comet424 (last edited by akuma1x)

@comet424 Ok STOP, let's start over from the beginning...

On my pfSense box, I have the OpenVPN server set up and running. In these settings, I have set up all of the users that can access the server with user names and passwords. This is done under System -> User Manager -> Users. Create a new user for Landon, and give the user a good password.

screenshot453423.png

Now, because you've already got an OpenVPN server instance created and it's known to work, DELETE the second (or third, or more) one you created specifically for Landon. Make sure all the extra WAN rules you've got for port 1193 are also deleted. And, speaking of WAN rules, I don't see the specific "port 1194" rule created from the OpenVPN wizard. What happened to that one? There's also a 1196 one in there, too.

You can both technically use the same VPN server connection. On your VPN server, you still want to give Landon a specific IP address; this is how you filter how and where he goes on your internal networks. Please be aware, when you start an OpenVPN server, the system automatically creates a firewall tab called "OpenVPN" in the list. You can add all of your traffic rules right here. You don't have to create extra OpenVPN firewall tabs. Or, for that matter, even activate them as interfaces in pfSense.

The single tab in the screenshot below is what was created from the initial setup wizard, and as you can see, tons of traffic has already passed thru the allow any rule there. That's traffic from about 12 other users, not shown, that have been working from home for 5 months.

So, I just added a new user to my pfSense system, called her "emily". Set up a user name and password for her, like I detailed above. There's a pass any and all rule on my OpenVPN firewall tab, and I put a block rule for emily up at the top to keep her from getting to a server on the LAN network.

screenshot774534.png

Just tested, and it works. This user can log in to the OpenVPN server, gets a static address from the system (10.0.5.139), and is BLOCKED from accessing the server at 10.0.1.20 with the single rule I created.

So, in review: 1 OpenVPN server running, I've got many users set up to remote in to use it, but only 1 is blocked from this particular server on the LAN. You should be able to do the same, with your user account, and Landon's user account.

Jeff
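
To make Jeff's approach concrete (one OpenVPN server, a Client Specific Override that pins a user to a fixed tunnel address, and a block rule at the top of the OpenVPN tab with that address as Source), the Python below is an added example that is not part of this thread or of pfSense. It builds the `ifconfig-push` line for the override's Client Settings -> Advanced box, rejects values that cannot work as a client address, and checks that a block rule's Source is the pushed host and nothing wider. The networks (LAN 10.0.1.0/24, tunnel 10.0.5.0/24), the usernames, and the assumption that the server itself holds the first usable tunnel address are all constructed for the example.

```python
"""Added example (not from the thread or pfSense): build and sanity-check
the ifconfig-push line for an OpenVPN Client Specific Override, and confirm
the per-user block rule's Source is exactly the pushed host. Networks and
usernames are constructed after Jeff's description (LAN 10.0.1.0/24,
tunnel 10.0.5.0/24, emily pinned to 10.0.5.139)."""
from ipaddress import ip_address, ip_network

LAN_NET = "10.0.1.0/24"      # constructed: the internal LAN
TUNNEL_NET = "10.0.5.0/24"   # constructed: the OpenVPN tunnel network


def check_client_address(address, tunnel_net=TUNNEL_NET, lan_net=LAN_NET):
    """Return None if 'address' can be pushed to a client, else the reason.
    Assumption: the server itself holds the first usable tunnel address."""
    addr = ip_address(address)
    tunnel = ip_network(tunnel_net)
    lan = ip_network(lan_net)
    server_addr = tunnel.network_address + 1
    if addr not in tunnel:
        return f"{addr} is not inside the tunnel network {tunnel}"
    if addr == tunnel.network_address:
        return f"{addr} is the network address of {tunnel}, not a host"
    if addr == tunnel.broadcast_address:
        return f"{addr} is the broadcast address of {tunnel}, not a host"
    if addr == server_addr:
        return f"{addr} is the server's own tunnel address (assumed .1)"
    if addr in lan:
        return f"{addr} overlaps the LAN {lan}; tunnel and LAN must differ"
    return None


def ifconfig_push_line(address, tunnel_net=TUNNEL_NET, lan_net=LAN_NET):
    """Text for the override's Client Settings -> Advanced box."""
    problem = check_client_address(address, tunnel_net, lan_net)
    if problem:
        raise ValueError(problem)
    return f"ifconfig-push {ip_address(address)} {ip_network(tunnel_net).netmask};"


def overrides_for(users, tunnel_net=TUNNEL_NET, lan_net=LAN_NET):
    """One override line per user from a {username: address} mapping; refuses
    two users pinned to the same address, which would defeat per-user rules."""
    owner = {}
    for user, addr in users.items():
        a = ip_address(addr)
        if a in owner:
            raise ValueError(f"{user} and {owner[a]} are both pushed {a}")
        owner[a] = user
    return {u: ifconfig_push_line(a, tunnel_net, lan_net) for u, a in users.items()}


def block_rule_source_matches(rule_source, pushed_address):
    """The block rule at the top of the OpenVPN tab must use the pushed host
    (a single address, /32) as Source; a whole subnet would hit every client."""
    return ip_network(rule_source, strict=False) == ip_network(f"{ip_address(pushed_address)}/32")


if __name__ == "__main__":
    for user, line in overrides_for({"emily": "10.0.5.139", "landon": "10.0.5.140"}).items():
        print(f"{user}: {line}")
    # The value comet424 reports pushing is the tunnel's own network address:
    print(check_client_address("192.168.110.0", "192.168.110.0/24", "192.168.0.0/24"))
```

`overrides_for` answers the "100 users" question in the simplest way: one override line per user, each with its own address, so each user's traffic can be matched by Source on the OpenVPN tab. The last line of the demo runs the check on 192.168.110.0 with a 192.168.110.0/24 tunnel, which is the value comet424 reports using; the function explains why a network address cannot be handed to a client.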

comet424

@akuma1x
so the ports I was using are
1197 site to site openvpn
1196 admin openvpn
1193 was landon openvpn server
1194 was landon openvpn server, both I was testing at the same time to try to get away from the OpenVPN tab and into the corresponding interface

sorry, suffering a migraine today so I haven't worked on it.. rain gives it to me among other issues.. I missed something
ya I like the idea of 1 server, makes it easier, that's why I was hoping grouping worked or source could be user name
as I want admin to have full access to the network.. and landon right now would have access only to 2 IP addresses on the network when logged in

and with me being a visual learner, learning disability, I gotta
but I missed something, where do you link emily's user account to 10.0.5.139, do you enter that in her user account credentials? so that'd be like 192.168.5.139 for mine, a random IP address.. so I kinda got lost there, how do I get the static IP for each user..
so static IP for admin, static IP for landon or any other user..

kind of sucks that you make the cert/CA and you can link it in an interface but the VPN tab doesn't go to the interface but the OpenVPN

so if you could go back a step for me that'd be great.. on the OpenVPN server gets a static address from the system (10.0.5.139), that being linked to emily, could you explain that better for me like a dummy book

and the part for the custom routes where I added in the other server for landon I had.. the route 192.29.x.x.x 255.x.x.x, what did that actually do

and too bad the firewall tab for Source didn't have the option of "user accounts" so no need for IP, just uses a group of user accounts in an alias..

but that's just me.. but ya if you could explain better above for me to achieve the IP address.. no rush as I'm in no hurry

I appreciate the help you're doing so far, and working with me... I know I'm no professional so thank you so far for all the help, and for the other guys' input too

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.