How to safely grant access to users for changing their passwords?
I am using OpenVPN to connect users to my firewall, and everything is working nice.
I have set up the Tunnel network being 192.168.8.0/24 (so users are connecting with 192.168.8.2, and so on…) and I'm using client specific overrides so each user can reach different vlans on the network.
My question is, how should a user be able to reach the pfSense GUI in order to change his password? I could enable him to access the MGMT vlan, but that would be unsafe from a security point.
I thought the users should be able to reach their tunnel IP minus one, being the address of pfSense. But pfSense does NOT have any address for the VPN tunnel, meaning that if I go to "interface, assign" the VPN interface is still to be configured; in fact I can see it under "Available network ports: ovpns1 (Remote VPN)".
However, as soon as I click on "ADD", trying to assign an IP address to it, all of the VPN connections break immediately, so I guess you're not supposed to do anything with this interface; after all, everything is working fine without it and of course I don't have any other "VPN interfaces" assigned or configured.
So, should I create a "dead" vlan just to have the GUI of pfSense reachable? I know I could do this with the MGMT vlan, but I have many other servers and network equipment there...
Just allow access to the firewall's address on some other VLAN. You don't have to allow access to the entire network.
You could even create a specific VLAN interface (even without configuring it on the switch) just for this sole purpose; just make sure everyone has access to this interface/vlan.
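The rules the answer describes, written out in pf syntax as an added illustration (not from the thread or from pfSense itself). The VLAN address 10.10.50.1/24 and the webGUI port 443 are assumptions; ovpns1 and 192.168.8.0/24 are the interface and tunnel network from the question. In the pfSense GUI these correspond to two rules on the OpenVPN tab, in this order.

```pf
# Added example, not from the thread. Assumed values: the firewall's own
# address on the chosen VLAN is 10.10.50.1/24 and the webGUI listens on
# HTTPS port 443. pf evaluates "quick" rules first-match, so order matters.

# 1. Let VPN clients reach only the firewall's address on that VLAN,
#    and only the webGUI port, so they can change their password.
pass in quick on ovpns1 proto tcp from 192.168.8.0/24 to 10.10.50.1 port 443 \
    flags S/SA keep state

# 2. Explicitly block everything else on that VLAN (other servers, switches),
#    with logging so attempts to reach the rest of the network show up in
#    the firewall log instead of silently failing.
block in log quick on ovpns1 from 192.168.8.0/24 to 10.10.50.0/24
```

After saving the rules, `pfctl -sr | grep ovpns1` on the firewall shell lists the loaded rules so the order can be confirmed.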