Netgate Discussion Forum

    How to safely grant access to users for changing their passwords?

    • K
      Kei
      last edited by

      Hello,
      I am using OpenVPN to connect users to my firewall, and everything is working nicely.
      I have set up the Tunnel network as 192.168.8.0/24 (so users are connecting with 192.168.8.2, and so on…) and I'm using client specific overrides so each user can reach different VLANs on the network.
      My question is, how should a user be able to reach the pfSense GUI in order to change his password? I could enable him to access the MGMT VLAN, but that would be unsafe from a security point of view.
      I thought the users should be able to reach their tunnel IP minus one, being the address of pfSense. But pfSense does NOT have any address for the VPN tunnel, meaning that if I go to "interface, assign" the VPN interface is still to be configured; in fact I can see it under "Available network ports: ovpns1 (Remote VPN)".
      However, as soon as I click on "ADD", trying to assign an IP address to it, all of the VPN connections break immediately, so I guess you're not supposed to do anything with this interface; after all, everything is working fine without it and of course I don't have any other "VPN interfaces" assigned or configured.

      So, should I create a "dead" vlan just to have the GUI of pfsense reachable? I know I could do this with the MGMT vlan, but I have many other servers and network equipment there...

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Just allow access to the firewall's address on some other VLAN. You don't have to allow access to the entire network.

        • S
          Soyokaze
          last edited by

          +1
          You could even create a specific VLAN interface (even without configuring it on the switch) just for this sole purpose; just make sure everyone has access to this interface/VLAN.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.