"Best practice" for road warriors with individual firewall rules



  • Hi everybody,

    after some confusion with the upgrade to 2.3 and "subnet vs. net /30" I would like to know what is best practice for these needs:

    We have one OpenVPN server and about 20 road warriors. Now I would like to give these road warriors

    • individual "permissions" to certain IP addresses via firewall rules
    • individual routes

    The topology of the OpenVPN Server is "Subnet - One IP address per client in a common subnet", because I read that this is the way to go in the future.  :)

    Thanks for your support and greets
    Stephan



  • I just tried configuring Client specific overrides like this:

    • check "Prevent this client from receiving any server-defined client settings. "
    • Put this in Advanced: ifconfig-push 10.185.192.x 255.255.255.0;push "route <some network>"

    So (hopefully) the client always gets 10.185.192.12 so I can configure firewall rules relating to this IP address.
    Is this an acceptable solution?

    Thanks and greets
    Stephan


  • LAYER 8 Global Moderator

    Why would the client always get 10.185.192.12.. did you just put an x in there for the post vs the .12??

    So I have this setup for my specific client override from my work machine

    ifconfig-push 10.0.8.100 255.255.255.0

    It always gets that IP..
    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . : local.lan
      Description . . . . . . . . . . . : TAP-Windows Adapter V9
      Physical Address. . . . . . . . . : 00-FF-EE-16-B9-3C
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::fd9b:6799:7fc9:2969%23(Preferred)
      IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : Tuesday, August 09, 2016 9:42:35 AM
      Lease Expires . . . . . . . . . . : Wednesday, August 09, 2017 9:42:36 AM
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . : 10.0.8.254
      DHCPv6 IAID . . . . . . . . . . . : 369164270
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4C-CA-26-3C-97-0E-99-DF-75
      DNS Servers . . . . . . . . . . . : 192.168.9.253
      NetBIOS over Tcpip. . . . . . . . : Enabled

    So yeah I could use that IP for firewall rules..



  • Hi John,

    @johnpoz:

    Why would client always get 10.185.192.12.. did you just put a x in there for the post vs the .12??

    ??? My mistake… tried to anonymize the IP address...  ;D
    As far as I understand you took the same approach as me. Every road warrior gets an individual IP address via ifconfig-push, so I can configure firewall rules relating to this road warrior. Fine - I will try that for all the warriors!  :)

    Thanks and greets
    Stephan


  • LAYER 8 Global Moderator

    Yeah how else would you skin that cat? ;)  If you want user X to be allowed access to device at 1.2.3.4, then yeah you need to make sure user X always has IP address 2.3.4.5 so you can allow that via firewall rule..

    User Y that gets something other than 2.3.4.5 would not have access..

    If you have groups of users that all need the same access you could just create different VPN connections, so that users A, B and C would always get IPs in network 1.2.3.0/24 and you could then create the firewall rules on that network vs a specific IP, and if you have another group of users that need different access than A, B and C then they could be on network 1.2.4.0/24 etc..

