"Best practise" for road warriors with individual firewall rules
-
Hi everybody,
after some confusion with the upgrade to 2.3 and "subnet vs. net /30" I would like to know what is best practise for these needs:
We have one OpenVPN server and about 20 road warriors. Now I would like to give these road warriors
- individual "permissions" to certain IP addresses via firewall rules
- individual routes
The topology of the OpenVPN Server is "Subnet - One IP address per client in a common subnet", because I read that this is the way to go into future. :)
Thanks for your support and greets
Stephan
-
I just tried configuring Client specific overrides like this:
- check "Prevent this client from receiving any server-defined client settings. "
- Put this in Advanced: ifconfig-push 10.185.192.x 255.255.255.0;push "route <some network>"
So (hopefully) the client always gets 10.185.192.12 so I can configure firewall rules relating to this IP address.
Is this an acceptable solution?
Thanks and greets
Stephan
-
Why would the client always get 10.185.192.12.. did you just put an x in there for the post vs the .12??
So I have this setup for my specific client override from my work machine
ifconfig-push 10.0.8.100 255.255.255.0
It always gets that IP..
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : local.lan
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-EE-16-B9-3C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fd9b:6799:7fc9:2969%23(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, August 09, 2016 9:42:35 AM
Lease Expires . . . . . . . . . . : Wednesday, August 09, 2017 9:42:36 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.0.8.254
DHCPv6 IAID . . . . . . . . . . . : 369164270
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4C-CA-26-3C-97-0E-99-DF-75
DNS Servers . . . . . . . . . . . : 192.168.9.253
NetBIOS over Tcpip. . . . . . . . : Enabled
So yeah I could use that IP for firewall rules..
-
Hi John,
Why would the client always get 10.185.192.12.. did you just put an x in there for the post vs the .12??
??? My mistake… tried to anonymize the IP address... ;D
As far as I understand you used the same solution as me. Every road warrior gets an individual IP address via ifconfig-push, so I can configure firewall rules relating to this road warrior. Fine - I will try that for all the warriors! :)
Thanks and greets
Stephan
-
Yeah how else would you skin that cat? ;) If you want user X to be allowed access to device at 1.2.3.4, then yeah you need to make sure user X always has IP address 2.3.4.5 so you can allow that via firewall rule..
User Y that gets something other than 2.3.4.5 would not have access..
If you have groups of users that all need the same access you could just create different VPN connections so that users A, B and C would always get IPs in network 1.2.3.0/24 and you could then create the firewall rules on that network vs a specific IP, and if you have another group of users that need different access than A, B and C then they could be on network 1.2.4/24 etc..
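The per-client approach from Stephan's override post and John's answer depends on two things holding: every fixed address really is unique, and it lies inside the server's "topology subnet" range, otherwise a rule keyed on that address silently matches nothing or the wrong client. The script below is an added example (not code from the thread or from pfSense/OpenVPN) that checks a constructed assignment table against those conditions, renders the CCD directives per client, and emits pf-style pass rules for the allowed destinations; the client names, destinations, the 192.168.50.0/24 route and the interface name ovpns1 are assumptions.

```python
import ipaddress

# Constructed example data (not from the thread): the server uses "topology subnet"
# on 10.185.192.0/24; each road warrior gets a fixed address, its own pushed routes,
# and the destinations the firewall should allow for that address.
SERVER_SUBNET = ipaddress.ip_network("10.185.192.0/24")
VPN_IF = "ovpns1"  # assumed interface name of the OpenVPN server instance
CLIENTS = {
    "stephan-laptop": {"ip": "10.185.192.12", "routes": ["192.168.50.0/24"],
                       "allow": ["192.168.50.10"]},
    "john-work":      {"ip": "10.185.192.100", "routes": [], "allow": ["10.20.0.5"]},
}

def validate(server_subnet, clients):
    """Return a list of problems. Rules keyed on a client's VPN address only mean
    something if every address is unique and inside the server's subnet."""
    problems, owner = [], {}
    server_ip = next(server_subnet.hosts())  # topology subnet: server takes the first host
    for name, spec in clients.items():
        ip = ipaddress.ip_address(spec["ip"])
        if ip not in server_subnet:
            problems.append(f"{name}: {ip} is not inside {server_subnet}")
        elif ip in (server_ip, server_subnet.broadcast_address):
            problems.append(f"{name}: {ip} is reserved (server or broadcast address)")
        if ip in owner:
            problems.append(f"{name}: {ip} is already assigned to {owner[ip]}")
        owner.setdefault(ip, name)
        for cidr in spec["routes"]:
            ipaddress.ip_network(cidr)  # raises ValueError on a malformed route
    return problems

def ccd_lines(server_subnet, spec):
    """Directives for the client's CCD file. With topology subnet the second
    ifconfig-push argument is the netmask (with net30 it would be the peer address)."""
    lines = [f"ifconfig-push {spec['ip']} {server_subnet.netmask}"]
    for cidr in spec["routes"]:
        net = ipaddress.ip_network(cidr)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines

def pf_rules(clients, vpn_if=VPN_IF):
    """pf-style pass rules, one per allowed destination, keyed on the fixed VPN address;
    everything else on the interface is left to the default deny."""
    rules = []
    for name, spec in sorted(clients.items()):
        for dst in spec["allow"]:
            rules.append(f"pass in quick on {vpn_if} from {spec['ip']} to {dst}  # {name}")
    return rules

if __name__ == "__main__":
    for p in validate(SERVER_SUBNET, CLIENTS):
        print("PROBLEM:", p)
    for name, spec in CLIENTS.items():
        print(f"--- ccd/{name}")
        print("\n".join(ccd_lines(SERVER_SUBNET, spec)))
    print("\n".join(pf_rules(CLIENTS)))
```

In the pfSense override's Advanced box the same two directives go on one line separated by ";", as in Stephan's post; a CCD file on a plain OpenVPN server takes them one per line.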