Limit OpenVPN access for certain user to only certain IP in the local network



  • Hi all,
    I'd like to know if it's possible to limit access for a certain user to a certain IP in my local network when connecting from VPN.

    The scenario is the following:
    -user1 and user2 connect via VPN using the openvpn client and can see all of my internal network
    -user3 connects via VPN using the openvpn client but can only access one server with IP x.x.x.x
    -user4 connects via VPN using the openvpn client but can only access another server with IP x.x.x.y

    Is this possible? If yes, please let me know clearly what steps to take.

    Thanks in advance



  • When using SSL/TLS it is.

    Go to VPN > OpenVPN > Client specific overrides and add an override rule for each client you want to control by firewall rule.
    Select the VPN server, enter the user's common name as it is set in the user's certificate. At tunnel network enter a small subnet (/30) of the server tunnel network, e.g. if the tunnel network is 10.0.8.0/24 enter 10.0.8.156/30 for user3 and 10.0.8.160/30 for user4.
    In the IPv4 Local networks box enter the particular host address the user is allowed to access, e.g. x.x.x.x/32, and enter the other options to meet your needs.

    Now if one of these users connects, he will get an IP from the specified subnet (the third IP of the subnet; the first IP is the network, the second the server), and you may use these IPs or also the whole subnets in firewall rules on the OpenVPN tab to allow or restrict access for these users.
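
The /30 arithmetic behind the answer above, as an added example that is not part of the original thread: it works out which address a client will receive from its override subnet, the client-config (ccd) lines an override of that shape corresponds to, and matching pf-style firewall rules. It assumes OpenVPN's net30 topology (network, server, client, broadcast in that order), an OpenVPN server interface named `ovpns1`, and uses constructed 192.0.2.x addresses in place of the thread's x.x.x.x.

```python
import ipaddress


def cso_addresses(tunnel_subnet: str):
    """Split a /30 override subnet into (network, server, client, broadcast).

    Layout assumed is net30, as the answer describes: first address is the
    network, second the server side, third the client, fourth the broadcast.
    strict=True rejects a subnet whose host bits are set (e.g. 10.0.8.157/30).
    """
    net = ipaddress.ip_network(tunnel_subnet, strict=True)
    if net.prefixlen != 30:
        raise ValueError("client-specific override subnet must be a /30")
    network, server, client, broadcast = list(net)
    return network, server, client, broadcast


def ccd_lines(tunnel_subnet: str, allowed_hosts):
    """Client-config lines equivalent to the override (assumed ccd format):
    pin the client to the third address and push a route to each allowed host."""
    _, server, client, _ = cso_addresses(tunnel_subnet)
    lines = [f"ifconfig-push {client} {server}"]
    for host in allowed_hosts:
        h = ipaddress.ip_network(host)
        lines.append(f'push "route {h.network_address} {h.netmask}"')
    return lines


def firewall_rules(interface: str, tunnel_subnet: str, allowed_hosts):
    """pf-style rules for the OpenVPN tab: pass the client only to its host(s),
    then block everything else from that client address."""
    _, _, client, _ = cso_addresses(tunnel_subnet)
    rules = [
        f"pass in quick on {interface} from {client} to {ipaddress.ip_network(h)}"
        for h in allowed_hosts
    ]
    rules.append(f"block in quick on {interface} from {client} to any")
    return rules


if __name__ == "__main__":
    # Constructed values: the thread's override subnets, documentation-range hosts.
    for name, subnet, host in [("user3", "10.0.8.156/30", "192.0.2.10/32"),
                               ("user4", "10.0.8.160/30", "192.0.2.20/32")]:
        print(f"# {name}")
        print("\n".join(ccd_lines(subnet, [host])))
        print("\n".join(firewall_rules("ovpns1", subnet, [host])))
```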


  • You can assign static IPs to your clients.
    https://forum.pfsense.org/index.php?topic=77590.0
    https://www.iceflatline.com/2014/01/how-to-assign-static-ip-addresses-to-openvpn-clients-in-pfsense/

    Then write firewall rules to control each user via their static IP.



  • Thank you very much for your help.