[GUIDE] IKEv2/IPSec, Per user firewall rule settings with FreeRADIUS



  • Just found this way to set per user rules, probably someone already discovered, but seems there's no post regarding to this, hopefully it can help someone.

    1. Follow the "IKEv2 with EAP-MSCHAPv2" https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 from pfsense, to create a working IKEv2/IPsec VPN server first.
    2. Install Freeradius2 on pfsense.
    3. Once tested and working, some changes need to be made, so that the IKEv2/IPsec VPN will use radius to authenticate clients instead of local database. (Google some pfsense freeradius configuration guide)


    Assume IKEv2/IPsec is working with freeradius.

    Configure per user rules.
    Create user1 and user2, user1 will have access to internal LAN and internet, user2 will only have internet access, not internal LAN access.
    In real world case, user1 can be the pfsense owner/administrator, user2 can be friends who you want to give VPN.

    1. Create user1 and user2 in Services -> FreeRADIUS -> Users.
    user1
    Put Username: user1, Password: password, IP Address: 10.1.2.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
    0.0.0.0/0 "Gateway address here (Address of pfsens box's, not external gateway)" 1
    Save

    user2
    Put Username: user2, Password: password, IP Address: 10.1.3.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
    0.0.0.0/0 "Gateway address here (Address of pfsens box's, not external gateway)" 1
    Save

    Now, when user1 login, virtual IP address 10.1.2.1 will be assigned. When user2 login, virtual IP address 10.1.3.1 will be assigned.

    2. Give internet access to two users, System -> Routing Static Routes
    Add two different new static route for VPN client user1 and user2 to use, so that both client can have internet access from pfsense box.

    Static Route1
    Destination network: 10.1.2.0/24
    Gateway: WAN_PPPOE - xxx.xxx.xxx.xxx (Your pfsense gateway, the one that you used to get internet access)
    Save

    Static Route2
    Destination network: 10.1.3.0/24
    Gateway: WAN_PPPOE - xxx.xxx.xxx.xxx (Your pfsense gateway, the one that you used to get internet access)
    Save

    3. Create firewall rules, Firewall -> IPsec
    Create DNS rule, Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: TCP/UDP, Source: Any, Destination: This firewall (self), Destination Port Range: From 53 to 53.
    Save

    Create block rule, so that user2 won't be able to access our LAN, Action: Reject, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Network 10.1.3.0/24, Destination: LAN net.
    Save

    Create rule for allowing other traffic (internet etc.), Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Any, Destination: Any
    Save


    Now user1 will have full access, LAN and internet, user2 will have internet access only, no LAN access.
    To create more accounts for friends, just use same steps form step 1, assign them IP range from 10.1.3.2 to 10.1.3.254 will be fine.


    Notes:
    If you find this post useful please comment or click on Thank you button or do both :)
    If you think it can be improved please share your comment.

    Future work:
    If you know how to configure freeradius to assign IP address dynamically via DHCP etc. to specific users please share your comment.

    Thanks



  • @pfbest

    This is amazing! Thank you so much, it works really well.