OpenVPN: limit IPs accessible to client
-
Dear all,
I have searched but did not find enough information to help me on this.
Right now I am creating users in pfsense, creating a new certificate with each one, and then use the client export wizard to download and provide a preconfigured VPN client.
The longer this system runs, the more I realize that not all users should be equal, and I want to force some user groups to use an access point (a single system/IP), while other should be allowed to directly access anything.
How can I achieve this?
(Please also give some details, if possible.. I read I would have to assign a predictable IP to each client/user and then use firewall rules, but I have not found an option yet to do so.)
Many thanks!!!!
-
If you can use a predictable IP for each user then you can accomplish this by 1) configuring a static IP for each client, and 2) configuring fw rules for the proper interface for those IP addresses.
1: You can assign predictable IP's to clients using the client specific overrides section of the VPN config. The only 2 entries you need are the common name which will be the cn of their certificate and then under advanced you would enter something like 'ifconfig-push 10.10.10.234 255.255.255.0' (assuming you adjust for the IP address you want and set the proper mask). You can also use DNS which is how I do it, so if I want to change the assigned IP I only have to make the change in one location (DNS). For example, 'ifconfig-push laptop.vpn.mydomain.com 255.255.255.0'. Your firewall rules can also use the DNS entry so they will adjust also if you decide to change the IP.
2: For firewall rules you can us the OpenVPN section (Firewall/Rules/OpenVPN) of the firewall rules screen or if you have more than one VPN configured you may want to create an interface on the 'ovpnsx' network port in the assign interface tab (Interfaces/Interface Assignments) which would give you more granularity if you have (or may have) more than on VPN and want to control them independently. If you decide to create a specific interface and assign it to the ovpns port you do not need to assign it an IP address.
Note: This setup is assuming you are configured with a tun interface and using the subnet topology for OpenVPN.
-
There are multiple ways of accomplishing this. I would ask, how many groups are we talking about and how complex is the access you're trying to implement.
I like the simple options with the least amount of administrative overhead. It sounds like you may only have 2 groups (Trusted and Less Trusted), so I would just create two different tunnels that will naturally have 2 different tunnel networks. This way you can control what routes get pushed to the "Less Trusted" group and easily create firewall rules on your LAN interfaces for blocking the "Less Trusted" tunnel network.
If you want to control access on a per user basis, then you're looking at what tortue mentioned regarding assigning static IP's to every user via Client Specific Overrides. If you only have a handful of users, this might be fine, but it adds administrative overhead since you not only have to configure CSO's for every user…. you also have to do manual IPAM. I must say, Tortue's example about using DNS entries in on the CSO's is interesting, but the overhead is still there.
-
@marsova
Many thanks for answering!
How can I create those 2 groups and 2 tunnels? Is it 2 servers or how does it work? Can both listen on the same port?As for my needs: I would have both few groups and few users.
Probably groups: trusted, trusted but don't know what they are doing, untrusted.
(Though there isn't really untrusted, since if they are in the network they would always be able to somehow gain access to other machines.)@tortue
Many many thanks!
I wonder how I could not find the same before.Since this is working, some more information by me (for lazy people like me):
- tun/subnet is the default for OpenVPN, tun is fine if one only uses IP
- CN name I got from the System->Certificate Manger, for the user certificate
- If in Client Specific Overrides, I also provide IPv4 Local Network/s it seems to do the job just as well. No firewall rule - or even a static IP - needed. Is that correct?
- Even though it does not prompt, OpenVPN service needs to be restarted
-
How can I create those 2 groups and 2 tunnels? Is it 2 servers or how does it work? Can both listen on the same port?
As for my needs: I would have both few groups and few users.
Probably groups: trusted, trusted but don't know what they are doing, untrusted.
(Though there isn't really untrusted, since if they are in the network they would always be able to somehow gain access to other machines.)As far as controlling access to network(s), you can't really add "groups" per se… you can create aliases, but that's not what I was getting at. Lets say you have the following subnets/vlans for example:
10.0.0.0/24 = users
10.0.1.0/24 = servers
10.0.2.0/24 = managementFor the arbitrary "trusted" group, you would create 1 Remote Access Server listening on port 1194 with a tunnel network of e.g. 192.168.150.0/24 and push routes to all 3 subnets to these clients.
For the arbitrary "less trusted" group, you would create a 2nd Remote Access Server listening on port 1195 with a tunnel network of e.g. 192.168.160.0/24 and only push routes to the subnets you want them to have access to. Not having a route to your other networks will take care of 99% of the riff raff, but as a second security measure, now that you know the "less trusted" users will always have an IP in the 192.168.160.0/24 subnet, if you don't want them to access your management network, for example, you would just create a block rule on the management interface for traffic sourcing from 192.168.160.0/24 subnet. This block rule would be just in case some savvy user learns your topology and decides to create routes manually on the remote end.
So, the "groups" I mentioned don't actually exist on your firewall, but more in your head. Basically, you'd make a decision on the front end of what access level you want that user to have and then do a client export on the particular Remote Access Server you have deemed appropriate based on your assessment of whether they are "trusted" or "less trusted".
If you only have 1 subnet, this option still works because it allows you to create simple rules blocking access to certain IP's based on what subnet the traffic is sourced from. Example scenarios:
-
I trust Johnny = export trusted access server
-
I trust Bill = export trusted access server
-
I'm not sure I fully trust Brian = export less trusted access server
-
I'm not sure I fully trust Doug = export less trusted access server
-
I only have 1 subnet and there are certain people I trust mostly, but don't want them accessing my NAS on 10.0.0.30 = export less trusted access server, then create a block rule on your LAN interface with source 192.168.160.0/24 and destination 10.0.0.30
-
-
Thanks for clarifying, marvosa.
My topology is a little different (all in same subnet, different special purpose subnets), also for restricted users they would be restricted to a single IP (the system to RDP into).
What helps is saying that I would need to create 2 servers, and then, of course, I can configure again what I want.
Perhaps I will eventually configure 2 servers when I have to static public IPs on different dsl connections.
So thanks for those insights!
-
I forgot to mention in my setup you also cannot have 'duplicate-cn' set in the advanced settings for the server. Essentially if you allow a single certificate to come in for multiple devices (like phone and laptop) it would not work since the IP would try to be assigned to 2 devices.