Different remote users need to access different resources
-
In the past I configured OpenVPN on pfSense to allow remote access to a specific subnetwork.
In the server configuration IPv4 Tunnel Network is set to 192.168.5.0/24, while IPv4 Local network(s) is set to 192.168.4.0/24, a DMZ for a few servers. I think that way the remote user is limited to operating in the 192.168.4.0/24 subnet and cannot access machines in other subnets. There is nothing in Client specific overrides and no special route is added in the Custom options of the server. Everything works fine, but now a new remote user needs to connect to servers in the LAN. I don't know which is the best way to achieve this result, and I'm reluctant to change anything on the existing and working VPN.
I have some ideas and I would like to understand if they are all feasible and what their pros and cons are.
Maybe I can add a new user on pfSense, remove IPv4 Local network(s) = 192.168.4.0/24 in the server configuration and push some routes based on the user.
Alternatively I can execute the OpenVPN Wizard again and hopefully it will generate an additional server and client configuration for the new user. I would like to restrict his access to some ports and servers only; I think it can be done by adding firewall rules in the OpenVPN tab.
Am I completely missing the point? Any advice? Thanks
Filippo
-
Access control has to be handled by firewall rules only!
The "IPv4 Local network(s)" field is meant to add networks for which the server pushes VPN routes to the clients. However, it's up to the client to set further routes to other networks on its own. If the firewall rules allow access to everything, that user is able to access anything in this case.
If it's only one user who should get particular access rights, add a client specific override for him (works only with user certs) to assign a specific IP to him. Then you can add firewall rules to grant specific access to that user.
If you have a lot of users who should get different access, you may want to consider adding an additional VPN server with another tunnel subnet.
-
Access control has to be handled by firewall rules only!
What is still unclear to me is how to add access control rules for the VPN. I know the IPv4 Tunnel Network and I can force a specific IP on a user with a client specific override. So I can add rules with those IPs, but in which tab should I place them? I have an OpenVPN tab created by the VPN wizard; is that the right place? I hope I don't have to add the same rules on each subnet which is configured.
Thanks
Filippo
-
Yes, in pfSense firewall rules have to be placed on the interface where the connections come in. So you have to place the needed rules on the OpenVPN tab.
The attachment shows my OpenVPN rule set as an example.
I am running 4 VPN servers with different tunnel networks. "Media Admins", "Media Developer" and so on are just aliases for the tunnel networks as source in the rule; destination addresses and ports are also aliases.
 -
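As an added example (not code from the thread or from pfSense), the first-match evaluation the OpenVPN tab performs, modelled in Python over a constructed rule set that uses aliases the way the reply above describes: the first user's tunnel network gets the whole DMZ, one CSO-pinned address gets HTTPS to two LAN hosts, and everything else falls through to pfSense's default deny. The alias names, addresses, hosts and ports are assumptions; the model covers only the ordered pass/block decision, not state tracking or NAT.

```python
"""Added example (not code from the thread or from pfSense): a first-match
evaluator for an OpenVPN-tab rule set, to show why access control lives in
the firewall rules and not in the routes pushed to clients.

Aliases, addresses and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Aliases as the reply uses them: names for tunnel networks (sources) and
# for servers (destinations). Values are CIDR strings.
ALIASES = {
    "Media_Admins":    ["192.168.5.0/28"],            # server IPv4 Tunnel Network
    "Restricted_User": ["192.168.6.2/32"],            # address pinned to one cert by a CSO
    "DMZ_Servers":     ["192.168.4.0/24"],            # server IPv4 Local network(s)
    "LAN_Web":         ["192.168.1.10/32", "192.168.1.11/32"],  # assumed LAN hosts
}


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # alias name, CIDR or "any"
    dst: str                         # alias name, CIDR or "any"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    ports: frozenset = frozenset()   # destination ports; empty = any port


def expand(spec: str) -> list:
    """Resolve an alias name, a literal CIDR or 'any' to ip_network objects."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec])]


def matches(rule: Rule, src, dst, proto: str, port) -> bool:
    return (any(src in n for n in expand(rule.src))
            and any(dst in n for n in expand(rule.dst))
            and rule.proto in ("any", proto)
            and (not rule.ports or port in rule.ports))


def decide(rules, src: str, dst: str, proto: str = "tcp", port=None) -> str:
    """First matching rule wins (pfSense adds 'quick' to GUI rules);
    a packet that matches nothing hits the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, s, d, proto, port):
            return rule.action
    return "block"


# The OpenVPN tab, top to bottom. No "allow any" rule, so everything not
# listed is dropped no matter which routes a client has or adds.
OPENVPN_TAB = [
    Rule("pass", "Media_Admins", "DMZ_Servers"),                           # first user: whole DMZ, any proto
    Rule("pass", "Restricted_User", "LAN_Web", "tcp", frozenset({443})),   # second user: HTTPS to two LAN hosts
]


def demo() -> dict:
    """Decisions for the cases discussed in the thread."""
    return {
        # first user to the DMZ he was given: allowed
        "dmz_user_to_dmz":      decide(OPENVPN_TAB, "192.168.5.6", "192.168.4.20", "tcp", 22),
        # same user after adding his own route to 192.168.1.0/24: route exists, rule does not
        "dmz_user_to_lan":      decide(OPENVPN_TAB, "192.168.5.6", "192.168.1.10", "tcp", 443),
        # pinned user, HTTPS to a listed host: allowed
        "restricted_https":     decide(OPENVPN_TAB, "192.168.6.2", "192.168.1.10", "tcp", 443),
        # pinned user, SSH to the same host: port not in the rule
        "restricted_ssh":       decide(OPENVPN_TAB, "192.168.6.2", "192.168.1.10", "tcp", 22),
        # pinned user to the DMZ: no rule for that source/destination pair
        "restricted_to_dmz":    decide(OPENVPN_TAB, "192.168.6.2", "192.168.4.20", "tcp", 443),
        # another cert from the 192.168.5.0/28 pool cannot borrow the pinned address's rule
        "pool_user_to_lan_web": decide(OPENVPN_TAB, "192.168.5.7", "192.168.1.10", "tcp", 443),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
```

The second case is the point of the thread: a client that adds its own route to 192.168.1.0/24 has a path in its routing table but no matching rule, so the packet is dropped on the OpenVPN tab regardless of what was or was not pushed. Because the rules are keyed on the pinned address, the override only has value if no other certificate can end up with 192.168.6.2, which is what the CSO guarantees.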
…. add a client specific override for him (works only with user certs) to assign a specific IP to him.
I suppose I have to put ifconfig-push ip.
In the server configuration I have IPv4 Tunnel Network = 192.168.5.0/24, so the IP I push to the new user must belong to that subnet?
What about the previous VPN user? Do I have to push an IP for him too? Otherwise he could receive by chance the special IP reserved for the new user, because it is one of the valid ones for the tunnel network.
And above all, can client override settings be changed on the client side? In other words, can a malicious remote user override his tunnel IP a second time in order to get the 'special IP'? Thank you again.
Filippo
-
In the client override the "Tunnel Network" option is for pushing the IP to the client.
Someone here told me that in the current pfSense version this may also be a single IP (/32) and may also be one lying outside of the server's tunnel network, but I've never tested it. This IP is only assigned to the certificate whose "Common name" matches the one in the CSO. So no other user can get this IP, and the specifically named user should not be able to get another one.
-
After the holidays I still have to create a second special VPN access.
I have configured only one OpenVPN server. Here are the tunnel settings:
IPv4 tunnel network 192.168.5.0/28
IPv4 Local network(s) 192.168.4.0/24
The first VPN client works perfectly; he gets the IP 192.168.5.6 and can reach the internal subnet 192.168.4.0/24.
Firewall rules were added on the OpenVPN tab to be sure the VPN client cannot access other subnets by adding new guessed routes to its configuration.
A second firewall user with a new certificate was created with a corresponding client specific override.
Here are the tunnel settings:
IPv4 tunnel network 192.168.6.0/28
IPv4 Local network(s) 192.168.1.0/24
The second user can connect to the VPN server and correctly gets 192.168.6.2, but he cannot access anything inside, and it is not blocked by firewall rules, so I suspect there is something wrong with the routes. I don't know what to do. The reason I changed the tunnel network in the client specific override is that I want to put a special firewall rule on the OpenVPN tab to allow only that subnet to access an internal restricted area.
What is wrong? How can I solve it? Is there another way to accomplish my goal?
Thanks
Filippo
-
I added a route to 192.168.6.0/24 in the server advanced configuration and now the VPN works as expected.
Again, the documentation about VPN is very confusing for me.
I first tried push "route 192.168.6.0 255.255.255.0", following what is stated in the note: it was useless.
Then I solved it by adding route 192.168.6.0 255.255.255.0.
I read this guide, and push "route …" and route … are both used, so they seem equivalent. Am I missing something? Thanks
Filippo
-
I first tried push "route 192.168.6.0 255.255.255.0", following what is stated in the note: it was useless.
Then I solved it by adding route 192.168.6.0 255.255.255.0
Why do you want to push the route for 192.168.6.0/24? That includes the tunnel network for that client.
There's no need for advanced options to push routes. This is done by the "Local Networks" option. So the user gets 192.168.1.0/24 pushed.
Check the routing table on the client computer.
Open up the firewall for testing to allow any, and try to ping the VPN server's IP, then try to ping the pfSense interface address in 192.168.1.0/24 and another host.
-
There's no need for advanced options to push routes. This is done by the "Local Networks" option.
The idea to put a route in the server advanced config comes from this guide.
It makes the difference: without that route I cannot access the internal subnet with the user who has client specific overrides.
The client configuration was OK from the beginning; a route print from the Windows command line shows it knows how to reach 192.168.1.0/24, the IPv4 Local network of the client specific override.
I don't know how to check the routes on the firewall: it can reach 192.168.5.0/28, the IPv4 tunnel network configured on the OpenVPN server, but I suspect it has no route to 192.168.6.0/28, the IPv4 tunnel network of the client specific override. Adding that route manually, traffic flows as expected.
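The OpenVPN directives behind the GUI fields discussed in this thread (the CSO pinning from the earlier reply and the server-side route found above), as an added illustration that is not from the thread and not pfSense's generated file. It assumes topology subnet; the client-config-dir path, the /28 masks and the comments are assumptions, and pfSense chooses its own file names and paths.

```conf
# --- server config (pfSense "OpenVPN / Servers" fields -> OpenVPN directives) ---
server 192.168.5.0 255.255.255.240           # IPv4 Tunnel Network 192.168.5.0/28: address pool for ordinary clients
push "route 192.168.4.0 255.255.255.0"       # IPv4 Local network(s) 192.168.4.0/24: route pushed to EVERY client
client-config-dir /var/etc/openvpn-csc       # assumed path; pfSense picks its own per server

# Custom options: a kernel route on pfSense itself. Without it the firewall
# has no route for the CSO-assigned 192.168.6.x into the tun interface, which
# is the "connects, gets an IP, reaches nothing" symptom above. push "route"
# only adds a route on the client and does nothing for the server's kernel.
# (This is the same directive the server's "IPv4 Remote network(s)" field produces.)
route 192.168.6.0 255.255.255.240

# --- client specific override: a file named after the certificate's Common Name ---
# CSO "Tunnel Network" 192.168.6.0/28 -> address pinned to this one certificate.
# With topology net30 OpenVPN expects a local/remote address pair here instead.
ifconfig-push 192.168.6.2 255.255.255.240
# CSO "IPv4 Local network(s)" 192.168.1.0/24 -> route pushed to this client only
push "route 192.168.1.0 255.255.255.0"
```

The split is: `push "route …"` changes the client's routing table, `route` changes pfSense's, and `ifconfig-push` binds an address to a Common Name so firewall rules on the OpenVPN tab can target that one user. A quick check on the firewall side is whether its routing table has an entry for the CSO subnet pointing at the OpenVPN interface; the first user never needed one because 192.168.5.0/28 is covered by the `server` directive.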