Netgate Discussion Forum

    How to block access from roadwarriors

    • unaibg

      I have a pfSense with an OpenVPN server for roadwarriors. I have also created different users that will connect to the local network through the OpenVPN client for Windows.

      But one of them is required to have access to only a single machine within the local network.

      How would I have to do it?

      Thanks in advance

      • jimp Rebel Alliance Developer Netgate

        The best way to accomplish that is by setting up a separate VPN (different CA, certs, tunnel network, etc) for the isolated clients.

        There are some tricks you can do with address assignments, routing, rules, and so on to attempt to isolate that client, but it's hard to get right and not as secure.

        • unaibg

          Thanks! I will do so.

          • maverick_slo @unaibg

            @unaibg
            You can totally do it with rules and client overrides.
            Assign a static IP to that client, and make rules that fit your situation.
            It's just as secure as a separate tunnel.. IF rules are smartly designed of course 😉

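The static-IP-plus-rules approach from the post above depends on rule order, because pfSense evaluates interface rules top-down and the first match wins. The following is an added example, not part of the original thread: a small first-match evaluator that shows how a broad pass rule placed above the per-client rules defeats the isolation. All addresses, rule sets and function names are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing (assumptions, not taken from the thread)
RESTRICTED = "10.0.8.50"        # static tunnel IP set by the client override
ALLOWED_HOST = "192.168.1.10"   # the single LAN machine this user may reach
PROBES = ["192.168.1.10", "192.168.1.20", "192.168.1.1", "10.0.8.1"]

def first_match(rules, src, dst):
    """Action of the first rule matching src -> dst; no match means block."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if s in ip.ip_network(rule_src) and d in ip.ip_network(rule_dst):
            return action
    return "block"

def leaks(rules, src=RESTRICTED, allowed=ALLOWED_HOST, probes=PROBES):
    """Probe destinations other than `allowed` that src can still reach."""
    return [d for d in probes
            if d != allowed and first_match(rules, src, d) == "pass"]

# Broad rule first: the restricted client matches it before its block rule.
BAD_ORDER = [
    ("pass",  "10.0.8.0/24",  "192.168.1.0/24"),
    ("pass",  "10.0.8.50/32", "192.168.1.10/32"),
    ("block", "10.0.8.50/32", "0.0.0.0/0"),
]

# Per-client pass and block first, general road-warrior rule last.
GOOD_ORDER = [
    ("pass",  "10.0.8.50/32", "192.168.1.10/32"),
    ("block", "10.0.8.50/32", "0.0.0.0/0"),
    ("pass",  "10.0.8.0/24",  "192.168.1.0/24"),
]

if __name__ == "__main__":
    print("bad order leaks: ", leaks(BAD_ORDER))
    print("good order leaks:", leaks(GOOD_ORDER))
    # A client whose override did not apply gets a pool address and
    # falls under the general rule, so the isolation relies on the
    # override always matching that user.
    print("pool address:", first_match(GOOD_ORDER, "10.0.8.20", "192.168.1.20"))
```

The last check is the dependency to keep in mind with a shared tunnel: the restriction follows the address, so it holds only while the restricted user always receives the static address.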
            • NogBadTheBad @maverick_slo

              @maverick_slo said in How to block access from roadwarriors:

              @unaibg
              You can totally do it with rules and client overrides.
              Assign a static IP to that client, and make rules that fit your situation.
              It's just as secure as a separate tunnel.. IF rules are smartly designed of course 😉

              I assign clients specific IP addresses via FreeRADIUS.

              "ipsec-test" Cleartext-Password := "PASSWORD-WAS-HERE", Simultaneous-Use := "1", Expiration := "Jan 01 2020", NAS-Identifier == strongSwan
                      Framed-IP-Address = 172.16.8.254,
                      Framed-IP-Netmask = 255.255.255.0,
                      Framed-Route = "0.0.0.0/0 172.16.8.1 1"

              Andy
