How to block access from roadwarriors



  • I have a pfsense with an openvpn server for roadwarriors. I have also created different users that will connect to the local network through the openvpn client for windows.

    But one of them is required to have access to only a single machine within the local network.

    How would I have to do it?

    Thanks in advance


  • Rebel Alliance Developer Netgate

    The best way to accomplish that is by setting up a separate VPN (different CA, certs, tunnel network, etc) for the isolated clients.

    There are some tricks you can do with address assignments, routing, rules, and so on to attempt to isolate that client, but it's hard to get right and not as secure.



  • Thanks! I will do so.



  • @unaibg
    You can totally do it with rules and client overrides.
    Assign a static IP to that client, and make rules that fit your situation.
    It's just as secure as a separate tunnel... IF the rules are smartly designed, of course 😉


  • Galactic Empire

    @maverick_slo said in How to block access from roadwarriors:

    @unaibg
    You can totally do it with rules and client overrides.
    Assign a static IP to that client, and make rules that fit your situation.
    It's just as secure as a separate tunnel... IF the rules are smartly designed, of course 😉

    I assign clients specific IP addresses via Freeradius.

    "ipsec-test" Cleartext-Password := "PASSWORD-WAS-HERE", Simultaneous-Use := "1", Expiration := "Jan 01 2020", NAS-Identifier == strongSwan 
    
    	Framed-IP-Address = 172.16.8.254,
    	Framed-IP-Netmask = 255.255.255.0,
    	Framed-Route = "0.0.0.0/0 172.16.8.1 1"
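
Added example, not code from any participant in this thread: whichever way the client gets its fixed address (a client-specific override or a RADIUS Framed-IP-Address as above), the isolation then depends on rule order, so this sketch audits a rule list under first-match, top-down evaluation and reports every LAN host the pinned client can still reach. All addresses and both rule sets are constructed sample values, and the model matches on source and destination address only (no ports or protocols).

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
PINNED_CLIENT = "10.0.8.50"    # static tunnel address of the isolated client
ALLOWED_HOST = "192.168.1.10"  # the single LAN machine it may reach
LAN_NET = "192.168.1.0/24"

# Rules are (action, source network, destination network), evaluated top-down.
GOOD_RULES = [
    ("pass", "10.0.8.50/32", "192.168.1.10/32"),  # isolated client -> one host
    ("block", "10.0.8.50/32", "0.0.0.0/0"),       # isolated client -> anything else
    ("pass", "10.0.8.0/24", "192.168.1.0/24"),    # other road warriors -> LAN
]
# Same rules, but the broad pass rule sits above the client-specific ones.
BAD_RULES = [GOOD_RULES[2], GOOD_RULES[0], GOOD_RULES[1]]


def first_match(rules, src, dst):
    """Return the action of the first rule matching src/dst (default: block)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return "block"


def audit(rules, client, allowed_host, lan_net):
    """Return (allowed host reachable?, list of other LAN hosts still reachable)."""
    leaks = [
        str(h)
        for h in ipaddress.ip_network(lan_net).hosts()
        if str(h) != allowed_host and first_match(rules, client, str(h)) == "pass"
    ]
    return first_match(rules, client, allowed_host) == "pass", leaks


if __name__ == "__main__":
    for name, rules in (("good order", GOOD_RULES), ("bad order", BAD_RULES)):
        ok, leaks = audit(rules, PINNED_CLIENT, ALLOWED_HOST, LAN_NET)
        print(f"{name}: allowed host reachable={ok}, other reachable hosts={len(leaks)}")
```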