Netgate Discussion Forum

Isolate client OpenVPN

  • G
    Getbys
    last edited by Oct 31, 2018, 2:50 PM

    Hi guys, I am new to pfSense and OpenVPN, and I recently started to work in an office using OpenVPN and pfSense. Atm I am wondering how I can make a client only able to RDP to a particular machine over VPN and isolate them so they cannot access any other LAN devices, e.g. shares/git. Someone mentioned Client Specific Overrides to me, but I am not aware of how to do it. The issue is that not all clients should be restricted, only particular ones; at the moment, a rule to drop anything except the RDP port when over VPN won't work in this scenario.

    • R
      Rico LAYER 8 Rebel Alliance
      last edited by Rico Nov 1, 2018, 8:42 AM Nov 1, 2018, 8:04 AM

      You can set this up easily with CSO and Firewall Rules.
      VPN -> OpenVPN -> Client Specific Overrides:
      Pick your Server, in Common Name put the Cert name of your Client. In IPv4 Tunnel Network put in the fixed IP you want to give to this user.
      For example, if you have a 10.11.12.0/24 Tunnel network and want this User to have 10.11.12.13 you put in 10.11.12.13/24
      Leave all the other stuff blank and hit Save.

      In Firewall -> Rules navigate to the OpenVPN Group tab. Add a new Rule
      IPv4 TCP Source 10.11.12.13/24 Destination Server IP Port MS RDP 3389
      Save and that's it. Maybe you need to Reset your States before testing.
      If you have Rules like Any-Any in your OpenVPN Group tab make sure to put the new Rule on top of that.

      -Rico
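
A simplified first-match model of the OpenVPN rules tab, added here as an example and not part of Rico's post or of pfSense itself, for checking what a rule list lets through before testing on the firewall. It compares the source written with the /24 mask against a host-only /32 source followed by a block rule for that client; the RDP host address 192.168.1.50, the any-any rule and all function names are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "pass" or "block"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    port: Optional[int]    # TCP destination port, None = any

def to_net(cidr):
    # strict=False masks the host bits: 10.11.12.13/24 becomes 10.11.12.0/24
    return ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, src_ip, dst_ip, port):
    """Return the action of the first matching rule, top down; default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in to_net(r.src) and dst in to_net(r.dst) and r.port in (None, port):
            return r.action
    return "block"

ANY = "0.0.0.0/0"
RDP_HOST = "192.168.1.50/32"               # constructed LAN address (assumption)
ALLOW_ALL = Rule("pass", ANY, ANY, None)   # any-any rule kept for unrestricted clients

# Source entered with the tunnel mask: it covers every client in 10.11.12.0/24,
# and non-RDP traffic from 10.11.12.13 still falls through to the any-any rule.
as_posted = [Rule("pass", "10.11.12.13/24", RDP_HOST, 3389), ALLOW_ALL]

# Host-only source, then a block for that client, both above the any-any rule.
isolated = [
    Rule("pass", "10.11.12.13/32", RDP_HOST, 3389),
    Rule("block", "10.11.12.13/32", ANY, None),
    ALLOW_ALL,
]

if __name__ == "__main__":
    flows = [("10.11.12.13", "192.168.1.50", 3389),   # restricted client, RDP
             ("10.11.12.13", "192.168.1.20", 445),    # restricted client, file share
             ("10.11.12.40", "192.168.1.20", 445)]    # unrestricted client
    for name, rules in (("as_posted", as_posted), ("isolated", isolated)):
        for flow in flows:
            print(name, flow, evaluate(rules, *flow))
```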

      • G
        Getbys @Rico
        last edited by Nov 1, 2018, 10:10 AM

        @rico Thanks!
