    User-based access to different subnets

    OpenVPN
    • cdunbar last edited by

      Hello,

      I have a new pfSense box with multiple network interfaces corresponding to different groups of users. For example, group A needs to access interface/subnet A and group B needs to access interface/subnet B. I'm looking for the most elegant way to implement this and what I have come up with on my own seems inelegant. All I have so far is to create multiple OpenVPN servers running on different ports (e.g. 1194, 1195, etc.) and assign each group of users to a separate OpenVPN server. That would allow me to assign a unique OpenVPN client subnet to each group and then control access via firewall rules to the corresponding interface/subnets mentioned above.

      My preference is to run a single OpenVPN server and control network access by users and/or user groups. Is that possible? Can you point me in the right direction or suggest another solution?

      Thank you,
      cdunbar

      • johnpoz LAYER 8 Global Moderator last edited by

        So these are remote users..

        So you can set up VPN user A to get IP address X, you set up user B to IP address Y... You then on your rules allow X to get to what it needs, and Y to get to what it needs.

        There is no real reason to run multiple instances - but that might be easier if all users need the same sort of access and there is no bleed over where user A might need part of what user B has access to.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

        • cdunbar last edited by

          @johnpoz,

          Thank you for the reply. I think I understand what you suggested, but managing individual IPs and firewall rules wouldn't scale very well. I'll potentially have 15+ users in each group and that would be a mess to keep up with.

          I just discovered Client Specific Overrides and it looks like it could do what I am looking for. However, it seems to also be too granular (i.e. one override per unique user) and I'm not sure if I can use it for a group of users. Any experience with this?

          Thank you,
          cdunbar

          • Rico LAYER 8 Rebel Alliance last edited by

            With CSO you can bind a fixed IP to each of your VPN RAS Users.
            After that you could group your Users with Aliases via the IP and use the Alias in Firewall Rules.

            -Rico

            2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

            • cdunbar last edited by
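Rico's scheme above, worked through as an added example (not from this thread or from pfSense itself): a POSIX shell script that pins each user of a group to a fixed address inside a per-group slice of one server's tunnel network, emits the `ifconfig-push` line a Client Specific Override amounts to, and lists the addresses for the per-group alias the firewall rules reference. The tunnel network 10.8.0.0/24, the group names, the slot ranges and "topology subnet" mode are all assumptions.

```shell
#!/bin/sh
# Added example, not pfSense code. Constructed layout: one OpenVPN server on
# 10.8.0.0/24, groupA pinned to .10-.69 and groupB to .70-.129 (60 slots each).
TUNNEL_PREFIX="10.8.0"
TUNNEL_MASK="255.255.255.0"
SLOTS_PER_GROUP=60

# group_base GROUP -> first host number reserved for GROUP (fails on unknown group)
group_base() {
  case "$1" in
    groupA) echo 10 ;;
    groupB) echo 70 ;;
    *) return 1 ;;
  esac
}

# user_ip GROUP INDEX -> fixed tunnel address of member INDEX (1-based),
# rejecting indexes outside the group's slice so groups can never overlap
user_ip() {
  base=$(group_base "$1") || return 1
  [ "$2" -ge 1 ] && [ "$2" -le "$SLOTS_PER_GROUP" ] || return 1
  echo "$TUNNEL_PREFIX.$((base + $2 - 1))"
}

# cso_entry GROUP INDEX -> the client-config-dir line an override's fixed
# address corresponds to (assumed "topology subnet")
cso_entry() {
  ip=$(user_ip "$1" "$2") || return 1
  echo "ifconfig-push $ip $TUNNEL_MASK"
}

# group_alias GROUP COUNT -> one address per line: the body of a Hosts alias
# that the group's firewall rules use as their source
group_alias() {
  i=1
  while [ "$i" -le "$2" ]; do
    user_ip "$1" "$i" || return 1
    i=$((i + 1))
  done
}

# Demo run for a group of 15 users, the size mentioned by the poster
if [ "${1:-}" = "demo" ]; then
  echo "# override for groupA member 1:"; cso_entry groupA 1
  echo "# alias groupA_vpn:"; group_alias groupA 15
fi
```

The rules are only as strong as the identity each override keys on: every user needs a distinct certificate CN or username, because users sharing credentials would share one pinned address and therefore one group's access.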

              For posterity...

              I decided to set up a separate OpenVPN server for each group of users. In the end it was the cleanest way to differentiate between the groups by assigning a unique subnet to each instance of OpenVPN. Client Specific Overrides is an interesting feature and might have allowed a portion of what I was looking for, but did not offer a complete solution.

              Thank you,
              cdunbar
