Netgate Discussion Forum

User-based access to different subnets

OpenVPN
5 Posts 3 Posters 1.1k Views
    cdunbar
    last edited by Dec 11, 2018, 8:57 PM

    Hello,

    I have a new pfSense box with multiple network interfaces corresponding to different groups of users. For example, group A needs to access interface/subnet A and group B needs to access interface/subnet B. I'm looking for the most elegant way to implement this and what I have come up with on my own seems inelegant. All I have so far is to create multiple OpenVPN servers running on different ports (e.g. 1194, 1195, etc.) and assign each group of users to a separate OpenVPN server. That would allow me to assign a unique OpenVPN client subnet to each group and then control access via firewall rules to the corresponding interface/subnets mentioned above.

    My preference is to run a single OpenVPN server and control network access by users and/or user groups. Is that possible? Can you point me in the right direction or suggest another solution?

    Thank you,
    cdunbar

      johnpoz LAYER 8 Global Moderator
      last edited by Dec 11, 2018, 9:07 PM

      So these are remote users...

      So you can set up VPN user A to get IP address X, and set up user B to get IP address Y... You then in your rules allow X to get to what it needs, and Y to get to what it needs.

      There is no real reason to run multiple instances, but that might be easier if all users need the same sort of access and there is no bleed-over where user A might need part of what user B has access to.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        cdunbar
        last edited by Dec 11, 2018, 9:20 PM

        @johnpoz,

        Thank you for the reply. I think I understand what you suggested, but managing individual IPs and firewall rules wouldn't scale very well. I'll potentially have 15+ users in each group and that would be a mess to keep up with.

        I just discovered Client Specific Overrides and it looks like it could do what I am looking for. However, it seems to also be too granular (i.e. one override per unique user) and I'm not sure if I can use it for a group of users. Any experience with this?

        Thank you,
        cdunbar

          Rico LAYER 8 Rebel Alliance
          last edited by Dec 11, 2018, 9:26 PM

          With CSO you can bind a fixed IP to each of your VPN RAS Users.
          After that you could group your Users with Aliases via the IP and use the Alias in Firewall Rules.

          -Rico

            cdunbar
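The two replies above, carried through as an added example (this is not code from the thread, from Netgate or from pfSense; every address, group name, certificate CN, directory and the interface name ovpns1 is an assumption). It builds the pieces the replies describe: a fixed tunnel address per user written as an OpenVPN client-config-dir file (what a pfSense Client Specific Override produces), with each group's users drawn from their own block so that one firewall rule per group, keyed on the block, replaces per-user rules. It also adds the check a practitioner wants before trusting those rules: the group blocks must lie inside the tunnel network and must not overlap each other or the dynamic pool, because a client that connects without an override gets a pool address and must never land inside a block a pass rule trusts. The firewall rules are rendered in pf syntax as an illustration of what the GUI rules on the OpenVPN interface express; the same rule shape applies to the one-server-per-group layout from the last post, with each server's tunnel network as the source and no per-user overrides needed.

```python
"""Group-based access on one OpenVPN server: a fixed tunnel address per
user (client-config-dir / pfSense Client Specific Override) drawn from a
per-group block, plus firewall rules keyed on the block.
Added example; all addresses, names and paths are assumptions."""
import ipaddress
from pathlib import Path

# Assumed address plan: tunnel network 10.8.0.0/22, dynamic pool for
# clients without an override confined to 10.8.0.0/24, one /24 per group
# for fixed addresses.  Group blocks must never overlap the pool.
TUNNEL = "10.8.0.0/22"
DYNAMIC_POOL = "10.8.0.0/24"
GROUPS = {
    # group name: tunnel block for its users, LAN subnet it may reach
    "groupA": {"tunnel": "10.8.1.0/24", "lan": "192.168.10.0/24"},
    "groupB": {"tunnel": "10.8.2.0/24", "lan": "192.168.20.0/24"},
}
# Constructed membership; keys are the clients' certificate common names.
MEMBERS = {"groupA": ["alice", "bob"], "groupB": ["carol", "dave", "erin"]}


def check_layout(tunnel, pool, groups):
    """Return a list of address-plan problems (empty when the plan is safe):
    a block outside the tunnel network, or an overlap between the dynamic
    pool and a group block or between two group blocks."""
    tun = ipaddress.ip_network(tunnel)
    blocks = [("dynamic pool", ipaddress.ip_network(pool))]
    blocks += [(name, ipaddress.ip_network(spec["tunnel"]))
               for name, spec in groups.items()]
    problems = []
    for name, blk in blocks:
        if not blk.subnet_of(tun):
            problems.append(f"{name} block {blk} is outside tunnel network {tun}")
    for i, (name_a, a) in enumerate(blocks):
        for name_b, b in blocks[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} block {a} overlaps {name_b} block {b}")
    return problems


def assign_addresses(groups, members):
    """Give each user the next free host address in its group's block.
    Returns {cn: (group, address)} with addresses as strings."""
    assigned = {}
    for group, cns in members.items():
        hosts = ipaddress.ip_network(groups[group]["tunnel"]).hosts()
        for cn in cns:
            assigned[cn] = (group, str(next(hosts)))
    return assigned


def ccd_files(assigned, groups):
    """One client-config-dir file per CN for 'topology subnet':
    'ifconfig-push <address> <netmask>', which is what a pfSense CSO emits."""
    files = {}
    for cn, (group, addr) in assigned.items():
        netmask = ipaddress.ip_network(groups[group]["tunnel"]).netmask
        files[cn] = f"ifconfig-push {addr} {netmask}\n"
    return files


def write_ccd(directory, files):
    """Write the files.  The server then needs 'client-config-dir <directory>'
    and, to refuse any certificate that has no file here, 'ccd-exclusive';
    with that, no client can connect on a dynamic pool address at all."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for cn, text in files.items():
        (d / cn).write_text(text)
    return sorted(p.name for p in d.iterdir())


def group_for(address, groups):
    """Which group's pass rule a tunnel address would match, or None."""
    addr = ipaddress.ip_address(address)
    for name, spec in groups.items():
        if addr in ipaddress.ip_network(spec["tunnel"]):
            return name
    return None


def firewall_rules(groups, tunnel, iface):
    """pf-style rules in first-match order, as the GUI rules on the OpenVPN
    interface would express them: one pass per group block to its LAN,
    then a block for everything else arriving from the tunnel network."""
    rules = [f"pass in quick on {iface} inet from {spec['tunnel']} "
             f"to {spec['lan']} keep state" for spec in groups.values()]
    rules.append(f"block in quick on {iface} inet from {tunnel} to any")
    return rules


if __name__ == "__main__":
    problems = check_layout(TUNNEL, DYNAMIC_POOL, GROUPS)
    if problems:
        raise SystemExit("\n".join(problems))
    assigned = assign_addresses(GROUPS, MEMBERS)
    for cn, text in ccd_files(assigned, GROUPS).items():
        print(f"ccd/{cn}: {text}", end="")
    print("\n".join(firewall_rules(GROUPS, TUNNEL, "ovpns1")))
```

Adding a user is then one line in MEMBERS and one generated override file; the firewall rules never change. The non-overlap check is the part that makes the rules trustworthy: with a pool address such as 10.8.0.57, group_for returns None and only the final block rule matches, and if the pool cannot be confined on a given server, ccd-exclusive is the fallback that keeps unlisted certificates off the tunnel entirely.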
            last edited by Dec 12, 2018, 3:37 PM

            For posterity...

            I decided to set up a separate OpenVPN server for each group of users. In the end it was the cleanest way to differentiate between the groups by assigning a unique subnet to each instance of OpenVPN. Client Specific Overrides is an interesting feature and might have allowed a portion of what I was looking for, but did not offer a complete solution.

            Thank you,
            cdunbar

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.