Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Restrict access for certain VPN users?

    Scheduled Pinned Locked Moved IPsec
    15 Posts 3 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      luas
      last edited by

      Hi,
      we have an existing IPSec configuration on pfsense 2.4.4.
      Now I got a request from a service engineer which would like to access one certain device in our network via VPN. I don't like the idea that he can see all devices in our network. Is there a possibility to setup firewall rules so that VPN user A does see a different set of devices than VPN user B?

      If no, do you have any other hints? Like temporarily enabling the user on request and otherwise have it disabled?

      K 1 Reply Last reply Reply Quote 0
      • K
        Konstanti @luas
        last edited by Konstanti

        @luas Hey
        You can configure the user access through the access rules of the interface of IPSEC. These rules will apply to incoming packets on the other side of the tunnel.
        In this way , you can configure the firewall so that the service engineer ( IP A) can only access one device (IP B) through a VPN.
        This is provided if we are talking about site-to-site configuration. And the service engineer's computer has static ip.
        If we are talking about the road warrior, then here you can consider the option of Openvpn. In this case , you can configure the server so that each remote client is assigned a specific ip address . And on this basis it is already possible to build a security policy .

        1 Reply Last reply Reply Quote 0
        • NogBadTheBadN
          NogBadTheBad
          last edited by NogBadTheBad

          Look at freeradius to hand out fixed ip addresses, you can then have firewall rules based on ip addresses.

          There is quite a bit more work to enable this.

          https://forum.netgate.com/topic/115795/guide-ikev2-ipsec-per-user-firewall-rule-settings-with-freeradius

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          1 Reply Last reply Reply Quote 0
          • L
            luas
            last edited by

            Okay, so with default IPSec, there's no chance to hand out fixed IP addresses and therefore no possibility to attach specific access rights?
            I'll probably stick to the simple enable-on-request solution then. Thanks!

            K 1 Reply Last reply Reply Quote 0
            • K
              Konstanti @luas
              last edited by

              @luas
              There is such an opportunity for Road Warriors
              What authentication method is used ?

              0_1546963580627_09aec13b-0f35-43be-9814-d07c7cf05d0f-image.png

              1 Reply Last reply Reply Quote 0
              • L
                luas
                last edited by

                We authenticate via Active Directory. "Pre-Shared Keys" as in your screenshot is empty in our pfsense config.

                K 2 Replies Last reply Reply Quote 0
                • K
                  Konstanti @luas
                  last edited by Konstanti

                  @luas

                  It doesn't matter
                  You can fill in this field with any characters, as long as the user ID matches
                  This creates a config for the user "engineer" and assigns the required ip address

                  1 Reply Last reply Reply Quote 0
                  • K
                    Konstanti @luas
                    last edited by

                    @luas For example
                    I have authorization configured on the certificates
                    0_1546964423915_0be787be-f9f2-421d-80ba-b48a9386c085-image.png

                    1 Reply Last reply Reply Quote 0
                    • L
                      luas
                      last edited by

                      @Konstanti Thanks!
                      I tried this, but with no luck.
                      I used "username" or "username@domain.local" as Identifier, entered a Pre-Shared-Key and a specific IP-Adress with mask /32.
                      But I will still get an address from the default pool.

                      I also tried to configure a unique PSK for the engineer in the given dialog, but then the tunnel won't come up at all.

                      Any other idea?

                      K 1 Reply Last reply Reply Quote 0
                      • K
                        Konstanti @luas
                        last edited by Konstanti

                        @luas Hey
                        Show me how you filled in these fields
                        0_1547071305348_e2625573-653b-457c-8e12-d5d9967a27d2-image.png

                        And what is the ID of the engineer ?

                        1 Reply Last reply Reply Quote 0
                        • L
                          luas
                          last edited by

                          0_1547071612617_183eff1a-4d5d-4089-ac16-7794230f5517-image.png

                          K 1 Reply Last reply Reply Quote 0
                          • K
                            Konstanti @luas
                            last edited by

                            @luas Hey
                            If the problem is still relevant, I think I know how to solve it

                            L 1 Reply Last reply Reply Quote 0
                            • L
                              luas @Konstanti
                              last edited by

                              @konstanti Yes, I'm still interested!

                              K 1 Reply Last reply Reply Quote 0
                              • K
                                Konstanti @luas
                                last edited by Konstanti

                                @luas
                                t's easy , but you need to work with your hands a little .

                                1. create a file on the firewall , for example, /usr/local/tmp/ip.sh
                                  make it executable, chmod +x ip.sh)
                                  Write on there such the text

                                0_1547906340263_d3c90542-b90c-4b2b-9038-8372cf693592-image.png

                                Save

                                1. /diagnostics/edit file/ etc/inc/vpn.inc
                                  Find here is such a string
                                  if (isset($ph1ent['mobile')])) {
                                  Adding here is such the text
                                  $ipsecfin .="\tleftupdown=sh /usr/local/tmp/ip.sh\n";

                                  0_1547906566190_2649f0b6-288f-4873-a920-4093a42d43f0-image.png

                                Save

                                1. vpn/ipsec/ mobile client /phase 1/ not to change anything . Click Save, exit

                                2. /diagnostics/edit file /var/etc/ipsec.ipsec.conf
                                  0_1547907106048_10d9505b-2a45-45d7-bdb4-cb7d7a57c24c-image.png

                                Make sure that everything is correct

                                As a result at us at an input of the user "konstanti" the script which gives it the rights of connection only to a host 192.168.15.6 works , other traffic is blocked. No matter what virtual ip it gets.
                                Other users work without restrictions

                                0_1547907688038_4218d0ba-b37f-4782-9200-b243adeb17e7-image.png

                                0_1547908146671_d0a1143a-e8ce-49cb-a2a9-c927664d6387-image.png

                                In your case , we change the username to "engineer ID" and adjust the rules so that it has limited access.
                                This can be done for any user
                                The only caveat that we need to know .
                                With every system update , the file vpn.inc will be overwritten and changes will need to be made again

                                1 Reply Last reply Reply Quote 0
                                • NogBadTheBadN
                                  NogBadTheBad
                                  last edited by

                                  Or you could just use FreeRadius like I suggested and not have to mess about with text files.

                                  Andy

                                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.