Limit VPN user access to IP and Port



  • Is it possible to limit certain VPN users to only have access to a specific IP and specific Port?

    For example, "JohnDoe" logs in remotely using OpenVPN. He is only allowed to access MS RDP by connecting to the workstation IP "192.168.1.153" on port "3389". Connections to any other IP address on the LAN or WAN will be blocked. Connecting to any port besides 3389 is not allowed.

    There are multiple users that have similar rules. I'd rather not have filter rules set up static IP addresses if users are able to change their IP address.



  • Can you group those users?
    If so, you can set up multiple OpenVPN servers, one for each group.
    Then create firewall rules for each group.

    If you don't want groups, you have to assign static tunnel IPs for those restricted clients and create rules based on client tunnel IPs.

    Use topology subnet, it's easier (there is no need for net30 anymore).
    Do assign the VPN interfaces and leave the default OpenVPN tab empty in both cases.



  • Is there a VPN setting to assign a certain IP address to a certain user?



  • @emsjessec
    You can do that by CSO (VPN > OpenVPN > Client Specific Overrides). However, that requires either SSL/TLS auth (client certificates) or a RADIUS server for client authentication.
    Then you can assign a unique IP to a certain common name in the CSO.



  • @viragomann

    Is a common name a VPN user name? Each VPN user has their own certificate. Each certificate was created by the router and not from a certificate authority.

    Once users connect to the VPN on a unique IP using the CSO, can they change their static IP address in the network adapter properties?



  • The common name in the CSO has to be the common name from the client certificate (usually that's the same as the user name).

    It doesn't matter where the client certs are from, but pfSense must know them (they must be imported if they are from outside).

    No, if the client changes his IP, no traffic will flow over the VPN.



  • So would the common name be: verify-x509-name "Open VPN Server Cert" from the .ovpn file?



  • This is the solution that worked

    1. Get the username under: System > User Manager. It's the common name.
    2. VPN > OpenVPN > Client Specific Overrides
    3. Click Green plus
    4. Under Advanced enter the static IP: ifconfig-push 192.168.2.99 255.255.255.0;
    5. Firewall > Rules > OpenVPN
    6. Add rule with Action "Pass" on Interface "OpenVPN"
    7. Enter "Source" as the IP address 192.168.2.99
    8. Enter "Destination" as the IP to grant access, such as 192.168.1.53
    9. Set Port to MS RDP 3389
    10. Save
    11. Add another rule with Action "Block" and Interface "OpenVPN"
    12. Set source to the VPN static IP: 192.168.2.99
    13. Destination is set to "any"
    14. Save
    15. Make sure the "Pass" rule you added is above the "Block" rule
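As an added example, not from the thread: a small Python model of the solution's two OpenVPN-tab rules under pfSense's first-match evaluation, used to confirm that only the RDP connection passes, that everything else from that tunnel IP is blocked, and that swapping the order (step 15) silently shadows the pass rule. The rule semantics and the implicit default deny are modelled here as assumptions; this is not pfSense's own code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two OpenVPN-tab rules from the solution, evaluated as
# pfSense does: top to bottom, first match wins, implicit deny at the end.

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: str                      # IP or CIDR; "any" matches everything
    dst: str
    proto: Optional[str] = None   # None = any protocol
    port: Optional[int] = None    # None = any destination port

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        return (_ip_in(src, self.src) and _ip_in(dst, self.dst)
                and self.proto in (None, proto) and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would also match this rule."""
        return (_spec_covers(self.src, other.src) and _spec_covers(self.dst, other.dst)
                and self.proto in (None, other.proto) and self.port in (None, other.port))

def _ip_in(ip: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _spec_covers(outer: str, inner: str) -> bool:
    if outer == "any" or inner == "any":
        return outer == "any"
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))

def evaluate(rules, proto, src, dst, port) -> str:
    """Action of the first matching rule, else pfSense's implicit default deny."""
    for r in rules:
        if r.matches(proto, src, dst, port):
            return r.action
    return "block"

def shadowed_pass_rules(rules):
    """Pass rules that can never fire because an earlier block rule covers them (the step 15 check)."""
    return [r for i, r in enumerate(rules) if r.action == "pass"
            and any(b.action == "block" and b.covers(r) for b in rules[:i])]

JOHN, RDP_HOST = "192.168.2.99", "192.168.1.53"   # CSO tunnel IP (step 4), allowed host (step 8)
OPENVPN_TAB = [                                    # order as step 15 requires: Pass above Block
    Rule("pass", JOHN, RDP_HOST, proto="tcp", port=3389),
    Rule("block", JOHN, "any"),
]
```

Running `shadowed_pass_rules` on the rule list before saving catches the case where the Block rule landed above the Pass rule.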
