Limit VPN user access to IP and Port



  • Is it possible to limit certain VPN users to only have access to a specific IP and specific Port?

    For example, "JohnDoe" logs in remotely using OpenVPN. He is only allowed to access MS RDP by connecting to the workstation IP "192.168.1.153" on port "3389". Connections to any other IP address on the LAN or WAN will be blocked. Connecting to any port besides 3389 is not allowed.

    There are multiple users that have similar rules. I'd rather not have filter rules set up static IP addresses if users are able to change their IP address.



  • Can you group those users?
    If so, you can setup multiple OpenVPN servers, one for each group.
    Then create firewall rules for each group.

    If don't want groups, you have to assign static tunnel IPs for those restricted clients and create rules based on client tunnel IPs.

    Use topology subnet, it's easier (there is no need for for net30 anymore).
    Do assign the VPN interfaces and leave the default OpenVPN tab empty in both cases.



  • Is there a VPN setting to assign a certain IP addres to a certain user?



  • @emsjessec
    You can do that by CSO (VPN > OpenVPN > Client Specific Overrides). However, that requires either SSL/TLS auth (client certificates) or a RADIUS server for client authentication.
    Then you can assign a unique IP to a certain common name in the CSO.



  • @viragomann

    Is a common name a VPN user name? Each VPN user has their own certificate. Each certificate was created by the router and not from a certificate authority.

    Once users connect to the VPN on a unique IP using the CSO, can they change their static IP address in the network adapter properties?



  • The common name in the CSO has to be the common name from the client certificate (usually that's the same as the user name).

    It doesn't matter, where the client certs are from, but pfSense must know them (they must be imported if they are from outside).

    No, if the client changes his IP no traffic will flow over the VPN.


Log in to reply