Netgate Discussion Forum
    how to narrow access for an openvpn user

      Fons

      Hi,

      I need to give access to a specific client to a specific application on a specific server.
      The only way it works is to use a vpn, in our case openvpn.
      But the way we organised openvpn is that the client would have access to all sources of our site.
      The question therefore is: how can I narrow down the access the client has to just that server and application?
      Should I make a rule to his specific wan ip?
      Or should I make a rule to his openvpn ip?
      And what would a rule look like and where to make it: lan side or wan side?
      Love to hear from someone, regards, Fons

        seanbull Banned

        Is it a premium?

          NogBadTheBad

          @Fons said in how to narrow access for an openvpn user:

          need to give access to a specific client to a specific application on a specific server.
          The only way it works is to use a vpn, in our case openvpn.
          But the way we organised openvpn is that the client would have access to all sources of our site.
          The question therefore is: how can I narrow down the access the client has to just that server and application?
          Should I make a rule to his specific wan ip?
          Or should I make a rule to his openvpn ip?
          And what would a rule look like and where to make it: lan side or wan side?
          Love to hear from someone, regards, Fons

          Give the client a specific IP address and then create firewall rules, an explicit allow to the host they need access to then an explicit deny to anything else from their IP address.

          Make sure the two rules are above the allow any normal OpenVPN clients.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
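
The rule ordering described in the answer above, modelled as an added example that is not part of the original thread and is not pfSense code: a small first-match evaluator (pfSense applies the rules on an interface top-down, first match wins) showing what the restricted client can reach when the two specific rules sit above the general OpenVPN allow, and what leaks when they sit below it. All addresses, the port and the rule names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    port: Optional[int] = None   # None matches any destination port

    def matches(self, src_ip, dst_ip, dst_port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.port in (None, dst_port))

def evaluate(rules, src_ip, dst_ip, dst_port):
    """First matching rule wins; no match at all means block (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action
    return "block"

# Constructed values (assumptions): tunnel network 10.8.0.0/24, restricted
# client pinned to 10.8.0.50, application server 192.168.1.20 on TCP 443.
CLIENT = "10.8.0.50"
ALLOW_APP = Rule("pass", "10.8.0.50/32", "192.168.1.20/32", 443)
DENY_REST = Rule("block", "10.8.0.50/32", "0.0.0.0/0")
ALLOW_VPN = Rule("pass", "10.8.0.0/24", "0.0.0.0/0")

CORRECT = [ALLOW_APP, DENY_REST, ALLOW_VPN]     # specific rules on top
MISORDERED = [ALLOW_VPN, ALLOW_APP, DENY_REST]  # general allow placed first

def reachable(rules, src_ip, targets):
    """Return the (ip, port) targets that the ruleset passes for src_ip."""
    return [t for t in targets if evaluate(rules, src_ip, *t) == "pass"]

# The application, SSH on the same server, and a file share on another host.
TARGETS = [("192.168.1.20", 443), ("192.168.1.20", 22), ("192.168.1.30", 445)]

if __name__ == "__main__":
    print("correct order:   ", reachable(CORRECT, CLIENT, TARGETS))
    print("misordered:      ", reachable(MISORDERED, CLIENT, TARGETS))
    print("other VPN client:", reachable(CORRECT, "10.8.0.10", TARGETS))
```

With the general allow on top, the client-specific rules are never reached, so the restricted client gets the same access as every other VPN user.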

            Gertjan

            Added to what @NogBadTheBad said :

            Start up a new OpenVPN server on - example - port 1195.
            Assign this user - his credentials - to this VPN.
            Assign the OpenVPN interface of this instance to an Interface.
            Now you can use this firewall for this interface to fine-grain the access on IP "destination".

            When a user comes in using a VPN, he can access - typically - your LAN(s). But all devices on these LANs have their own access codes.
            The server your user should access has its own user privileges set up, right?

            Btw : put your server on a DMZ ....

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.