How to narrow access for an OpenVPN user



  • Hi,

    I need to give access to a specific client to a specific application on a specific server.
    The only way it works is to use a VPN, in our case OpenVPN.
    But the way we organised OpenVPN is that the client would have access to all resources of our site.
    The question therefore is: how can I narrow down the access the client has to just that server and application?
    Should I make a rule for his specific WAN IP?
    Or should I make a rule for his OpenVPN IP?
    And what would a rule look like, and where should I make it: LAN side or WAN side?
    Love to hear from someone, regards, Fons


  • Banned

    Is it a premium?


  • Galactic Empire

    @Fons said in How to narrow access for an OpenVPN user:

    I need to give access to a specific client to a specific application on a specific server.
    The only way it works is to use a VPN, in our case OpenVPN.
    But the way we organised OpenVPN is that the client would have access to all resources of our site.
    The question therefore is: how can I narrow down the access the client has to just that server and application?
    Should I make a rule for his specific WAN IP?
    Or should I make a rule for his OpenVPN IP?
    And what would a rule look like, and where should I make it: LAN side or WAN side?
    Love to hear from someone, regards, Fons

    Give the client a specific IP address and then create firewall rules: an explicit allow to the host they need access to, then an explicit deny to anything else from their IP address.

    Make sure the two rules are above the "allow any" for normal OpenVPN clients.



  • Adding to what @NogBadTheBad said:

    Start up a new OpenVPN server on, for example, port 1195.
    Assign this user (his credentials) to this VPN.
    Assign the OpenVPN interface of this instance to an Interface.
    Now you can use the firewall rules on this interface to fine-grain the access on IP "destination".

    When a user comes in using a VPN, he can typically access your LAN(s). But all devices on these LANs have their own access controls.
    The server your user should access has its own user privileges set up, right?

    Btw: put your server in a DMZ ....
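To make the two approaches above concrete, here is a small first-match rule evaluator, added as an illustration and not code from the thread or from pfSense/OpenVPN. It models @NogBadTheBad's rule set (restricted client pinned to a fixed tunnel address, explicit allow then explicit deny placed above the general OpenVPN allow), shows what goes wrong when the general allow is listed first, and models the separate-instance approach where the restricted client's OpenVPN interface carries only one allow rule. The tunnel networks, the server address 192.168.10.20, port 443, and the interface names "OpenVPN" and "OVPN_RESTRICTED" are constructed for the example; pfSense evaluates interface rules top-down with the first match winning, which is what `evaluate` reproduces.

```python
"""First-match firewall rule model for the OpenVPN client-restriction question.
Illustrative only; addresses, ports and interface names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the traffic enters on (OpenVPN group or assigned interface)
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str = "any"     # "any", "tcp" or "udp"
    dport: Optional[int] = None  # destination port, None = any port
    note: str = ""


SERVER = "192.168.10.20/32"          # constructed: the application server
ANY = "0.0.0.0/0"
VPN_NET = "10.8.0.0/24"               # constructed: shared OpenVPN tunnel network
PINNED = "10.8.0.50/32"               # constructed: static tunnel address given to the restricted user
RESTRICTED_NET = "10.9.0.0/24"        # constructed: tunnel network of the second OpenVPN instance


def restricted_rules() -> List[Rule]:
    """Correct ordering: explicit allow, explicit deny, then the general OpenVPN allow."""
    return [
        Rule("pass", "OpenVPN", PINNED, SERVER, "tcp", 443, "restricted user -> app server only"),
        Rule("block", "OpenVPN", PINNED, ANY, note="restricted user -> everything else"),
        Rule("pass", "OpenVPN", VPN_NET, ANY, note="normal OpenVPN clients"),
    ]


def misordered_rules() -> List[Rule]:
    """Same rules with the general allow on top: the specific rules are never reached."""
    r = restricted_rules()
    return [r[2], r[0], r[1]]


def separate_instance_rules() -> List[Rule]:
    """Second OpenVPN server on its own assigned interface: one allow, everything else hits default deny."""
    return [Rule("pass", "OVPN_RESTRICTED", RESTRICTED_NET, SERVER, "tcp", 443, "app server only")]


def matches(rule: Rule, iface: str, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    return (rule.iface == iface
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], iface: str, src: str, dst: str,
             proto: str = "tcp", dport: Optional[int] = None) -> Tuple[str, str]:
    """Top-down, first match wins; no match means the implicit default deny."""
    for rule in rules:
        if matches(rule, iface, src, dst, proto, dport):
            return rule.action, rule.note
    return "block", "default deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return (outer.iface == inner.iface
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule already covers all their traffic.
    Useful as a sanity check after editing an interface's rule list."""
    return [r for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


if __name__ == "__main__":
    good, bad = restricted_rules(), misordered_rules()
    print("pinned user -> server:443 :", evaluate(good, "OpenVPN", "10.8.0.50", "192.168.10.20", "tcp", 443))
    print("pinned user -> other host :", evaluate(good, "OpenVPN", "10.8.0.50", "192.168.10.21", "tcp", 22))
    print("normal user -> other host :", evaluate(good, "OpenVPN", "10.8.0.77", "192.168.10.21", "tcp", 22))
    print("misordered, pinned -> other:", evaluate(bad, "OpenVPN", "10.8.0.50", "192.168.10.21", "tcp", 22))
    print("shadowed in misordered set :", [r.note for r in shadowed(bad)])
```

The `shadowed` check is the part worth keeping around: if the two user-specific rules show up as shadowed, the general OpenVPN allow has been placed above them and the restriction is not in effect.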

