Two OpenVPN instances RADIUS authorization via group membership



  • Hi,

    I'm running pfSense 2.4.4p3 with two OpenVPN instances for two different types of users. Users are being authenticated via Radius. There are different packet filter rules for each VPN which is why there are two different OpenVPN instances in the first place.

    Both OpenVPN services are Remote Access SSL/TLS + user auth configuration in tun mode but on different ports on the public facing interface.
    The only thing that prevents users from using the OTHER VPN service is the fact that I'm also using a static TLS key.

    Can I somehow define some kind of authorization so that one group of users is only allowed to connect to OpenVPN service on port 1194 (vpnA) while the other group may only use the service on port 1195 (vpnB)?

    This is what the users file in RADIUS looks like:

    username SHA2-Password := 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
            Class := "vpnA"
    username SHA2-Password := 481f6cc0511143ccdd7e2d1b1b94faf0a700a8b49cd13922a70b5ae28acaa8c5
            Class := "vpnB"


  • Rebel Alliance Developer Netgate

    That would be up to the RADIUS server. Capture and check requests from each OpenVPN instance and look for attributes that are unique there which it could use to distinguish between the two (e.g. Calling-Station-Id). Or set up two Authentication Server entries on pfSense pointing to the same server but with different RADIUS NAS IP Attribute settings.

    Then in your RADIUS config you should be able to tell it to only authorize a user if they match along with whatever other attribute you decide to use.
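Added example (not from either poster): a FreeRADIUS `users` file that turns the approach above into per-instance authorization. It assumes the second option in the reply, i.e. two Authentication Server entries on pfSense whose RADIUS NAS IP Attribute is set to different addresses (192.0.2.1 for vpnA, 192.0.2.2 for vpnB; both are placeholders), so that each OpenVPN instance's Access-Request arrives with a distinct NAS-IP-Address. The user names, hashes and IPs are constructed; the `Class` reply lines mirror the original poster's file.

```text
# FreeRADIUS "users" file (example, not from the thread).
# First line of an entry = check items, ANDed together; indented lines = reply items.
# NAS-IP-Address is whatever pfSense's "RADIUS NAS IP Attribute" setting sends,
# so it identifies which OpenVPN instance is asking (placeholder addresses).

# vpnA users: password must match AND the request must come from the vpnA instance
alice   SHA2-Password := "CONSTRUCTED_SHA256_HEX_FOR_ALICE", NAS-IP-Address == 192.0.2.1
        Class := "vpnA"

# vpnB users: same pattern, bound to the vpnB instance
bob     SHA2-Password := "CONSTRUCTED_SHA256_HEX_FOR_BOB", NAS-IP-Address == 192.0.2.2
        Class := "vpnB"

# Anything that falls through (wrong instance for that user, or unknown user) is rejected.
DEFAULT Auth-Type := Reject
        Reply-Message := "Not authorized on this VPN instance"
```

If a vpnA user tries the vpnB port, the `NAS-IP-Address == 192.0.2.1` check on their entry fails, FreeRADIUS continues past it, and the `DEFAULT` entry returns Access-Reject, so the static TLS key is no longer the only thing keeping the two user groups apart. To use Calling-Station-Id instead (the other attribute suggested in the reply), swap the `NAS-IP-Address` check for `Calling-Station-Id` with whatever value the captured requests show; confirm the exact attribute and value with `radiusd -X` before relying on it.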

