Restricting specific users to specific OpenVPN instances



  • I'm having an issue restricting user access to specific instances of OpenVPN.

    In my current setup, I have two instances of OpenVPN running: privileged and unprivileged. I would like to restrict privileged to one instance and unprivileged to another; that is, privileged cannot login as unprivileged and vice versa. Right now though, both users can login to both servers, which is a problem.

    I have tried to implement this partitioning by configuring each OpenVPN server with separate Peer Certificate Authorities and separate Server Certificates. I would have thought this might work, since I have entirely different CAs specified for privileged and unprivileged, but so far, to no avail.

    Any thoughts?

    Also, as an aside, what is the best practices recommendation for multiuser OpenVPN? Should I have multiple instances with different permissions, or one instance with Client Specific Overrides?

    Thank you



  • @sparkman123 said in Restricting specific users to specific OpenVPN instances:

    I have tried to implement this partitioning by configuring each OpenVPN server with separate Peer Certificate Authorities and separate Server Certificates. I would have thought this might work, since I have entirely different CAs specified for privileged and unprivileged, but so far, to no avail

    It should work fine this way. I'm running five OpenVPN servers with five different CAs on one pfSense box and users are able to connect to only one server.
    Create a CA for each server, create the server cert and assign it to the specific server. Create the user certs for the users who should be able to connect to that server from the CA which is defined in the server's settings. So only users with a cert from that CA are able to connect.

    @sparkman123 said in Restricting specific users to specific OpenVPN instances:

    Should I have multiple instances with different permissions, or one instance with Client Specific Overrides?

    Both ways are doable and should work for you.



  • You could use a remote directory and apply different groups to each server.

