Netgate Discussion Forum

    Question on OpenVPN restricting IPs

    Vlee

      Hello,

      We have users using OpenVPN on pfsense.
      I was wondering if there was a way to restrict certain users to only accessing a single IP on our network. Currently these users can access any.

      Thank you!

      JeGr LAYER 8 Moderator

        Depending on the amount of users in each category (needing access to anything or only a few IPs), you'd either create a second OpenVPN server instance with another dialup IP range that you can filter.
        Or you can use semi-static IPs based on the client cert or username (with FreeRadius) and create a client specific override if it's only a few hosts. CSOs match the certificate and you can then define what IP in your OVPN tunnel network they should get. Of course that doesn't work well if you allow users to dial in multiple times with the same credentials/cert package as you can only hand out a single IP.

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        NogBadTheBad

          ^^ this.

          I use IPSec & Freeradius, Freeradius hands out framed-ip addresses based on username and I have firewall rules on the IPSec interface.

          Screenshot 2020-01-29 at 16.38.07.png

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          JeGr LAYER 8 Moderator

            Right, if you use OpenVPN for Remote Access with FreeRadius on pfSense, you can use those IP Address and Subnet Mask fields, too. They are directly pushed to OpenVPN and the client as you dial in and spare you setting up an OVPN Client Specific Override (CSO) based on a cert. So you can even make that work for OpenVPN RAS scenarios where you only use User/Pass (without certificates) with older clients or remote/IoT devices that don't support them.

            Actually that's one point why I'm propagating the use of FreeRadius together with pfSense' OpenVPN in RAS scenarios, as it's much easier to handle than creating CSOs based on the CN of certificates. Also it minimizes the probability to make configuration errors that would allow VPN users to access pfSense WebUI with their only-for-VPN user when using internal authorization.

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
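As an added illustration (not code from this thread, from pfSense or from the FreeRADIUS package), the two pieces the answers above combine for a per-user IP pin: a client-specific override that pushes a fixed tunnel address, and a firewall rule on the OpenVPN interface that lets that address reach exactly one host. The tunnel network, user names, hosts and the ovpns1 interface name are assumed values; the net30 handling goes one step beyond the thread by showing why the pushed address must be a valid /30 client address under that topology.

```python
import ipaddress

# Constructed values: OpenVPN tunnel network, server tunnel address, pfSense interface name.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")
SERVER_IP = ipaddress.ip_address("10.8.0.1")
OVPN_IFACE = "ovpns1"

# Constructed assignments: user -> (fixed tunnel IP, the one LAN host it may reach).
ASSIGNMENTS = {
    "alice": ("10.8.0.10", "192.168.1.50"),
    "bob":   ("10.8.0.14", "192.168.1.50"),
}

def cso_line(ip, topology="subnet"):
    """Return the ifconfig-push directive for a client-specific override.
    With 'topology subnet' the client receives IP + netmask. With the legacy
    'net30' topology every client occupies a /30, so the directive needs the
    client IP and the server-side endpoint of that /30, and only the second
    usable address of a /30 is a valid client IP.
    """
    addr = ipaddress.ip_address(ip)
    if addr not in TUNNEL_NET or addr == SERVER_IP:
        raise ValueError(f"{ip} is not a usable client address in {TUNNEL_NET}")
    if topology == "subnet":
        return f"ifconfig-push {addr} {TUNNEL_NET.netmask}"
    block = ipaddress.ip_network(f"{addr}/30", strict=False)
    server_end, client = block.hosts()          # ascending: .1 server side, .2 client
    if addr != client:
        raise ValueError(f"{ip} is not the client address of {block} (use {client})")
    return f"ifconfig-push {client} {server_end}"

def firewall_rule(ip, dest):
    """pf-style equivalent of a pfSense rule on the OpenVPN interface that lets
    this tunnel IP reach exactly one host; everything else on the interface is
    denied by the trailing block rule that build_overrides() appends."""
    return f"pass in quick on {OVPN_IFACE} inet from {ip} to {dest} keep state"

def build_overrides(assignments, topology="subnet"):
    """Produce {user: CSO text} and the ordered rule list, rejecting duplicate
    tunnel IPs (a CSO can only hand one address to a cert/user, as noted above)."""
    owner, ccd, rules = {}, {}, []
    for user, (ip, dest) in assignments.items():
        if ip in owner:
            raise ValueError(f"{ip} assigned to both {owner[ip]} and {user}")
        owner[ip] = user
        ccd[user] = cso_line(ip, topology)
        rules.append(firewall_rule(ip, dest))
    rules.append(f"block in quick on {OVPN_IFACE} inet all")  # default deny
    return ccd, rules
```

Each value in the returned dict is the content of one file in the server's client-config-dir (named after the certificate CN or the RADIUS username), and the rule list is the order the pass/block rules must appear in on the OpenVPN interface.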

            NogBadTheBad @JeGr

              @JeGr said in Question on OpenVPN restricting IPs:

              Actually that's one point why I'm propagating the use of FreeRadius together with pfSense' OpenVPN in RAS scenarios, as it's much easier to handle than creating CSOs based on the CN of certificates. Also it minimizes the probability to make configuration errors that would allow VPN users to access pfSense WebUI with their only-for-VPN user when using internal authorization.

              Yeah, it's just a bit of a pain adding the users by hand. I did pop a redmine in for a copy function in the Freeradius package a couple of years ago.

              https://redmine.pfsense.org/issues/8031

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.