OVPN Single site, multiple remote users



  • Hello forum
    I posted my question at this link, because the spam blocker won't let me post directly here.
    https://imgur.com/a/DuXs9LF
    Sorry I can't do it a-better-way.
    Thanks for any replies.



  • Hi,

    So you have OpenVPN, using the OpenVPN server on pfSense working.
    OpenVPN clients will have access to your company LAN, which hosts these PCs.

    If every user has the Windows user credentials of their own PC, they should be able to log in, using RDP, to their own PC - and not the other PCs ... right?

    Never tried, but it might be possible to give every OpenVPN user a dedicated 'fixed' IP on the VPN tunnel network.
    Like DHCP versus static IP.
    Then you could make a firewall rule on the OpenVPN firewall interface that 'locks' every connected VPN user to their PC only.



  • Yes, that about sums it up.
    OpenVPN is up and running.
    Everyone knows how to login to their own Windoze boxen.
    Right now I'm hoping all the users can connect via the 10.1.1.0/24 subnet, and login to their windoze.
    One-to-one mapping between remote users and their personal desktops is the objective.
    TIA's for any clues or tips.


  • LAYER 8 Rebel Alliance

    With CSOs (Client Specific Overrides) you can bind Users to a fixed IP address inside your OpenVPN tunnel network.
    After that you can go crazy with the Rules per User like I do. 😁
    pfSense_OpenVPN_User-Rules.png
    You can also group Users with Firewall Aliases and use them in Firewall Rules, depends on how complex your setup is.

    -Rico
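
The one-to-one mapping discussed in this thread, worked through as an added example (not part of any post above): each user gets a fixed tunnel address via a per-client override, plus a single pass rule to their own desktop on RDP. The user names, the LAN addresses, the `.10` starting offset, `topology subnet` and the reading of 10.1.1.0/24 as the tunnel network are assumptions.

```python
import ipaddress

TUNNEL = ipaddress.ip_network("10.1.1.0/24")  # assumed to be the OpenVPN tunnel network
RDP_PORT = 3389

# Constructed sample data: certificate common name -> that user's desktop on the LAN.
USERS = {"alice": "192.168.10.21", "bob": "192.168.10.22", "carol": "192.168.10.23"}

def build_plan(users, tunnel=TUNNEL, first_host=10):
    """Give each user a fixed tunnel IP and one pass rule to their own desktop."""
    hosts = list(tunnel.hosts())
    if first_host + len(users) > len(hosts):
        raise ValueError("tunnel network too small for this many users")
    if len(set(users.values())) != len(users):
        raise ValueError("two users map to the same desktop")
    plan = {}
    for offset, (cn, desktop) in enumerate(sorted(users.items())):
        if ipaddress.ip_address(desktop) in tunnel:
            raise ValueError(f"{cn}: desktop address lies inside the tunnel network")
        vpn_ip = hosts[first_host - 1 + offset]  # .10, .11, ... leaving .1 for the server
        plan[cn] = {
            "vpn_ip": str(vpn_ip),
            # OpenVPN per-client directive, 'topology subnet' form (assumed topology)
            "override": f"ifconfig-push {vpn_ip} {tunnel.netmask}",
            # (source, destination, protocol, port) for a pass rule on the OpenVPN tab
            "rule": (str(vpn_ip), desktop, "tcp", RDP_PORT),
        }
    return plan

def is_allowed(plan, src, dst, port, proto="tcp"):
    """Only pass rules exist in the plan; anything unmatched falls to the default deny."""
    return any(p["rule"] == (src, dst, proto, port) for p in plan.values())

if __name__ == "__main__":
    for cn, p in build_plan(USERS).items():
        print(f"{cn:6} {p['override']:40} pass {p['rule']}")
```

The per-user rules only hold if no broader pass rule on the OpenVPN interface matches the tunnel network first, and if the dynamic pool cannot hand out an address that is reserved for a named user.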



  • @Rico said in OVPN Single site, multiple remote users:

    With CSOs (Client Specific Overrides) you can bind Users to a fixed IP address inside your OpenVPN tunnel network.

    Thanks for the reply. I'll do some review, reading, research of CSOs.



  • @Rico
    Thanks for the suggestion.
    That works really nicely. Just like having a DHCP server handing out "static" IP addresses, in the OpenVPN subnet.
    I give you a thumbs up.

