Netgate Discussion Forum

    Openvpn and firewall for user

    • pino121

      Hello everybody,
      I am new and would like to understand how the firewall works with OpenVPN.

      I configured OpenVPN, created the users, and everything works fine.
      I would like to know if it is possible to allow a user to access only and exclusively some servers and not all of them.
      My pfSense firewall protects twenty servers; users who connect via VPN need to reach only three of these servers. Is it possible to set this up?

      Thanks

      • johnpoz (LAYER 8 Global Moderator)

        Yes, edit your VPN rules to only allow access to the IPs you want.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • pino121

          Thanks for your reply, but I do not see the source.
          In the source I do not see the VPN user.
          Thanks

          • johnpoz (LAYER 8 Global Moderator)

            Look on your vpn interface!!

            vpninterface.jpg

            • pino121

              Is the source not the VPN user?
              source.jpg

              • johnpoz (LAYER 8 Global Moderator)

                Source would be ANY!!! Allow access to what you want in dest.. Why would you think there should be a VPN user as source? Anything connecting to your VPN would be VPN users ;)

                • pino121

                  Thanks for your reply.

                  I have five VPN users:

                  1. user01 can connect to all servers
                  2. user02 can only be connected to the webserver for maintenance
                  3. user03 can only connect to the mail server and the management server
                  4. user04 can be connected to the management system and to the mail server

                  How can I do this?

                  • johnpoz (LAYER 8 Global Moderator)

                    Create client overrides for those clients so they get specific IP, then put that in the firewall rules..

                    • pino121

                      @johnpoz said in Openvpn and firewall for user:

                      Create client overrides for those clients so they get specific IP, then put that in the firewall rules..

                      Create client overrides for those clients so they get specific IP, then put that in the firewall rules..????
                      Please help me.
                      Thanks

                      • johnpoz (LAYER 8 Global Moderator)

                        https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-single-multi-purpose-openvpn-instance.html#openvpn-client-specific-overrides

                        Curious question for you... So these users, when they are in the office, can they only talk to servers X or Y... Or do they have access to all.. Or are these users never in the office.. I am curious because if you do not limit them while in the office, why would you limit them while remote..

                        • pino121

                          I thank you for your kind reply.
                          I'll explain: ten servers behind pfSense, on which there is different software from different vendors.
                          My purpose is to allow engine 01 to access only its server, while engine 02 can only access its server for assistance and maintenance.
                          Then there are admin users who can log in to all the servers in the farm.
                          OK?

                          I am pleased to tell you that I have not understood how to create client overrides for those clients.
                          Thanks

                          • johnpoz (LAYER 8 Global Moderator)

                            An override for a specific VPN user... Here my work laptop always gets this IP, for example..

                            override.jpg

                            • pino121

                              Hi, thanks, it works.
                              I have only one problem: if in the OpenVPN firewall rules I want to target two or more IPs, it is not possible; I should make two different rules.

                              Quite right?

                              thanks

                              Firewall01.jpg

                              • johnpoz (LAYER 8 Global Moderator)

                                Huh? Yes, you would need to assign IPs to your different VPN clients. You can either do multiple rules or use an alias to have multiple IPs in your rules..

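The two pieces johnpoz describes in this thread (a client-specific override that pins each VPN user to a fixed tunnel IP, then per-user firewall rules whose destination is an alias holding several server IPs) can be expressed in the underlying OpenVPN and pf syntax that pfSense generates. The script below is an added example, not code from the thread or from pfSense: it takes a small policy table (the four users from the thread) and emits the `ifconfig-push` client-config line for each user plus a pf rule set with one pass rule per user and a default block. The tunnel network 10.8.0.0/24, the server addresses in 192.0.2.0/24, the interface name `ovpns1` and the alias names are all constructed/assumed values.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). Models the two steps from the
# discussion:
#   1. client-specific override -> fixed tunnel IP per user (OpenVPN "ifconfig-push")
#   2. firewall rules on the VPN interface with that IP as source and an alias
#      (pf "table") of server IPs as destination, followed by a default block.
# All addresses, the interface name and alias names are constructed/assumed.

TUN_MASK="255.255.255.0"   # assumed: subnet topology, /24 tunnel network
VPN_IF="ovpns1"            # assumed OpenVPN server interface name

# Policy table: <certificate CN> <fixed tunnel IP> <alias of reachable servers>
# Mirrors the four users listed in the thread; addresses are constructed.
POLICY='
user01 10.8.0.10 all_servers
user02 10.8.0.11 web_server
user03 10.8.0.12 mail_and_mgmt
user04 10.8.0.13 mail_and_mgmt
'

# Alias table: <alias name> <server IPs or CIDRs> (constructed values)
ALIASES='
web_server 192.0.2.10
mail_and_mgmt 192.0.2.20 192.0.2.30
all_servers 192.0.2.0/24
'

# ccd_file CN: print the client-config-dir content that pins this CN to its IP.
# Fails (exit 1) for a CN with no override, so the caller notices the gap.
ccd_file() {
    cn="$1"
    ip=$(printf '%s\n' "$POLICY" | awk -v cn="$cn" '$1 == cn { print $2 }')
    if [ -z "$ip" ]; then
        echo "no override for $cn" >&2
        return 1
    fi
    printf 'ifconfig-push %s %s\n' "$ip" "$TUN_MASK"
}

# pf_tables: one pf table per alias, e.g.  table <web_server> { 192.0.2.10 }
pf_tables() {
    printf '%s\n' "$ALIASES" | awk 'NF {
        printf "table <%s> { ", $1
        for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? ", " : "")
        print " }"
    }'
}

# pf_rules: one pass rule per user (source = the user's fixed tunnel IP,
# destination = the alias), then block everything else arriving on the VPN
# interface so a client that is not in the policy reaches nothing.
pf_rules() {
    printf '%s\n' "$POLICY" | awk -v ifc="$VPN_IF" 'NF {
        printf "pass in quick on %s inet from %s to <%s> keep state\n", ifc, $2, $3
    }'
    printf 'block in quick on %s inet from any to any\n' "$VPN_IF"
}

# Stand-alone usage: print the override for one user and the full rule set.
if [ "${1:-}" = "show" ]; then
    ccd_file user02
    pf_tables
    pf_rules
fi
```

Running `sh script.sh show` prints the `ifconfig-push` line for `user02`, the three tables and the five rules. The ordering matters: the pass rules carry `quick` so the first match wins, and the trailing `block` guarantees that a VPN client without an override (and therefore without a fixed IP in the policy) is denied rather than silently allowed.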
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.