Netgate Discussion Forum

Remove OpenVPN access admin

    DenverDesktopsSupport
    last edited by Apr 22, 2023, 2:44 PM

    Is it possible to remove OpenVPN access from the "Admin" or other users?

    Looking to configure admins but want separate OpenVPN login and firewall login.

      rcoleman-netgate Netgate @DenverDesktopsSupport
      last edited by rcoleman-netgate Apr 23, 2023, 10:03 PM Apr 22, 2023, 2:57 PM

      @denverdesktopssupport
      You could disable the Admin account (as many of us do).

      Alternatively you could just not distribute that OVPN client config - that's the most effective way to stop users.

      To keep OVPN users from accessing the GUI you can do that through Firewall rules - but that will block all users on OVPN. In that situation I would use a different VPN for administration.

      Ryan
      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
      Requesting firmware for your Netgate device? https://go.netgate.com
      Switching: Mikrotik, Netgear, Extreme
      Wireless: Aruba, Ubiquiti

        michmoor LAYER 8 Rebel Alliance @DenverDesktopsSupport
        last edited by Apr 23, 2023, 12:00 AM

        @denverdesktopssupport said in Remove OpenVPN access admin:

        Looking to configure admins but want separate OpenVPN login and firewall login.

        You could assign specific users with an IP using Radius and build firewall rules on that.
        You could create another OpenVPN server, new pool, and the admins log into that?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          jimp Rebel Alliance Developer Netgate
          last edited by Apr 24, 2023, 12:55 PM

          If you use SSL/TLS with certs and auth you can enable strict username/cn matching and then just not issue a cert for the users you don't want to connect.

          If you are using SSL/TLS with only user auth and want to use local database users you can also do this:

          • Ensure "Username as common name" is enabled on the server
          • Create a client-specific override for the name you want to block configured as follows
            • Description: "Block admin" (or whatever you want)
            • Common Name: admin
            • Block this client connection based on its common name: checked

          Otherwise, external auth setups like RADIUS or LDAP are a fine choice to define only the users you want to allow.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!
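
The client-specific override described in the post above can be audited from the generated OpenVPN files. This is an added example, not part of the thread or of pfSense's code; it assumes the override is written as a `client-config-dir` file named after the common name and containing the `disable` directive, and the helper names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether an OpenVPN server
# config blocks a common name through a client-specific override file.

# Succeed if FILE ($1) has DIRECTIVE ($2) as an active (uncommented) line.
has_directive() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# Print the first argument of DIRECTIVE ($2) in FILE ($1), empty if absent.
directive_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# cn_block_status CONF CN: print why CN is or is not blocked.
cn_block_status() {
    conf=$1; cn=$2
    # With user auth only, this makes the login name the common name
    # that the override file is matched on.
    has_directive "$conf" username-as-common-name ||
        { echo no-username-as-cn; return 1; }
    ccd=$(directive_arg "$conf" client-config-dir)
    [ -n "$ccd" ] || { echo no-override-dir; return 1; }
    [ -f "$ccd/$cn" ] || { echo no-override; return 1; }
    # "disable" in the per-client file is what refuses the connection.
    has_directive "$ccd/$cn" disable ||
        { echo override-not-blocking; return 1; }
    echo blocked
}

# Constructed sample: a minimal server config plus two override files.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/csc" || return 1
    printf 'dev tun\nusername-as-common-name\nclient-config-dir %s/csc\n' \
        "$d" > "$d/server.conf"
    printf 'disable\n' > "$d/csc/admin"       # blocked user
    printf '# disable\n' > "$d/csc/backup"    # commented out: not blocked
    echo "$d"
}

sample=$(make_sample)
for user in admin backup alice; do
    printf '%s: %s\n' "$user" "$(cn_block_status "$sample/server.conf" "$user")"
done
```

Override files are matched by exact name, so the check should be run with the username exactly as it is entered at login.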

            michmoor LAYER 8 Rebel Alliance @jimp
            last edited by Apr 24, 2023, 4:40 PM

            @jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that than the firewall itself to manage all my users and certs.

              jimp Rebel Alliance Developer Netgate @michmoor
              last edited by Apr 25, 2023, 12:16 PM

              @michmoor said in Remove OpenVPN access admin:

              @jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that than the firewall itself to manage all my users and certs.

              Sure, you just import the CA cert (not the key) and the server cert on the firewall, then pick those in OpenVPN. The other certs never need to touch the firewall, they only need to validate against the chosen CA.
