Remove OpenVPN access admin
-
Is it possible to remove OpenVPN access from the "Admin" or other users?
Looking to configure admins but want separate OpenVPN login and firewall login.
-
@denverdesktopssupport
You could disable the Admin account (as many of us do). Alternatively you could just not distribute that OVPN client config - that's the most effective way to stop users.
To keep OVPN users from accessing the GUI you can do that through Firewall rules - but that will block all users on OVPN. In that situation I would use a different VPN for administration.
-
@denverdesktopssupport said in Remove OpenVPN access admin:
Looking to configure admins but want separate OpenVPN login and firewall login.
You could assign specific users with an IP using Radius and build firewall rules on that.
You could create another OpenVPN server, new pool, and the admins log into that?
-
If you use SSL/TLS with certs and auth you can enable strict username/cn matching and then just not issue a cert for the users you don't want to connect.
If you are using SSL/TLS with only user auth and want to use local database users you can also do this:
- Ensure "Username as common name" is enabled on the server
- Create a client-specific override for the name you want to block, configured as follows:
  - Description: "Block admin" (or whatever you want)
  - Common Name: admin
  - Block this client connection based on its common name: checked
Otherwise, external auth setups like RADIUS or LDAP are a fine choice to define only the users you want to allow.
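
Added example (not part of the post above and not pfSense's own code): a shell check that both conditions from the steps above hold on a plain OpenVPN server, and that the named user is actually blocked. It assumes the GUI options correspond to OpenVPN's username-as-common-name, client-config-dir and disable directives; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the GUI settings correspond to
# the OpenVPN directives username-as-common-name, client-config-dir and disable.

# ovpn_user_blocked SERVER_CONF USERNAME
#   0 = blocked, 1 = not blocked, 2 = server config cannot enforce the block
ovpn_user_blocked() {
    conf=$1
    user=$2
    # Without username-as-common-name, overrides are matched against the
    # certificate CN rather than the login name.
    grep -Eq '^[[:space:]]*username-as-common-name([[:space:]]|$)' "$conf" || return 2
    # Simplification: unquoted, absolute client-config-dir path.
    ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    [ -n "$ccd" ] || return 2
    # The override file is named exactly after the common name.
    [ -f "$ccd/$user" ] || return 1
    grep -Eq '^[[:space:]]*disable([[:space:]]|$)' "$ccd/$user" || return 1
    return 0
}

# Build a constructed sample: server config plus overrides for two users.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/ccd"
    printf '%s\n' 'dev tun' 'username-as-common-name' \
        "client-config-dir $dir/ccd" > "$dir/server.conf"
    printf 'disable\n' > "$dir/ccd/admin"    # blocked
    # Override present but no disable line: not blocked.
    printf 'ifconfig-push 10.8.0.50 255.255.255.0\n' > "$dir/ccd/alice"
    # Same overrides, but the server does not map usernames to common names.
    printf '%s\n' 'dev tun' "client-config-dir $dir/ccd" > "$dir/no-uacn.conf"
    echo "$dir"
}

sample=$(make_sample)
for u in admin alice bob; do
    rc=0
    ovpn_user_blocked "$sample/server.conf" "$u" || rc=$?
    echo "$u -> $rc"
done
rm -rf "$sample"
```

A return code of 2 means the override exists but is keyed on a name the server never compares against the login.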
-
@jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that than the firewall itself to manage all my users and certs.
-
@michmoor said in Remove OpenVPN access admin:
@jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that than the firewall itself to manage all my users and certs.
Sure, you just import the CA cert (not the key) and the server cert on the firewall, then pick those in OpenVPN. The other certs never need to touch the firewall, they only need to validate against the chosen CA.