Allow VPN user to access specific VLAN instead of all
-
Hello,
My network is composed of 2 VLANs:
vlan 1 client: 172.16.2.0/24
vlan 100 mgmt: 172.16.100.0/24
I created an OpenVPN for 5 users and 1 for me as admin.
In the OpenVPN server I have entered 172.16.2.0/24 and 172.16.100.0/24, so all the networks. I discovered that using Client Specific Overrides I can manage all the users' access to the different VLANs, but I don't understand how; I tried something but it still doesn't work.
My goal is to give access to VLAN 1 to all the 5 users, and give my user access to all VLANs.
Also my firewall rules on the VPN interface are the classic "allow all", so maybe I have to change something there too.
Thanks for help
Best regards -
@Stp
It is sufficient to create a client specific override for you only. State a high tunnel IP, because the server allocates IPs from the lowest upwards. Then change the firewall rule on the VPN interface to allow only access to 172.16.2.0/24.
And add an additional rule below for your source IP according to the CSO and 172.16.100.0/24 as destination. Note that this is not bullet-proof, since the CSO does not make a reservation for you. To ensure that the tunnel pool doesn't get filled up with multiple connections of other users, you can limit the number of connections for each in the server settings.
-
@viragomann
Thank you for the reply. I tried to change the rules in the VPN interface and it works, but the connection with the MGMT net is not working; probably I configured the CSO incorrectly.
My configuration is composed of:
Common name (my username)
OpenVPN server selected
IPv4 tunnel network 10.10.10.0/24 (same as the OpenVPN tunnel)
IPv4 local network 172.16.100.0/24
IPv4 remote network unconfigured (I want to connect from different places, not only from one)
That's it. I also tried to create a push route but it didn't work.
Any ideas? -
@Stp said in Allow VPN user to access specific VLAN instead of all:
IPv4 tunnel network 10.10.10.0/24 (same as the OpenVPN tunnel)
That's useless. You need to state a single IP in CIDR notation here.
If 10.10.10.0/24 is your tunnel network, enter 10.10.10.239/24 or something similar. -
Thank you so much, I didn't understand that I needed an IP "reservation" in the tunnel, so I can create a new rule allowing access to the MGMT network.
Now everything is fine.
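The setup the thread converges on, written out as the raw OpenVPN client-config-directory file and pf rules that the pfSense GUI settings correspond to. This is an added example, not configuration from either poster; the common name `admin`, the interface group name `openvpn`, the tunnel network 10.10.10.0/24 and the tunnel IP 10.10.10.239 are assumed from the thread, and the rules are ordered so the first match wins (`quick`).

```conf
# --- /var/etc/openvpn/server1/ccd/admin  (client specific override, assumed path) ---
# Single tunnel IP in CIDR form (10.10.10.239/24), NOT the whole 10.10.10.0/24 network.
# High address: the server hands out pool IPs from the bottom up, so this is less
# likely to collide with an address already given to another user (not a reservation).
ifconfig-push 10.10.10.239 255.255.255.0
# "IPv4 Local Network" in the CSO: only this client is told a route to the mgmt VLAN.
push "route 172.16.100.0 255.255.255.0"

# --- pf rules on the OpenVPN interface group (replaces the old "allow all") ---
# BEFORE (the weak setting): every VPN user reaches every VLAN.
#   pass in quick on openvpn inet from any to any

# AFTER: every tunnel client may reach the client VLAN only...
pass in quick on openvpn inet from 10.10.10.0/24 to 172.16.2.0/24
# ...and only the address pinned by the CSO may additionally reach the mgmt VLAN.
pass in quick on openvpn inet from 10.10.10.239 to 172.16.100.0/24
# Everything else from the tunnel is dropped and logged; this is what actually
# enforces the split, since the CSO by itself only hands out an address.
block in log quick on openvpn inet from 10.10.10.0/24 to any
```

Because the mgmt rule keys on a tunnel address rather than on the certificate, it is only as strong as the guarantee that nobody else ends up with 10.10.10.239; limiting connections per client on the server, as suggested above, keeps the pool from climbing that high.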