Netgate Discussion Forum
Allow VPN user to access specific VLAN instead of all

OpenVPN
    Stp (last edited Mar 12, 2025, 2:13 PM)

    Hello,

    My network is composed of 2 VLANs:

    vlan 1 client: 172.16.2.0/24
    vlan 100 mgmt: 172.16.100.0/24

    I created an OpenVPN for 5 users and 1 for me as admin.
    In the OpenVPN server I have entered 172.16.2.0/24 and 172.16.100.0/24, so all the networks.

    I discovered that using Client Specific Overrides I can manage all the users' access to the different VLANs, but I don't understand how; I tried something but it still doesn't work.

    My goal is to give access to VLAN 1 to all 5 users, and give my user access to all VLANs.

    Also, my firewall rules on the VPN interface are the classic "allow all", so maybe I have to change something there too.

    Thanks for the help
    Best regards

      viragomann @Stp (last edited Mar 12, 2025, 9:14 PM)

      @Stp
      It is sufficient to create a client specific override for you only. State a high tunnel IP, because the server allocates IPs from the lowest upwards.

      Then change the firewall rule on the VPN interface to allow only access to 172.16.2.0/24.
      And add an additional rule below for your source IP according to the CSO and 172.16.100.0/24 as destination.

      Note that this is not bullet-proof, since the CSO does not make a reservation for you. To ensure that the tunnel pool doesn't get filled up with multiple connections of other users, you can limit the number of connections for each in the server settings.

        Stp (last edited Mar 14, 2025, 2:30 PM)

        @viragomann
        Thank you for the reply,

        I tried to change the rules in the VPN interface and it works, but the connection with the MGMT net is not working; probably I configured the CSO incorrectly.

        My configuration is composed of:
        Common name (my username)
        OpenVPN server selected
        IPv4 tunnel network 10.10.10.0/24 (same as the OpenVPN tunnel)
        IPv4 local network 172.16.100.0/24
        IPv4 remote network unconfigured (I want to connect from different places, not only from one)
        That's it.

        I also tried to create a push route but it didn't work.
        Any ideas?

          viragomann @Stp (last edited Mar 14, 2025, 2:48 PM)

          @Stp said in Allow VPN user to access specific VLAN instead of all:

          IPv4 tunnel network 10.10.10.0/24 (same as the OpenVPN tunnel)

          That's useless. You need to state a single IP in CIDR notation here.
          If 10.10.10.0/24 is your tunnel network, enter 10.10.10.239/24 or something similar.

            Stp (last edited Mar 14, 2025, 3:04 PM)
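The advice in the two replies above (allow the whole tunnel to 172.16.2.0/24, allow only the admin's CSO-pinned address to 172.16.100.0/24, and write the CSO tunnel entry as a single host address rather than the network) can be checked offline before touching the firewall. The following is an added example, not code from the thread or from pfSense: it validates a CSO "IPv4 Tunnel Network" value, models the two suggested rules with pfSense-style first-match evaluation and default deny, and demonstrates the caveat that the CSO does not reserve the address. The tunnel network 10.10.10.0/24 and the admin address 10.10.10.239 are the values quoted in the posts; that the server takes the first host address and hands out client addresses from the second upwards is an assumption, as is the simplified rule model (source and destination network only).

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Values quoted in the thread.
TUNNEL_NET = ipaddress.ip_network("10.10.10.0/24")
CLIENT_VLAN = ipaddress.ip_network("172.16.2.0/24")    # vlan 1, reachable by all users
MGMT_VLAN = ipaddress.ip_network("172.16.100.0/24")    # vlan 100, admin only
ADMIN_CSO_VALUE = "10.10.10.239/24"                     # CSO "IPv4 Tunnel Network" field


def cso_tunnel_address(value: str, tunnel_net=TUNNEL_NET) -> ipaddress.IPv4Address:
    """Check a CSO 'IPv4 Tunnel Network' value the way the thread says it must
    be written: one host address in CIDR notation inside the server's tunnel
    network. The bare network address (10.10.10.0/24) is rejected because it
    pins the client to nothing."""
    iface = ipaddress.ip_interface(value)
    if iface.ip == iface.network.network_address:
        raise ValueError(f"{value} is a network, not a single host address")
    if iface.ip not in tunnel_net:
        raise ValueError(f"{iface.ip} is outside the tunnel network {tunnel_net}")
    return iface.ip


@dataclass(frozen=True)
class Rule:
    """Simplified model (assumption) of a pfSense interface rule."""
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_vpn_rules(admin_ip: ipaddress.IPv4Address) -> List[Rule]:
    """The two rules suggested in the thread, top to bottom: everyone in the
    tunnel reaches the client VLAN; only the admin's pinned address reaches
    the management VLAN. Nothing else is allowed."""
    return [
        Rule("pass", TUNNEL_NET, CLIENT_VLAN),
        Rule("pass", ipaddress.ip_network(f"{admin_ip}/32"), MGMT_VLAN),
    ]


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; unmatched traffic hits the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "block"


def pool_reaches_admin(admin_ip: ipaddress.IPv4Address, concurrent_sessions: int,
                       tunnel_net=TUNNEL_NET) -> bool:
    """The caveat from the thread: the CSO makes no reservation. The server
    allocates pool addresses from the lowest upwards, so enough simultaneous
    sessions from other users would land on the admin's address and inherit
    the management rule. Assumption: the server takes the first host address
    and clients are allocated from the second one upwards."""
    hosts = list(tunnel_net.hosts())
    client_pool = hosts[1:]
    return admin_ip in client_pool[:concurrent_sessions]


if __name__ == "__main__":
    admin = cso_tunnel_address(ADMIN_CSO_VALUE)
    rules = build_vpn_rules(admin)
    checks = [("10.10.10.2", "172.16.2.10"),     # ordinary user -> client VLAN
              ("10.10.10.2", "172.16.100.10"),   # ordinary user -> mgmt VLAN
              (str(admin), "172.16.100.10")]     # admin -> mgmt VLAN
    for src, dst in checks:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    print("5 concurrent sessions reach the admin address:", pool_reaches_admin(admin, 5))
    print("238 concurrent sessions reach the admin address:", pool_reaches_admin(admin, 238))
```

With five users and a per-user connection limit in the server settings, the pool never gets near 10.10.10.239, which is why choosing a high address and capping connections closes the gap the second reply describes.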

            @viragomann

            Thank you so much, I didn't understand that I needed an IP "reservation" in the tunnel, so I can create a new rule allowing access to the MGMT network.

            Now everything is fine.
            🙏

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.