
    VPN access for specific user only

OpenVPN · 14 Posts · 2 Posters
osnaabay

      Hi Guys,

I created a CA, a Server Cert and a User Cert (under User Manager, for this specific user), a Server under OpenVPN, and all of the needed certificate and firewall rule configuration for SSL VPN, then exported the Inline Configuration (Most Clients). I logged in using the user's account and tried to access the server; it works fine. But when I tried to log in as a different user, it also worked. Why is that? I also tried exporting other configurations, but I encountered issues when logging in, like it looking for the CA, etc.

FYI, there are users that have specific access to the servers, and we want them to log in and access these servers based on their account. Unfortunately, since there is only one IPv4 Tunnel Network, it would be troublesome to create a different Tunnel Network for almost 500 users.

We removed the connection to LDAP because we encountered issues when we rebooted the machine: it could not find the LDAP server even though it was working fine before the reboot. So now all of the users are in the local database.

How can we separate or restrict users' access using the VPN configuration? I know that we should give each user their own Inline Configuration, but what if someone gets hold of the configuration file? They can log in using it. On our other firewall (Sophos UTM), even if you have the VPN configuration, you cannot log in if that configuration was not created under your username.

Below are the details of our pfSense firewall.

      Version 2.8.1-RELEASE (amd64)
      built on Tue Dec 16 1:31:00 PST 2025
      FreeBSD 15.0-CURRENT

      The system is on the latest version.
      Version information updated at Tue Mar 24 19:34:44 PST 2026

      AES-NI CPU Crypto: No
      QAT Crypto: No
      Hardware crypto Inactive
      Kernel PTI Enabled
      MDS Mitigation Inactive

Hope someone can help us. Thank you very much in advance.

      Apologies for the very bad grammar.

Gertjan @osnaabay

This:
        @osnaabay said in VPN access for specific user only:

        I created a CA, Server Cert and User Cert (under User Manager for this specific user),

        and then selecting :

        4d21e662-8a38-4630-968f-6f104301f479-image.png

or Remote Access (SSL/TLS + User Auth) checks the CA and the certificate you've assigned to that specific user.
Another user, using the same user + password (if you use these also), cannot access the server, as this user has another certificate.
You have to create a VPN server user account for every user, create a certificate for every user, and then under "Client Export" export a unique .ovpn VPN file for every user.
These files will all be unique: each has its own unique certificate.

Under the pfSense User Manager, for every created VPN remote access user, I have a unique:

        b901d470-eec4-419a-bba3-396e2145781e-image.png

        All OpenVPN remote Access Server users have the main "CA" (mine is called "CA openvpn") in common.

So, for me, this means:

        @osnaabay said in VPN access for specific user only:

        But when I tried to login using a different user, it also works

        that your OpenVPN server doesn't use SSL/TLS as an access method.

        No "help me" PM's please. Use the forum, the community will thank you.

osnaabay @Gertjan

          @Gertjan

Thank you for your help and response.

Apologies for the very late reply. We've been busy with this firewall migration.

          df04ea81-3e7c-4468-a1bf-08f49baf1ec4-image.png

          6eebb0b7-6892-4c32-a660-6677ff3c6bc1-image.png

I had already set the Server Mode to Remote Access (SSL/TLS + User Auth); that is where the first issue comes from: any user can log in using the Inline Configuration file even if the other user doesn't have any User Certificate configured in their account.

I changed the setting to Remote Access (SSL/TLS); now the problem is that anyone can log in, since there is no username and password.

I also noticed there is no DCO option in the Mode Configuration on our pfSense, as you can see in my screenshot.

Another issue: since there is no configuration for user-only firewall rules (where, using the user's account, you can create a firewall rule to allow/deny users, just like on any other firewall device), I cannot filter the VPN users to create firewall policies for each account. I can do this on the Sophos UTM firewall, regardless of what their VPN network is.

          Hope you can help me or anyone in this community.

          Thank you so much.

Gertjan @osnaabay

            @osnaabay said in VPN access for specific user only:

            I also noticed, there is no DCO option in the Mode Configuration on our Pfsense, you can see on my screenshot.

That's just an option. Probably "pfSense Plus only"?

            @osnaabay said in VPN access for specific user only:

            I changed the setting to Remote Access (SSL/TLS), now the problem is, anyone can login since there are no username and password.

SSL/TLS means: login is possible if the OpenVPN client presents certificates that match. As every user has their own 'private' certs ....
Certificates are just very big numbers that replace user names and passwords just fine. So instead of, what, 20 or 30 characters combined (user + password), you have 512+ unique characters (== certificates) for every user.
Every OpenVPN user uses their private .ovpn file, the one you exported and sent them.

Example: I have a laptop called 'leno' and an iPhone called "iPhone12", so I created and exported an .ovpn for every device:

            c91ec8db-d059-43d2-a465-85ccd77e0926-image.png

Btw: I use my OpenVPN remote access as 'admin' access. I do not want to use FreeRADIUS as an authentication source, as: what happens if there are issues and FreeRADIUS is out of business? Then I can't log in .... and have to take the car to go to my work.
I decided to apply the KIS rule for my OpenVPN server access: I use the pfSense User Manager, not FreeRADIUS.

            @osnaabay said in VPN access for specific user only:

            using the users account, you can create firewall rule to allow/deny users

Firewall rules based upon users, logged-in users?
True: if you use FreeRADIUS, you can assign a unique OpenVPN tunnel IP to every user. As their individual IP is known, you can make rules for them individually.
There was a forum thread (in the past) asking how to set that up: a dedicated IP for every OpenVPN-connected user. I don't use this myself, but I know it's possible.


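A concrete form of the per-user tunnel IP that the reply above mentions, as an added illustration (not from the thread, and not Netgate's or FreeRADIUS's own documentation): when the RADIUS reply for a user carries `Framed-IP-Address`, pfSense pushes that address to the OpenVPN client as its tunnel IP, so the address follows the username rather than the device. In FreeRADIUS's `users` file the reply item sits indented under the user's check line; in the pfSense FreeRADIUS package the same reply attribute is entered per user in the GUI. The user names and passwords are the ones used in this thread, the tunnel network 10.8.0.0/24 and the two addresses are assumptions made for the example.

```text
# FreeRADIUS "users" file: first line holds the check items, the indented
# lines the reply items sent back to pfSense on a successful login.
User1   Cleartext-Password := "Welcome01"
        Framed-IP-Address = 10.8.0.11

User2   Cleartext-Password := "Welcome02"
        Framed-IP-Address = 10.8.0.12
```

With that in place, a firewall rule on the OpenVPN interface with source 10.8.0.11/32 applies only to User1, whichever device connects. The address is bound to the username, not to the certificate, so the username itself still has to be bound to the client certificate (Strict User-CN Matching on the server); otherwise a leaked profile plus another user's password is enough to come up with that user's address.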
osnaabay @Gertjan

              @Gertjan

              Thank you again for your response.

How about this part?

I had already set the Server Mode to Remote Access (SSL/TLS + User Auth); that is where the first issue comes from: any user can log in using the Inline Configuration file even if the other user doesn't have any User Certificate configured in their account.

Example: I created a User Certificate for User1, then created a Server under VPN -> OpenVPN -> Servers. Then I exported the Inline Configuration and tested it with the OpenVPN client by logging in as User1; it works as expected. Then when I tried to log in as User2, who has no User Certificate, it could still log in. Why is that? I expect that User2 should not be able to log in.

              Thank you again in advance.

Gertjan @osnaabay

                @osnaabay said in VPN access for specific user only:

                Then when I tried to login using User2

Where does the client config for User2 come from?
Did you export it from the "known OpenVPN clients" list (see above)?

Compare the User2 .ovpn file with the one from User1.


When you set up an OpenVPN server like this:

6fe0f34c-0cc8-4c55-a356-1b018740212d-image.png

and then, when selecting this server under Export:

3454f92d-a554-4e4f-80f3-608a790a0de2-image.png

you can only have "Certificate" type users, like:

c5925182-4211-47ba-9b78-351cf2c70351-image.png

Note: I'm not using Auth with user names and passwords, just the certs, so SSL/TLS only.

osnaabay @Gertjan

                  @Gertjan

                  Where does the client config for User2 come from ?

• I used the User1 client config. What I did to test was: I logged out User1, then logged in as User2 without changing anything.

Did you export it from the "known OpenVPN clients" list (see above)?

• Nope.

I did what is in the configuration you showed, but I can still log in as User2 even if I only use the configuration for User1.

Gertjan @osnaabay

                    @osnaabay said in VPN access for specific user only:

                    Nope.

                    Lol.

Every OpenVPN user, where every user has their own certificate, should have their own 'ovpn' file, which contains their unique certificate.
User1 should use user1's config file
User2 should use user2's config file
etc.

Right now, you 'complain' that user2, using user1's credentials, can log in with user1's access.
User2 should use the user2 config 😊

                    No "help me" PM's please. Use the forum, the community will thank you.

osnaabay @Gertjan

                      @Gertjan

Right now, you 'complain' that user2, using user1's credentials, can log in with user1's access.
User2 should use the user2 config 😊

• That's the reason why I wonder why User2 can use the config of User1 even though they have different credentials.

Example:

User1's password is Welcome01
User2's password is Welcome02

But User2 can use the Inline Configuration of User1. This means that every user can use the Inline Configuration of User1. I also tried another user and it could also log in. Shouldn't only User1 be able to use its own Inline Configuration?

Gertjan @osnaabay

                        @osnaabay

So you're back to (SSL/TLS + User Auth)?
Because (SSL/TLS), which I use, doesn't ask for a user name and password.

I'll switch (tomorrow) to (SSL/TLS + User Auth) also, recreate two new .ovpn client files after adding passwords for two VPN users, install them on two devices, and check if I can reproduce this.

For now, I tend to say: User2 can't get access with user1's login, as user2 can't know user1's password ^^
edit: wait: you mean User2 can log in with the user name "User1" and the password of user1? That would be strange indeed, because the certificate in the .ovpn profile of user2 has to match user2's certificate also, not the one of User1. ..... is that your issue?

osnaabay @Gertjan

                          @Gertjan

So you're back to (SSL/TLS + User Auth)?

• Yes.

Because (SSL/TLS), which I use, doesn't ask for a user name and password.

• The problem when I use SSL/TLS only: User2 can log in using User1's certificate.

wait: you mean User2 can log in with the user name "User1" and the password of user1?

• Nope. I'll explain again; apologies for my bad grammar.
  User1 and User2 use their own username and password when logging in. The only one with a User Certificate is User1. So, as expected, I can log in as User1 in the OpenVPN client, but when I log out and log in as User2, I can still log in. I expect that User2 shouldn't be able to log in because:
1. It is User1's User Certificate in the Inline Configuration
2. There is no User Certificate for User2 (or any other users)
osnaabay

                            Hi @Gertjan

I figured out the problem: I didn't enable Strict User-CN Matching.

                            c578bca0-7f16-4c2c-9aa7-654f509ca7c6-image.png

It is all good now.

                            Thank you so much.

Gertjan @osnaabay

                              @osnaabay said in VPN access for specific user only:

                              The problem when I use SSL/TLS only, User2 can login using User1's certificate.

User2 doesn't have the certificate of User1.
The idea is that you, as the admin, give User2 the .ovpn file of User2, not User1 ;)

                              @osnaabay said in VPN access for specific user only:

                              There is no User Certificate for User2 (or any other users)

Can't be.
When you use / switch to:
01f68975-e7b9-4334-afa1-300a9385b41d-image.png

you have to re-export all the config files for all the users.
Every .ovpn config file will contain the certificate of that user, and these certificates will be unique.
You can see them here / these are the 4 remote access VPN users:

                              9a629a91-72b4-4865-bf06-94a75c4ad411-image.png

and every VPN user should have a certificate assigned / generated:

                              1b17e1ae-eb20-4338-a745-d7caa50288b1-image.png

and you can see the certs here, under System > Certificates > Certificates:

                              b7e1050f-6a2f-4841-8b46-1d518625e93f-image.png

About:

                              a3a4975f-a2be-4b0a-82df-cfe9c73fa381-image.png

I have that one checked as-is, without giving it much thought.
It says:

Verify that only hosts with a client certificate can connect (EKU: "TLS Web Client Authentication").

and because I have selected (SSL/TLS ...), which means (imho) every user has to present a certificate. Otherwise (SSL/TLS ...) doesn't make sense. I presume that if a user doesn't present a certificate, it shouldn't even be able to log in.
I have to check that, as you stated the other way around: login is OK when the server uses (SSL/TLS ...) and the client doesn't give (have) a certificate ... 😥

                              @osnaabay said in VPN access for specific user only:

                              Nope. I'll explain again, apologies for my bad grammar.

                              No issues with that.
                              I live in France, native Dutch, butchering the English language every day.


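The behaviour the two posters went back and forth over has a simple explanation once the server's checks are written down in order, so here is a small model of them as an added example (my own code, not pfSense's or OpenVPN's; the class and function names `ClientCert`, `Server`, `authorize` and `replay_thread_scenarios` are mine, the mode strings are shorthand for the two Server Mode choices, and the user names and passwords are the constructed ones from this thread). In the TLS phase the server only checks that the certificate embedded in the .ovpn profile chains to its CA (and, with the key-usage option quoted above, that it carries the client-auth EKU). In SSL/TLS + User Auth mode the username and password are then checked against the local user database, and nothing in that step looks at the certificate. Strict User-CN Matching is the only step that ties the two identities together, which is why User2's password plus User1's profile was accepted until it was enabled; the model treats the CN comparison as an exact string match, which is an assumption.

```python
# Added example (not pfSense or OpenVPN code): a model of the checks a pfSense
# OpenVPN remote-access server applies, in the order they happen, so the
# attempts described in this thread can be replayed. All names and the
# scenario users/passwords are constructed for the illustration.
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClientCert:
    cn: str                        # subject Common Name, e.g. the pfSense username
    issuer: str                    # name of the CA that signed it
    eku: tuple = ("clientAuth",)   # pfSense user certificates carry this EKU


@dataclass
class Server:
    mode: str                      # "ssl_tls" or "ssl_tls_user_auth"
    ca: str                        # Peer Certificate Authority
    strict_user_cn: bool = False   # "Strict User-CN Matching"
    check_client_eku: bool = True  # "Client Certificate Key Usage Validation"
    users: dict = field(default_factory=dict)  # local User Manager: name -> password


def authorize(server, cert, username=None, password=None):
    """Return (allowed, reason) for one connection attempt."""
    # 1. TLS phase: the certificate embedded in the .ovpn profile must chain to
    #    the server's CA (and carry the client-auth EKU if that check is on).
    if cert is None or cert.issuer != server.ca:
        return False, "tls: no client certificate, or not signed by the trusted CA"
    if server.check_client_eku and "clientAuth" not in cert.eku:
        return False, "tls: certificate lacks TLS Web Client Authentication EKU"
    if server.mode == "ssl_tls":
        # SSL/TLS only: possession of the profile is the whole identity.
        return True, f"accepted as CN={cert.cn} (no username/password requested)"

    # 2. User auth phase: username/password against the local user database.
    #    Nothing here looks at the certificate, so any valid user passes with
    #    any valid certificate ...
    expected = server.users.get(username)
    if expected is None or password is None or \
            not hmac.compare_digest(expected.encode(), password.encode()):
        return False, "auth: unknown user or wrong password"

    # 3. ... unless Strict User-CN Matching binds certificate CN to username
    #    (modelled as an exact match; an assumption of this model).
    if server.strict_user_cn and cert.cn != username:
        return False, f"strict-cn: certificate CN={cert.cn} does not match user {username}"
    return True, f"accepted as user {username} with certificate CN={cert.cn}"


def replay_thread_scenarios():
    """Replay the attempts described in this thread; returns {label: allowed}."""
    user1_cert = ClientCert(cn="User1", issuer="CA openvpn")
    foreign_cert = ClientCert(cn="User1", issuer="some other CA")
    users = {"User1": "Welcome01", "User2": "Welcome02"}  # constructed, as in the thread
    loose = Server("ssl_tls_user_auth", "CA openvpn", strict_user_cn=False, users=users)
    strict = Server("ssl_tls_user_auth", "CA openvpn", strict_user_cn=True, users=users)
    certs_only = Server("ssl_tls", "CA openvpn", users=users)
    return {
        # the original complaint: User2's password + User1's profile is accepted
        "user2 with user1 profile, strict off": authorize(loose, user1_cert, "User2", "Welcome02")[0],
        # the fix: the same attempt is rejected once CN must equal username
        "user2 with user1 profile, strict on": authorize(strict, user1_cert, "User2", "Welcome02")[0],
        "user1 with user1 profile, strict on": authorize(strict, user1_cert, "User1", "Welcome01")[0],
        # SSL/TLS only: anyone holding the profile is in, no password asked
        "anyone with user1 profile, certs only": authorize(certs_only, user1_cert)[0],
        # a certificate from another CA never gets past the TLS handshake
        "foreign cert, strict on": authorize(strict, foreign_cert, "User1", "Welcome01")[0],
        "user2 bad password, strict on": authorize(strict, user1_cert, "User2", "wrong")[0],
    }


if __name__ == "__main__":
    for label, allowed in replay_thread_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {label}")
```

Two things follow from the model that the thread only touches on. First, Strict User-CN Matching only helps in SSL/TLS + User Auth mode; in SSL/TLS-only mode the profile is the identity, so a leaked .ovpn file has to be dealt with by revoking its certificate (the OpenVPN server on pfSense can be given a CRL for that), not by changing a password. Second, every user's profile must carry a different certificate, issued under the CA the server trusts, for either mode to separate users at all; a shared certificate is indistinguishable from a shared profile.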
osnaabay @Gertjan

                                @Gertjan

Ah haha. Noted.

                                And thank you so much for the help.

                                Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.