    Limiting scope of openVPN access

    OpenVPN
arstacey

      I have successfully set up the openVPN module to allow vpn users access to the local lan, and it works perfectly with the windows installer.  Is there a way for me to limit these users to just one machine?  For example, I want to give an employee vpn access so he can rdp into his desktop when he is on the road BUT I do not want him to be able to access anything else on the lan?  Is this possible to do?

jimp (Rebel Alliance Developer, Netgate)

        You can limit that with firewall rules on the OpenVPN tab in 2.0

        To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)

Nachtfalke

          @jimp:

          You can limit that with firewall rules on the OpenVPN tab in 2.0

          To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)

          How can I assign a client a static IP?

          The OpenVPN server tunnel network is 10.0.0.0/24.
          Do I have to enter this network in the client-specific override too, or is THIS the point where I have to enter 10.0.0.4/30, which means:
          netmask: 10.0.0.4
          server: 10.0.0.5
          client: 10.0.0.6
          BC: 10.0.0.7

          PS: If I push any routes on the OpenVPN server but not in the client-specific override, will the client get these routes or not? What about other options like domain and NTP? Do I have to configure these twice?

          Thanks for your feedback

jimp (Rebel Alliance Developer, Netgate)

            You are safest just to refer to the whole /30 in firewall rules. When you set the IP for the client, you need to use, for example: 10.0.0.4/30 like you had.

            The addressing in OpenVPN is covered a bit here:
            http://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses%3F

            The client will get all settings from the server as usual, just on their static IP. If you want to stop the user from getting the pushed routes and settings, you can check "Prevent this client from receiving any server-defined client settings." on the override.

arstacey

              Thanks jimp. Do you see any limits on how many people I can set up this way?  Down the road, we may have as many as 500 users who are on the road, and I want to give each user a vpn that only accesses their own virtual desktop.

jimp (Rebel Alliance Developer, Netgate)

                Just use a large enough subnet to accommodate your users * 4. So in your case, ~512*4=2048 IPs, so a /21 or a /20's worth of IPs in any of the private blocks would work.

Nachtfalke

                  Hi,

                  I noticed some problems with "Client Specific overrides".

                  I am using an OpenVPN server with tunnel network 10.0.1.0/24.

                  I tried a client-specific override tunnel network of 10.0.2.120/30.

                  The client could connect to the server but got no access. That's OK, because of the wrong subnet.
                  OK, I then deleted the complete client-specific override for this client/CN and restarted the OpenVPN server, but the client still got an IP from the 10.0.2.120/30 subnet.

                  I created a client-specific override for this client/CN again and didn't choose any tunnel network (so it used the server's default), and then it connected fine and got an IP from the 10.0.1.0/24 subnet.

                  Did I do something wrong?!

jimp (Rebel Alliance Developer, Netgate)

                    Yes, the static IPs for overrides must be within the tunnel network.

Nachtfalke
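The address arithmetic behind the thread so far, as an added worked example in Python (not code from the thread or from pfSense): laying out one OpenVPN net30 /30 block, building the override's `ifconfig-push` line while enforcing jimp's rule that the /30 must lie inside the tunnel network, sizing the tunnel network for N clients at four addresses each, and describing a per-client firewall rule that references the whole /30 as jimp advises. The function names and the rule dictionary layout are mine; the client/peer ordering in `ifconfig-push` (client gets the first usable address) is taken from the `ifconfig-push 10.0.1.181 10.0.1.182` line Nachtfalke posts later and is an assumption about pfSense 2.0 behaviour, not a general OpenVPN guarantee.

```python
import ipaddress

# Added example, not pfSense code. Function names, the firewall-rule dict
# layout and the client/peer ordering assumption are my own.


def net30_block(cidr):
    """Lay out one OpenVPN net30 /30 block as
    (network, first usable, second usable, broadcast)."""
    block = ipaddress.ip_network(cidr, strict=True)
    if block.prefixlen != 30:
        raise ValueError(f"{cidr} is not a /30 block")
    first, second = block.hosts()  # the two usable addresses of a /30
    return (str(block.network_address), str(first), str(second),
            str(block.broadcast_address))


def override_ifconfig_push(tunnel_cidr, override_cidr):
    """Build the ifconfig-push line for a client-specific override.

    Enforces the rule from the thread: the override /30 must be a subnet
    of the server's tunnel network, otherwise the client gets an address
    the server cannot route (the 10.0.2.120/30 failure above).
    Ordering assumption: client = first usable, server peer = second.
    """
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    block = ipaddress.ip_network(override_cidr, strict=True)
    if block.prefixlen != 30:
        raise ValueError(f"override {override_cidr} must be a /30")
    if not block.subnet_of(tunnel):
        raise ValueError(
            f"override {override_cidr} is outside tunnel network {tunnel_cidr}")
    client_ip, peer_ip = block.hosts()
    return f"ifconfig-push {client_ip} {peer_ip}"


def tunnel_prefix_for(num_clients):
    """Smallest prefix length whose block holds num_clients * 4 addresses
    (one /30 per client), e.g. 500 clients -> 2000 addresses -> /21."""
    if num_clients < 1:
        raise ValueError("need at least one client")
    needed = num_clients * 4
    prefix, size = 30, 4
    while size < needed:
        size *= 2
        prefix -= 1
    return prefix


def per_client_rule(override_cidr, desktop_ip, port=3389):
    """Describe a pass rule for the OpenVPN interface tab that lets only this
    client's whole /30 reach its own desktop on one port (RDP by default).
    Anything else from the tunnel is left to a later deny/default rule."""
    block = ipaddress.ip_network(override_cidr, strict=True)
    return {
        "action": "pass",
        "interface": "OpenVPN",
        "source": str(block),
        "destination": str(ipaddress.ip_address(desktop_ip)),
        "dst_port": port,
    }


if __name__ == "__main__":
    print(net30_block("10.0.0.4/30"))
    print(override_ifconfig_push("10.0.1.0/24", "10.0.1.180/30"))
    print("500 road warriors ->", f"/{tunnel_prefix_for(500)}")
    # constructed sample desktop address for the rule description
    print(per_client_rule("10.0.1.180/30", "192.168.1.50"))
```

Running it shows the 10.0.0.4/30 layout jimp and Nachtfalke discuss, the `ifconfig-push` line for 10.0.1.180/30, a /21 for 500 users, and a rule whose source is the whole /30 rather than the single client address, so the rule still matches whichever of the pair's addresses the tunnel actually presents.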

                      @jimp:

                      Yes, the static IPs for overrides must be within the tunnel network.

                      Yes, I wrote that in my previous post I think.

                      What I want to say is:

                      If I create an override for a client, the override is working.
                      If I delete the override completely, then the override still exists.

jimp (Rebel Alliance Developer, Netgate)

                        You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

Nachtfalke

                          @jimp:

                          You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

                          Thanks. Good to know that but I restarted the OpenVPN Server after I did any changes.

                          ---- EDIT ----

                          I tested it again:

                          Restarting OpenVPN Server
                          OpenVPN-Server Tunnel Network is: 10.0.1.0/24
                          Client Specific Override Tunnel Network: 10.0.1.180/30
                          Restarting OpenVPN Server
                          Connecting Client
                          This is working. The client's IP after connecting to the server is: 10.0.1.181/30
                          Disconnecting client
                          Deleting Client specific override
                          Restarting server
                          Connecting Client
                          This is working. Client IP is still 10.0.1.181/30

                          I attached some screenshots.

jimp (Rebel Alliance Developer, Netgate)

                            Does the file for that cn still exist in /var/etc/openvpn-csc?

Nachtfalke

                              Yes, it does exist:

                              ifconfig-push 10.0.1.181 10.0.1.182
                              
jimp (Rebel Alliance Developer, Netgate)

                                I just pushed a fix, should be in new snaps soon

Nachtfalke

                                  Hi,
                                  it is working for me now as expected.
                                  I am using 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011

                                  Thanks jimp!
