Netgate Discussion Forum

    Limiting scope of openVPN access

    15 Posts 3 Posters 8.1k Views
    • arstacey

      I have successfully set up the OpenVPN module to allow VPN users access to the local LAN, and it works perfectly with the Windows installer. Is there a way for me to limit these users to just one machine? For example, I want to give an employee VPN access so he can RDP into his desktop when he is on the road, BUT I do not want him to be able to access anything else on the LAN. Is this possible to do?

      • jimp Rebel Alliance Developer Netgate

        You can limit that with firewall rules on the OpenVPN tab in 2.0.

        To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Nachtfalke

          @jimp:

          You can limit that with firewall rules on the OpenVPN tab in 2.0

          To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)

          How could I assign a client a static IP?

          The OpenVPN Server tunnel network is 10.0.0.0/24.
          Do I have to enter this network in the client-specific override too, or is THIS the point where I have to enter 10.0.0.4/30, which means:
          netmask: 10.0.0.4
          server: 10.0.0.5
          client: 10.0.0.6
          BC: 10.0.0.7

          PS: If I push any routes on the OpenVPN Server but not in the client-specific override, will the client get these routes or not? What about other options like domain and NTP? Do I have to configure these twice?

          Thanks for your feedback

          • jimp Rebel Alliance Developer Netgate

            You are safest just to refer to the whole /30 in firewall rules. When you set the IP for the client, you need to use, for example: 10.0.0.4/30 like you had.

            The addressing in OpenVPN is covered a bit here:
            http://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses%3F

            The client will get all settings from the server as usual, just on their static IP. If you want to stop the user from getting the pushed routes and settings, you can check "Prevent this client from receiving any server-defined client settings." on the override.


            • arstacey

              Thanks jimp. Do you see any limits on how many people I can set up this way?  Down the road, we may have as many as 500 users who are on the road, and I want to give each user a vpn that only accesses their own virtual desktop.

              • jimp Rebel Alliance Developer Netgate

                Just use a large enough subnet to accommodate your users * 4. So in your case, ~512*4=2048 IPs, so a /21's or a /20's worth of IPs in any of the private blocks would work.


                • Nachtfalke

                  Hi,

                  I noticed some problems with "Client Specific overrides".

                  I am using an OpenVPN Server with Tunnel Network 10.0.1.0/24

                  I tried with Client specific override tunnel network of 10.0.2.120/30

                  The client could connect to the server but got no access. That's OK, because of the wrong subnet.
                  OK, I then deleted the complete client-specific override for this client/CN and restarted the OpenVPN Server, but the client still got the IP of the 10.0.2.120/30 subnet.

                  I created a client-specific override for this client/CN again and didn't choose any tunnel network (so it used the server's default), and then it connected fine and got an IP from the 10.0.1.0/24 subnet.

                  Did I do something wrong?!

                  • jimp Rebel Alliance Developer Netgate

                    Yes, the static IPs for overrides must be within the tunnel network.


                    • Nachtfalke

                      @jimp:

                      Yes, the static IPs for overrides must be within the tunnel network.

                      Yes, I wrote that in my previous post I think.

                      What I want to say is:

                      If I create an override for a client, the override is working.
                      If I delete the override completely, then the override still exists.

                      • jimp Rebel Alliance Developer Netgate

                        You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.


                        • Nachtfalke

                          @jimp:

                          You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

                          Thanks. Good to know, but I restarted the OpenVPN Server after I made any changes.

                          ---- EDIT ----

                          I tested it again:

                          Restarting OpenVPN Server
                          OpenVPN-Server Tunnel Network is: 10.0.1.0/24
                          Client Specific Override Tunnel Network: 10.0.1.180/30
                          Restarting OpenVPN Server
                          Connecting Client
                          This is working. The client's IP after connecting to the server is: 10.0.1.181/30
                          Disconnecting client
                          Deleting Client specific override
                          Restarting server
                          Connecting Client
                          This is working. Client IP is still 10.0.1.181/30

                          I attached some screenshots.

                          [Screenshots attached: OpenVPN-Server.JPG, Override.JPG, OVPN-IP.JPG]

                          • jimp Rebel Alliance Developer Netgate

                            Does the file for that cn still exist in /var/etc/openvpn-csc?


                            • Nachtfalke

                              Yes, it does exist:

                              ifconfig-push 10.0.1.181 10.0.1.182
                              
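An added example, not from the thread or from pfSense itself, that puts the addressing rules jimp gives above into code: the /30 a client-specific override reserves, the ifconfig-push line it produces (matching the 10.0.1.181 10.0.1.182 seen in the CSC file), the whole /30 a firewall rule on the OpenVPN tab should use as its source, the subnet sizing for a large user base, and the within-tunnel-network check that the 10.0.2.120/30 attempt failed. Function names are hypothetical and net30 topology is assumed.

```python
import ipaddress
import math


def client_block(tunnel_net: str, override_net: str) -> ipaddress.IPv4Network:
    """Return the /30 an override reserves, enforcing the two constraints from
    the replies: a /30 chunk that lies inside the server's tunnel network
    (10.0.2.120/30 against 10.0.1.0/24 is the failing case from the thread)."""
    tunnel = ipaddress.ip_network(tunnel_net, strict=True)
    block = ipaddress.ip_network(override_net, strict=True)
    if block.prefixlen != 30:
        raise ValueError(f"{block} is not a /30; net30 hands out /30 chunks")
    if not block.subnet_of(tunnel):
        raise ValueError(f"{block} is outside tunnel network {tunnel}")
    return block


def ifconfig_push(tunnel_net: str, override_net: str) -> str:
    """Line written to the client's CSC file (assumes net30 topology, which
    the thread's addresses match): the two usable addresses of the /30 are
    the client and the server-side endpoint, in that order."""
    client, server = list(client_block(tunnel_net, override_net).hosts())
    return f"ifconfig-push {client} {server}"


def rule_source(tunnel_net: str, override_net: str) -> str:
    """Source for a firewall rule on the OpenVPN tab that matches only this
    client: the whole /30, as recommended above, not a single address."""
    return str(client_block(tunnel_net, override_net))


def tunnel_prefix_for(users: int) -> int:
    """Smallest prefix length whose network holds users * 4 addresses (one /30
    per client). 500 users -> 2000 addresses -> 2048 -> /21."""
    if users < 1:
        raise ValueError("need at least one user")
    return 32 - max(2, math.ceil(math.log2(users * 4)))


if __name__ == "__main__":
    print(ifconfig_push("10.0.1.0/24", "10.0.1.180/30"))  # 10.0.1.181 10.0.1.182
    print("rule source:", rule_source("10.0.1.0/24", "10.0.1.180/30"))
    print(f"tunnel network for 500 users: /{tunnel_prefix_for(500)}")
    try:
        client_block("10.0.1.0/24", "10.0.2.120/30")
    except ValueError as err:
        print("rejected:", err)
```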
                              • jimp Rebel Alliance Developer Netgate

                                I just pushed a fix; it should be in new snaps soon.


                                • Nachtfalke

                                  Hi,
                                  it is working for me now as expected.
                                  I am using 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011

                                  Thanks jimp!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.