Limiting scope of openVPN access



  • I have successfully set up the openVPN module to allow vpn users access to the local lan, and it works perfectly with the windows installer.  Is there a way for me to limit these users to just one machine?  For example, I want to give an employee vpn access so he can rdp into his desktop when he is on the road BUT I do not want him to be able to access anything else on the lan?  Is this possible to do?


  • Rebel Alliance Developer Netgate

    You can limit that with firewall rules on the OpenVPN tab in 2.0

    To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)



  • @jimp:

    You can limit that with firewall rules on the OpenVPN tab in 2.0

    To be sure you're just filtering this one person, you can assign them a static IP by using a client-specific override on that tab of the OpenVPN configuration. (Bear in mind how OpenVPN allocates IPs in /30 chunks)

How could I assign a client a static IP?

OpenVPN Server tunnel network is 10.0.0.0/24
Do I have to enter this network in the client specific override, too, or is THIS the point where I have to enter 10.0.0.4/30, which means:
    netmask: 10.0.0.4
    server: 10.0.0.5
    client: 10.0.0.6
    BC: 10.0.0.7

PS: If I push any routes on the OpenVPN Server but not in the client specific overrides, will the client get these routes or not? What about other options like domain and NTP? Do I have to configure these twice?

    Thanks for your feedback


  • Rebel Alliance Developer Netgate

    You are safest just to refer to the whole /30 in firewall rules. When you set the IP for the client, you need to use, for example: 10.0.0.4/30 like you had.

    The addressing in OpenVPN is covered a bit here:
    http://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses%3F

    The client will get all settings from the server as usual, just on their static IP. If you want to stop the user from getting the pushed routes and settings, you can check "Prevent this client from receiving any server-defined client settings." on the override.



  • Thanks jimp. Do you see any limits on how many people I can set up this way?  Down the road, we may have as many as 500 users who are on the road, and I want to give each user a vpn that only accesses their own virtual desktop.


  • Rebel Alliance Developer Netgate

Just use a large enough subnet to accommodate your users * 4. So in your case, ~512*4=2048 IPs, so a /21 or a /20's worth of IPs in any of the private blocks would work.



  • Hi,

    I noticed some problems with "Client Specific overrides".

    I am using an OpenVPN Server with Tunnel Network 10.0.1.0/24

    I tried with Client specific override tunnel network of 10.0.2.120/30

The client could connect to the server but got no access. That's ok, because of the wrong subnet.
Ok, I then deleted the complete client specific override for this client/CN, restarted the OpenVPN Server, but the client still got the IP of the 10.0.2.120/30 subnet.

I created again a client specific override for this client/CN and didn't choose any tunnel network (so it used the server's default), and then it connected fine and got an IP of the 10.0.1.0/24 subnet.

Did I do something wrong?!


  • Rebel Alliance Developer Netgate

    Yes, the static IPs for overrides must be within the tunnel network.
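The /30 arithmetic behind the three posts above (the user's 10.0.0.4/30 breakdown, jimp's "refer to the whole /30 in firewall rules" and "overrides must be within the tunnel network" answers, and the users*4 sizing) can be checked with a short script. The following is an added example, not code from this thread or from pfSense; it uses only Python's standard `ipaddress` module (3.7+). The desktop address 192.168.1.50, the `RDP_PORT` constant and the plain-dict rule layout are constructed for illustration and are not pfSense rule syntax.

```python
"""Added example: OpenVPN net30 (/30 per client) addressing checks for
pfSense client-specific overrides and a per-client RDP-only firewall rule."""
import ipaddress

RDP_PORT = 3389  # assumed: the only service the roaming user should reach


def net30_blocks(tunnel_network):
    """Split the tunnel network into the /30 chunks OpenVPN hands out in net30
    topology. Each entry is (network, first host, second host, broadcast).
    The first /30 is used by the server itself (standard OpenVPN behaviour)."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    out = []
    for b in net.subnets(new_prefix=30):
        first, second = list(b.hosts())
        out.append((b.network_address, first, second, b.broadcast_address))
    return out


def override_problem(tunnel_network, override_cidr):
    """Return None if override_cidr is a usable /30 for this tunnel network,
    otherwise a short reason. Covers the failure from the thread (block outside
    the tunnel network) plus a mis-aligned /30 and the server's own block."""
    tunnel = ipaddress.ip_network(tunnel_network, strict=True)
    try:
        block = ipaddress.ip_network(override_cidr, strict=True)
    except ValueError:
        return f"{override_cidr}: not an aligned block (host bits set)"
    if block.prefixlen != 30:
        return f"{override_cidr}: override must be a /30"
    if not block.subnet_of(tunnel):
        return f"{override_cidr}: outside tunnel network {tunnel}"
    if block == next(tunnel.subnets(new_prefix=30)):
        return f"{override_cidr}: first /30 is taken by the server"
    return None


def override_block(tunnel_network, override_cidr):
    """Validated /30 for a client-specific override, or ValueError."""
    problem = override_problem(tunnel_network, override_cidr)
    if problem:
        raise ValueError(problem)
    return ipaddress.ip_network(override_cidr, strict=True)


def ifconfig_push_line(block):
    """The ifconfig-push line written to /var/etc/openvpn-csc/<cn>, in the
    order the thread's file shows: client address first, then its peer."""
    first, second = list(block.hosts())
    return f"ifconfig-push {first} {second}"


def rdp_only_rule(block, desktop_ip):
    """Single pass rule for the OpenVPN interface tab; anything else from the
    client's /30 falls through to the default deny. Illustrative dict only."""
    return {
        "interface": "OpenVPN",
        "action": "pass",
        "proto": "tcp",
        "source": str(block),  # the whole /30, as recommended in the thread
        "destination": str(ipaddress.ip_address(desktop_ip)),
        "port": RDP_PORT,
    }


def prefix_for_users(users):
    """Smallest prefix length whose address count covers users * 4 plus the
    server's own /30 (the users*4 sizing from the thread, plus 4)."""
    needed = (users + 1) * 4
    prefix = 30
    while 2 ** (32 - prefix) < needed:
        prefix -= 1
    return prefix


if __name__ == "__main__":
    blocks = net30_blocks("10.0.0.0/24")
    print("server block:", blocks[0], "first client block:", blocks[1])
    block = override_block("10.0.1.0/24", "10.0.1.180/30")
    print(ifconfig_push_line(block))
    print(rdp_only_rule(block, "192.168.1.50"))  # constructed desktop IP
    for bad in ("10.0.2.120/30", "10.0.1.181/30", "10.0.1.0/30", "10.0.1.0/29"):
        print("rejected:", override_problem("10.0.1.0/24", bad))
    print("prefix for 500 users:", prefix_for_users(500))
```

Running it reproduces the 10.0.2.120/30 rejection from the later posts and the `ifconfig-push 10.0.1.181 10.0.1.182` line for a 10.0.1.180/30 override; the rule dict is the shape of the one OpenVPN-tab pass rule that leaves everything else from that /30 blocked.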



  • @jimp:

    Yes, the static IPs for overrides must be within the tunnel network.

    Yes, I wrote that in my previous post I think.

What I want to say is:

    If I create an override for a client the override is working.
If I delete the override completely, then the override still exists.


  • Rebel Alliance Developer Netgate

    You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.



  • @jimp:

    You have to restart OpenVPN after editing or deleting an override, IIRC. It doesn't restart them automatically.

    Thanks. Good to know that but I restarted the OpenVPN Server after I did any changes.

---- EDIT ----

    I tested it again:

    Restarting OpenVPN Server
    OpenVPN-Server Tunnel Network is: 10.0.1.0/24
    Client Specific Override Tunnel Network: 10.0.1.180/30
    Restarting OpenVPN Server
    Connecting Client
This is working. Client's IP after connecting to the server is: 10.0.1.181/30
    Disconnecting client
    Deleting Client specific override
    Restarting server
    Connecting Client
    This is working. Client IP is still 10.0.1.181/30

    I attached some screenshots.







  • Rebel Alliance Developer Netgate

    Does the file for that cn still exist in /var/etc/openvpn-csc?



Yes, it does exist:

    ifconfig-push 10.0.1.181 10.0.1.182
    

  • Rebel Alliance Developer Netgate

    I just pushed a fix, should be in new snaps soon



  • Hi,
it is now working for me as expected.
    I am using 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011

    Thanks jimp!


Locked