OpenVPN: custom rules for each user



  • Hello,
    I have pfSense 2.0.1.
    I work with OpenVPN.
    Is it possible to have a specific configuration for each OpenVPN user, to restrict a user to accessing specific IPs?
    Right now I have the same routes and access for all my users.


  • Rebel Alliance Developer Netgate

    You can set up a static IP for each user using Client-Specific Overrides for their name, and then filter based on that.



  • @jimp:

    You can set up a static IP for each user using Client-Specific Overrides for their name, and then filter based on that.

    Thanks jimp.
    I tried Client-Specific Overrides and the solution works ;)

    I have another problem with specific routes for users.
    If I configure routes in the "VPN -> OpenVPN -> Server" -> Advanced box, everything works.
    The route syntax is this:
    push "route my_network my_subnet";

    If I configure routes in the "VPN -> OpenVPN -> Client-Specific Overrides -> my user" -> Advanced box, it does not work.
    I tried these syntaxes:
    push "route my_network my_subnet";
    iroute my_network my_subnet;
    route my_network my_subnet;

    Can you help me?


  • Rebel Alliance Developer Netgate

    If you want to deliver a route to just that user, then use push just like on the main advanced options.

    iroute would route a specific subnet to the client (meaning the subnet is at the client's end), and route won't really do anything special in there. Push is what you want.
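The distinction jimp draws here (a static tunnel address per client, `push "route ..."` to deliver a route to that one client, `iroute` only for a subnet that sits behind the client) is easy to get wrong when typing overrides by hand. The following added example is not pfSense or OpenVPN code and not from anyone in this thread; it is a small hypothetical generator that renders an OpenVPN client-config-dir (CCD) entry from a declarative description, converts it to the semicolon-separated form that the pfSense "Advanced" box is assumed to expect, and flags `push` lines whose argument is not quoted (OpenVPN requires `push` to take a single quoted string). It assumes a `topology subnet` server, so `ifconfig-push` takes an address and a netmask; it does not generate the server-side `route` that an `iroute` also needs.

```python
"""Hypothetical OpenVPN client-specific override (CCD) generator.

Added example, not pfSense/OpenVPN project code. Assumptions:
- server runs `topology subnet`, so `ifconfig-push <addr> <netmask>` is valid
- routes the client should learn go out as push "route ..." (quoted!)
- subnets located behind the client are announced with `iroute`
- pfSense's Advanced/Custom options box takes options separated by ';'
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientOverride:
    common_name: str                 # certificate CN the override applies to
    tunnel_ip: str                   # static tunnel address (what you filter on)
    tunnel_mask: str = "255.255.255.0"
    push_routes: List[str] = field(default_factory=list)    # CIDRs delivered to client
    client_subnets: List[str] = field(default_factory=list) # CIDRs behind the client
    metric: Optional[int] = None     # optional metric appended via vpn_gateway


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects host bits, e.g. "192.168.1.5/24" is an error
    return ipaddress.ip_network(cidr, strict=True)


def render_ccd(o: ClientOverride) -> str:
    """Render the CCD file body for one client."""
    ipaddress.ip_address(o.tunnel_ip)  # validate early, raise on garbage
    lines = [f"# client-specific override for {o.common_name}",
             f"ifconfig-push {o.tunnel_ip} {o.tunnel_mask}"]
    for cidr in o.push_routes:
        n = _net(cidr)
        tail = f" vpn_gateway {o.metric}" if o.metric is not None else ""
        # the whole route directive must be ONE quoted argument to push
        lines.append(f'push "route {n.network_address} {n.netmask}{tail}"')
    for cidr in o.client_subnets:
        n = _net(cidr)
        # iroute tells the server this subnet is reachable via this client
        lines.append(f"iroute {n.network_address} {n.netmask}")
    return "\n".join(lines) + "\n"


def to_pfsense_advanced(ccd_text: str) -> str:
    """Collapse CCD lines into the ';'-separated Advanced-box form (assumed)."""
    opts = [l.strip() for l in ccd_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    return ";".join(opts)


_PUSH_OK = re.compile(r'^push\s+"[^"]*"\s*$')


def find_unquoted_push(config_text: str) -> List[str]:
    """Return push lines that are not of the form: push "<directive args>"."""
    bad = []
    for line in config_text.splitlines():
        s = line.strip().rstrip(";")
        if s.startswith("push") and not _PUSH_OK.match(s):
            bad.append(s)
    return bad


if __name__ == "__main__":
    # constructed sample client, not from any real deployment
    alice = ClientOverride("alice", "10.8.0.10",
                           push_routes=["192.168.10.0/24"],
                           client_subnets=["172.16.5.0/24"], metric=10)
    ccd = render_ccd(alice)
    print(ccd)
    print(to_pfsense_advanced(ccd))
    print(find_unquoted_push("push route 192.168.1.0 255.255.255.0 vpn_gateway"))
```

Filtering "based on that", as jimp suggests, then means writing firewall rules on the OpenVPN interface with the client's `tunnel_ip` as source; the generator only guarantees that the address is fixed and that the push syntax OpenVPN will accept is what reaches the box.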



  • @jimp:

    iroute would route a specific subnet to the client (meaning the subnet is at the client's end), and route won't really do anything special in there. Push is what you want.

    I guess that you only need the "vpn_gateway" option if additional parameters are needed?
    push route 192.168.1.0 255.255.255.0 vpn_gateway;

    As a tip for the forum, because it took me a little longer to research this last year:
    we need it to push the OpenVPN network with a metric, independently of whether the user is connected externally or "accidentally" internally.
    push route 192.168.10.0 255.255.255.0 vpn_gateway 10;
    push route 192.168.11.0 255.255.255.0 vpn_gateway 10;

    (found this tip in German here: http://web.archive.org/web/20110901093327/http://blog.it4sport.de/2009/02/06/openvpn-metric-ich-bin-verwirrt/ )


  • Rebel Alliance Developer Netgate

    I've never seen any situation that called for that syntax. Only this:

    push "route x.x.x.0 255.255.255.0";

