OpenVPN: custom rules for each user

ManuelRighi · May 3, 2013, 10:33 AM

Hello,
I have pfsense 2.0.1
I work with OpenVPN.
It's possible to have a specific configuration for each OpenVPN Users, for restrict user to access to specif ip ?
Actually I have same route ad access for my all users.

jimp · May 3, 2013, 6:52 PM

You can setup a static IP for each user using Client-Specific Overrides for their name, and then filter based on that.

ManuelRighi · May 6, 2013, 8:44 AM

@jimp:

You can setup a static IP for each user using Client-Specific Overrides for their name, and then filter based on that.

Tnx jimp.
I try Client-Specific Overrides and solution works ;)

I have another problem with specific routes for users.
If I configure routes on "VPN -> OpenVPN -> Server" -> Advanced box, all works
The route syntax is this:
push "route my_network my_subnet";

If I configure routes on "VPN -> OpenVPN -> Client-Specific Overrides -> my user -> Advanced box, not work.
I try these syntax:
push "route my_network my_subnet";
iroute my_network my_subnet;
route my_network my_subnet;

Can you help me ?

jimp · May 6, 2013, 11:38 AM

If you want to deliver a route to just that user, then use push just like on the main advanced options.

iroute would route a specific subnet to the client (meaning the subnet is at the client's end), and route won't really do anything special in there. Push is what you want.

Reiner030 · May 6, 2013, 1:25 PM

@jimp:

iroute would route a specific subnet to the client (meaning the subnet is at the client's end), and route won't really do anything special in there. Push is what you want.

I guess that you need "vpn_gateway" Option only if additional parameters were needed?
push route 192.168.1.0 255.255.255.0 vpn_gateway;

As tip for the forum because I take a little longer research for it last year:
We need it to push OpenVPN network independently if user is external or "accidently" internal connected with metric.
push route 192.168.10.0 255.255.255.0 vpn_gateway 10;
push route 192.168.11.0 255.255.255.0 vpn_gateway 10;

(found this tip in german here: http://web.archive.org/web/20110901093327/http://blog.it4sport.de/2009/02/06/openvpn-metric-ich-bin-verwirrt/ )

jimp · May 6, 2013, 1:41 PM

I've never seen any situation that called for that syntax. Only this:

push "route x.x.x.0 255.255.255.0";