Best way to separate client traffic?



  • I will have two groups of users: privileged and restricted.  There will be a handful of privileged users and a lot of restricted users.  I would like to have them both connected to the same server and port, if possible.

    The simplest method would be to have them connect on different ports, and have the firewall rules restrict the two separate OpenVPN networks as needed.  I may end up doing this, but I would like to avoid it if I can.  I want OpenVPN traffic arriving on port 443 so it can bypass restrictive firewalls.  If someone knows another port I can use for OpenVPN traffic, I'm open to suggestions.

    The other method I've found is to use client-specific overrides.  This would create a lot of work on my part, as I would have to assign a static address to every user.

    A simple method, if possible, would be to assign a static IP to the privileged users outside of the OpenVPN dynamic pool.  The dynamic range would be used for restricted users.  I tried this, but I was unable to access the network.  The internal network is 192.168.20.0/24.  The OpenVPN network is 192.168.21.0/24.  I tried giving myself a static IP of 192.168.22.4/30 in the client-specific overrides.  The address assignment was successful, but communication with the firewall's internal IP was not possible.

    I am using 2.0 on my test server and 2.1-RC0 on my production server.



  • Hi Syntax,

    You should be able to handle the topics just fine with some subnetting/firewalling, IMHO, on the OpenVPN Interface under firewall rules.

    By default of course, everything is restricted.  You can just define which subnets can do what.  I suggest a cheat sheet like this:

    http://www.aelius.com/njh/subnet_sheet.html

    Look at the section titled: "/30 – 64 Subnets -- 2 Hosts/Subnet", and set your static within one of the "IP Range" sections.  I think your choice of 192.168.22.4/30 might not work, because .4 is the "network", while .5 and .6 are the only ones usable, (and 7 is the broadcast).

    Also, what is the firewall's internal IP? 192.168.20.1?

    To be able to talk to that the firewall rule on the OpenVPN interface will need to be set to allow traffic to it.

    @Syntax42:

    I will have two groups of users: privileged and restricted.  There will be a handful of privileged users and a lot of restricted users.  I would like to have them both connected to the same server and port, if possible.

    The simplest method would be to have them connect on different ports, and have the firewall rules restrict the two separate OpenVPN networks as needed.  I may end up doing this, but I would like to avoid it if I can.  I want OpenVPN traffic arriving on port 443 so it can bypass restrictive firewalls.  If someone knows another port I can use for OpenVPN traffic, I'm open to suggestions.

    The other method I've found is to use client-specific overrides.  This would create a lot of work on my part, as I would have to assign a static address to every user.

    A simple method, if possible, would be to assign a static IP to the privileged users outside of the OpenVPN dynamic pool.  The dynamic range would be used for restricted users.  I tried this, but I was unable to access the network.  The internal network is 192.168.20.0/24.  The OpenVPN network is 192.168.21.0/24.  I tried giving myself a static IP of 192.168.22.4/30 in the client-specific overrides.  The address assignment was successful, but communication with the firewall's internal IP was not possible.

    I am using 2.0 on my test server and 2.1-RC0 on my production server.



  • @wm408:

    Hi Syntax,

    You should be able to handle the topics just fine with some subnetting/firewalling, IMHO, on the OpenVPN Interface under firewall rules.

    By default of course, everything is restricted.  You can just define which subnets can do what.  I suggest a cheat sheet like this:

    http://www.aelius.com/njh/subnet_sheet.html

    Look at the section titled: "/30 – 64 Subnets -- 2 Hosts/Subnet", and set your static within one of the "IP Range" sections.  I think your choice of 192.168.22.4/30 might not work, because .4 is the "network", while .5 and .6 are the only ones usable, (and 7 is the broadcast).

    Also, what is the firewall's internal IP? 192.168.20.1?

    To be able to talk to that the firewall rule on the OpenVPN interface will need to be set to allow traffic to it.

    This doesn't answer my questions.  You seem to be suggesting a flaw in my IP address assignments due to the subnet.  My issue has no relation to the subnet.  If I assign a 192.168.22.4/30 to a client, I know .4 is the network and .6 ends up being the client's address.  I don't care about that, unless the address I put before the subnet somehow affects the ability for the client to communicate with the internal network.  I doubt it, but I will test it today with a 192.168.22.6/30 assignment.

    What I'm trying to do is create two separate "zones" or groups of clients, so I can apply firewall rules to them.  After more thought, I have decided it may be easiest to create two servers on the firewall:  one on TCP 443 and the other on TCP 993 (IMAP).  Each server would have its own address range.  This should allow traffic to bypass almost any public internet access firewall while giving me the ability to control traffic based on user groups.
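    Added example (not from this thread or from pfSense): a small script that automates the "static address per privileged user" approach discussed above, so it is not hand-work per user. It assumes the OpenVPN 2.0-era default topology "net30" (each client consumes a /30; the client receives the second usable address, e.g. .6, and the server-side peer is the first, e.g. .5), the thread's subnets (192.168.21.0/24 dynamic pool, 192.168.22.0/24 for privileged users, 192.168.20.0/24 internal), and an OpenVPN server that has a `client-config-dir` and a `route 192.168.22.0 255.255.255.0` directive so return traffic for the extra subnet is sent to the tunnel interface. The pf rule text and interface name are illustrative, not pfSense's own generated rules.

```python
"""Generate OpenVPN client-config-dir (CCD) overrides that place privileged
clients in 192.168.22.0/24, outside the 192.168.21.0/24 dynamic pool.

Assumptions (not from the thread): net30 topology, a server config with
`client-config-dir ccd` and `route 192.168.22.0 255.255.255.0`, and an
illustrative tunnel interface name for the firewall rules.
"""
import ipaddress
from pathlib import Path

DYNAMIC_POOL = ipaddress.ip_network("192.168.21.0/24")    # restricted users
PRIVILEGED_NET = ipaddress.ip_network("192.168.22.0/24")  # privileged users
INTERNAL_NET = ipaddress.ip_network("192.168.20.0/24")    # LAN behind the firewall
TUN_IF = "ovpns1"  # assumed interface name, adjust for your server


def net30_block(client_ip):
    """Split the /30 containing client_ip into (network, server_peer, client, broadcast)."""
    block = ipaddress.ip_network(f"{client_ip}/30", strict=False)
    peer, client = list(block.hosts())  # a /30 has exactly two usable addresses
    return block.network_address, peer, client, block.broadcast_address


def ccd_directive(client_ip):
    """Return the ifconfig-push line for a net30 client.

    Rejects the network, broadcast and server-peer addresses of the /30, which
    is the mistake of handing a client .4 when only .6 is the client slot.
    """
    ip = ipaddress.ip_address(client_ip)
    _network, peer, client, _broadcast = net30_block(ip)
    if ip != client:
        raise ValueError(f"{ip} is not the client address of its /30 (use {client})")
    return f"ifconfig-push {client} {peer}"


def allocate_privileged(common_names):
    """Hand out consecutive /30 blocks from PRIVILEGED_NET, one per certificate CN."""
    blocks = PRIVILEGED_NET.subnets(new_prefix=30)
    assignments = {}
    for cn in common_names:
        _peer, client = list(next(blocks).hosts())
        assignments[cn] = str(client)
    return assignments


def write_ccd(ccd_dir, assignments):
    """Write one CCD file per CN (file name must equal the certificate CN)."""
    ccd_path = Path(ccd_dir)
    ccd_path.mkdir(parents=True, exist_ok=True)
    written = []
    for cn, client_ip in assignments.items():
        target = ccd_path / cn
        target.write_text(ccd_directive(client_ip) + "\n")
        written.append(target)
    return written


def zone_of(client_ip):
    """Classify a tunnel address into the firewall zone it should be matched by."""
    ip = ipaddress.ip_address(client_ip)
    if ip in PRIVILEGED_NET:
        return "privileged"
    if ip in DYNAMIC_POOL:
        return "restricted"
    return "unknown"


def firewall_rules():
    """Illustrative pf-style rules: privileged zone reaches the LAN, restricted does not.

    Default deny first, then one pass rule per zone; tighten the restricted
    rule to whatever that group actually needs.
    """
    return [
        f"block in quick on {TUN_IF} all",  # placed last in pf, first here for reading order
        f"pass in quick on {TUN_IF} inet from {PRIVILEGED_NET} to {INTERNAL_NET} keep state",
        f"pass in quick on {TUN_IF} inet from {DYNAMIC_POOL} to {INTERNAL_NET} port 443 keep state",
    ]


if __name__ == "__main__":
    plan = allocate_privileged(["alice", "bob"])
    for cn, ip in plan.items():
        print(cn, ccd_directive(ip), zone_of(ip))
    print("\n".join(firewall_rules()))
```

The script only relieves the per-user work for the privileged group; restricted users still draw from the dynamic pool and need no override, which is what keeps the approach workable with "a handful" of privileged accounts and many restricted ones.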



  • If it's firewall-rule-based controls, all you would have to do is assign static maps for each computer.  Then assign each computer to one of two aliases.  One alias could be privileged and the other limited.  Then you could create firewall rules for each of the two aliases.

    Not sure if that gets you everything you want, but it's easy to do on a single subnet.



  • As I mentioned in my first post, creating static maps for every client would be very labor-intensive.  I would rather just create two servers with different address pools.


  • Move to the separate ports/VLAN plan. Plan A is a waste of time.



  • Sounds like you have it all worked out then.  :D

