Netgate Discussion Forum

    Multiple User Best Practice

    Category: OpenVPN
    6 Posts 2 Posters 1.4k Views
      tabs

      How would you guys recommend I set up multiple users with different access rights?

      I was planning on having 3 groups of users.

      I was thinking of running different server instances on 3 different ports. That way I would let the Tunnel Network assign IPs, grab the 3 different subnets, and create allow/block rules where needed.

      The other option I can think of is not inserting an IPv4 Tunnel Network address, and then creating Client Specific Overrides for each user.

      The first option seems easier, but I would like to know what you guys think.

      Thanks in advance.

        viragomann

        I faced exactly the same challenge months ago when we planned to replace our old Astaro ASG with pfSense. The Astaro could use users and groups in firewall rules; pfSense can't.

        I then implemented your first solution because it was the only way I came up with.

        I set up 3 different CAs for the user and server certificates, and 3 OVPN servers with different tunnel networks listening on different ports. To each server I assigned a different CA, server certificate and CRL, and the users got their certificates from the particular CA.

        After this I assigned a meaningful alias to each tunnel subnet. Now the users' privileges can be clearly arranged by OVPN firewall rules.
        That works very well and I am highly satisfied with this solution.

          tabs

          Yes, that seems to be the easiest option. I was just thinking about the extra overhead of 3 servers, and any extra security concerns (if any) with unnecessarily opening extra ports for the additional servers.

          What I don't get is why you set up additional CAs.

            viragomann

            @tabs:

            What I don't get is why you set up additional CAs.

            When going this way it is necessary to use SSL/TLS authentication for isolating user groups.
            I assigned CA1 and CRL1 to OVPN server 1, and user 1 got his certificate from CA1. CA2 and its CRL2 are assigned to OVPN2, and user 2 got his cert from CA2, and so on. This ensures that user 1 can establish a connection to OVPN1 only and not to any other VPN server. User 2 can only connect to OVPN2.

            If you used a common CA, all users would be able to connect to any server if they edited the VPN config accordingly.

            The only other option I see is to use different user databases, which can be assigned to the different OVPN servers. Or am I missing something?

              tabs

              @viragomann:

              If you used a common CA, all users would be able to connect to any server if they edited the VPN config accordingly.

              I see your point, but the people using the VPN wouldn't have a clue how to change the config, nor know what to change it to.

                viragomann

                @tabs:

                the people using the VPN wouldn't have a clue how to change the config

                In that case it will be OK to use just a single CA. But our clients are software developers. I do not need to say more. ;)

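One way to keep the per-group isolation viragomann describes while running a single CA, as an added example that is not from this thread nor from pfSense or OpenVPN's own code: an OpenVPN `--tls-verify` hook that admits only client certificates whose OU names the group a given server instance serves. It assumes the CA operator puts a group OU into each user certificate at issuance (a client cannot alter it without breaking the signature), that each server runs the hook via `script-security 2` and `tls-verify /path/to/check-ou.sh` with `ALLOWED_OU` set for its group, and that subjects use the OpenVPN 2.4+ comma-separated format.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN --tls-verify hook for a single-CA setup.
# Assumption: each group's client certificates carry a distinguishing OU (e.g. OU=developers),
# and each OpenVPN server instance sets ALLOWED_OU to the group it serves.
# OpenVPN invokes the hook as:  <script> <depth> <x509-subject>
# and aborts the TLS handshake when the hook exits nonzero. The CA signature and CRL are
# still checked by OpenVPN itself; this hook only narrows which valid certs a server admits.

ALLOWED_OU="${ALLOWED_OU:-developers}"

# check_subject DEPTH SUBJECT -> exit status 0 (admit) or 1 (reject)
check_subject() {
    depth="$1"
    subject="$2"
    # Only the leaf certificate (depth 0) identifies the user; CA certificates higher up
    # the chain are admitted as-is because the chain itself was already validated.
    if [ "$depth" != "0" ]; then
        return 0
    fi
    # OpenVPN 2.4+ formats the subject as "C=XX, O=Org, OU=group, CN=user".
    # Match the OU as a whole RDN so that OU=developers-ext does not pass for developers.
    case ", ${subject}," in
        *", OU=${ALLOWED_OU},"*) return 0 ;;
        *) return 1 ;;
    esac
}

# When run by OpenVPN (two positional args), perform the check and exit with its status.
if [ "$#" -eq 2 ]; then
    check_subject "$1" "$2"
    exit $?
fi
```

On pfSense the two directives would go into the server's Custom options box; a rejected handshake shows up in the OpenVPN log as a TLS verification failure, which is the event to alert on.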
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.