Multiple User Best Practice
-
How would you guys recommend I set up multiple users with different access rights?
I was planning on having 3 groups of users.
I was thinking of running different server instances on 3 different ports. That way I would let the Tunnel Network assign IPs, grab the 3 different subnets and create allow/block rules where needed.
The other option I can think of is not entering an IPv4 Tunnel Network address, and then creating Client Specific Overrides for each user.
The first option seems easier, but I would like to know what you guys think.
Thanks in advance.
-
I faced exactly the same challenge months ago when we planned to replace our old Astaro ASG with pfSense. The Astaro could use users and groups in firewall rules, pfSense can't.
I then implemented your first solution because it was the only way I came up with.
I set up 3 different CAs for the user and server certificates, and 3 OVPN servers with different tunnel networks listening on different ports. To each server I assigned a different CA, server certificate and CRL, and the users got their certificates from the particular CA.
After this I assigned a meaningful alias to each tunnel subnet. Now the users' privileges can be clearly arranged by OVPN firewall rules.
That works very well and I am highly satisfied with this solution.
-
Yes that seems to be the easiest option, I was just thinking about the extra overhead with 3 servers, and any extra security concerns (if any) with unnecessarily opening extra ports for the additional servers.
What I don't get is why you set up additional CAs.
-
What I don't get is why you set up additional CAs.
When going this way it is necessary to use SSL/TLS authentication for isolating user groups.
I assigned CA1 and CRL1 to OVPN server 1, and user 1 got his certificate from CA1. CA2 and its CRL2 are assigned to OVPN2, and user 2 got his cert from CA2, and so on. This ensures that user 1 can establish a connection to OVPN1 only and not to any other VPN server. User 2 can only connect to OVPN2. If you used a common CA, all users would be able to connect to any server if they edited the VPN config accordingly.
The only other option I see is to use different user databases which can be assigned to the different OVPN servers. Or am I missing something?
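The isolation described in this post can be checked outside pfSense with plain OpenSSL. The script below is an added example, not something posted in the thread: it builds two throwaway CAs (standing in for CA1 and CA2), issues one user certificate from each, and verifies that a user1 certificate chains only to CA1, which is exactly the check an OpenVPN server performs against its configured `ca` file during the TLS handshake. All names (CA1, CA2, user1, user2) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): one CA per OpenVPN server keeps user
# groups apart because a certificate issued by CA1 does not verify against
# CA2, so OVPN2 (configured with CA2) rejects it at the TLS stage.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate (the pfSense "CA" object)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# issue_user CA USER: user certificate signed by the given CA
issue_user() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# accepted CA USER: succeeds only if USER's certificate chains to CA,
# i.e. the server whose 'ca' directive points at CA would let USER in
accepted() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca CA1; make_ca CA2
issue_user CA1 user1; issue_user CA2 user2

# Print the acceptance matrix: each CA accepts only the user it issued.
for ca in CA1 CA2; do
  for u in user1 user2; do
    if accepted "$ca" "$u"; then echo "$ca accepts $u"; else echo "$ca rejects $u"; fi
  done
done
```

With a single shared CA both servers would accept both users, and only the port and tunnel network in the client config would decide which server (and which firewall alias) a user lands in.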
-
If you used a common CA, all users would be able to connect to any server if they edited the VPN config accordingly.
I see your point, but the people using the VPN wouldn't have a clue on how to change the config, nor know what to change the config to.
-
the people using the VPN wouldn't have a clue on how to change the config
In that case it will be OK to use just a single CA. But our clients are software developers. I do not need to say more. ;)