Netgate Discussion Forum

    What is the best way to do user-based VPN access?

    • BlakeDarwinXE

      After looking around for 2 days now I have not found a clear-cut answer to my problem. Any help is welcome.

      Here is my server:

      LAN: PC network no VLAN
      OPT1: 4x VLANs, each with a group of servers. These VLANs are blocked from talking to each other, as they are set up for different friends to host servers.

      My Goal: I'm looking for the best way to grant Client-to-Site (Site-to-Site might come later if there is a need) VPN access to each of these VLANs and the LAN. Some users should have access to only one VLAN, while others should have access to two or more of the VLANs.

      Thank you for your help.

      • phil.davis

        If there are only a couple of categories of user, then you can set up an OpenVPN server for each, listening on a different port with different certificate/s and tunnel subnet. Then you can easily control firewall rules on OpenVPN for those subnets.

        Or you can have a single OpenVPN server and use Client Specific Overrides to allocate a particular tunnel IP to a particular client certificate. Then the rules can be based on those tunnel IPs.

        Any other permutations of this?

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • BlakeDarwinXE

          @phil.davis:

          If there are only a couple of categories of user, then you can set up an OpenVPN server for each, listening on a different port with different certificate/s and tunnel subnet. Then you can easily control firewall rules on OpenVPN for those subnets.

          Or you can have a single OpenVPN server and use Client Specific Overrides to allocate a particular tunnel IP to a particular client certificate. Then the rules can be based on those tunnel IPs.

          Any other permutations of this?

          I was looking at the Client Specific Override, but didn't see a way to assign them to a client certificate. The documentation I found wasn't 100% clear on that part.
          OpenVPN multi purpose single server

          • phil.davis

            After making the internal CA, you make a server certificate for the server end, and a client certificate for each client (user). Then use the name of the client certificate in "common name" in the client specific overrides entry.

            Then give each client/user just their own certificate.

            Also, in the server settings, check "Strict User/CN Matching" - "When authenticating users, enforce a match between the common name of the client certificate and the username given at login". Then if a client person gets hold of someone else's client certificate they cannot use their own user-password with that other certificate to try and impersonate the other user and gain the other user's access/IP.

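The design phil.davis describes above, shown as an added example in plain-OpenVPN terms (this is not code from the thread, pfSense or OpenVPN): each Client Specific Override is a file named after the certificate CN in OpenVPN's client-config-dir carrying an ifconfig-push, Strict User/CN Matching is a username-equals-CN check of the kind an auth-user-pass-verify script makes, and the per-user firewall rules become a table keyed on the pinned tunnel IP. The tunnel network 10.8.0.0/24, the CNs alice/bob/carol and the VLAN subnets are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the plain-OpenVPN view of the pfSense setup
# phil.davis describes. Tunnel net 10.8.0.0/24, CNs alice/bob/carol and the VLAN
# subnets below are constructed assumptions.

# pfSense writes one file per Client Specific Override into OpenVPN's client-config-dir.
CCD_DIR="${CCD_DIR:-$(mktemp -d)}"

# Client Specific Override: pin a fixed tunnel IP to a certificate common name.
# The file name is the CN exactly as it appears in the client certificate.
cso_add() {  # cso_add <cn> <tunnel-ip>
    cn=$1; ip=$2
    [ -n "$cn" ] || return 1
    # the CN becomes a file name here, so refuse anything outside a conservative charset
    case "$cn" in [!A-Za-z0-9]*|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$cn"
}

# "Strict User/CN Matching": OpenVPN verifies the client certificate before it runs
# auth-user-pass-verify and exports the certificate CN as $common_name next to
# $username; the login is refused unless the two agree exactly. A borrowed
# certificate therefore cannot be combined with a different user's password.
strict_cn_check() {  # strict_cn_check <username> <common_name>
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Firewall rules on the OpenVPN interface, keyed on the pinned source tunnel IP.
# Prints "pass" or "block"; anything not listed falls through to the default deny.
vpn_policy() {  # vpn_policy <tunnel-src-ip> <destination-subnet>
    case "$1:$2" in
        10.8.0.10:192.168.10.0/24) echo pass ;;                            # alice: VLAN10 only
        10.8.0.11:192.168.10.0/24|10.8.0.11:192.168.20.0/24) echo pass ;;  # bob: VLAN10 and VLAN20
        10.8.0.12:192.168.1.0/24) echo pass ;;                             # carol: LAN only
        *) echo block ;;
    esac
}

# One override per client certificate, each user then gets only their own certificate.
cso_add alice 10.8.0.10
cso_add bob   10.8.0.11
cso_add carol 10.8.0.12
```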
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.