Netgate Discussion Forum

Remote access VPN with user group based filtering

OpenVPN
4 Posts 2 Posters 3.1k Views
    royhills
    last edited by Jan 14, 2016, 5:52 PM

    I'm migrating from a Cisco PIX IPsec solution to pfSense.  I think OpenVPN is a better solution for my users than IPsec because I can't find an obvious way to provide two-factor auth on Windows 10 64-bit with IPsec.

    I've got OpenVPN working with user certificates plus user authentication, but what I'm struggling with is how to give different access rights to different user groups: I've got some users that need email (SMTP + IMAP) and others that need remote desktop (RDP).  On Cisco, you do this by mapping the OU in the certificate to a VPN group, but that concept doesn't seem to exist with OpenVPN.

    I think I can create two OpenVPN servers on the pfSense system listening on different UDP ports, trusting different internal CAs, and using different tunnel networks.  Then issue user certificates signed by the appropriate CA and limit access based on the source address of the appropriate tunnel network in the OpenVPN firewall rules.

    Is this a sensible solution, or is there any better way of doing it? Is there something obvious I'm missing?

    I'm running pfSense 2.2.6 amd64 on an apu1d4 based system.

      viragomann
      last edited by Jan 14, 2016, 9:08 PM

      pfSense OpenVPN doesn't support user groups.

      @royhills:

      I think I can create two OpenVPN servers on the pfSense system listening on different UDP ports, trusting different internal CAs, and using different tunnel networks.  Then issue user certificates signed by the appropriate CA and limit access based on the source address of the appropriate tunnel network in the OpenVPN firewall rules.

      That's the workaround I would recommend. There is no limit on how many OpenVPN servers can be run on pfSense.
      I had a similar challenge when I switched to pfSense, I needed 3 VPN groups with different privileges. Now I'm running 3 OVPN servers to reach the target.

      Another way is the use of "Client Specific Overrides" in OpenVPN. So you can assign a particular IP address to each user cert and then use these IPs in firewall rules (aliases).

        royhills
        last edited by Jan 15, 2016, 10:00 AM

        Thanks for the pointer to client-specific overrides.  I think that will work in my situation, as I have a small number of remote-access clients, and I could give each one a separate /30 network by defining the local network for the user's certificate in the overrides.  Then I could use the remote client's IP in the OpenVPN firewall rules, with aliases to group and name them.

          viragomann
          last edited by Jan 15, 2016, 11:55 AM

          It's an option. If you have small groups you can string them together, so that your groups can be expressed with e.g. /28 for 4 users or /27 for 8.
          So it is easy to create firewall rules with these subnets.
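As an added example (not code from the thread or from pfSense), a small Python helper that carries out what the two replies above describe: one /30 per client certificate, with each group packed into an aligned block so the firewall alias for that group is a single /29, /28 or /27. It assumes net30 topology (the server keeps the first /30; in each client /30 the client is the +2 address and the server-side endpoint is +1), a constructed list of users and groups, and emits the `ifconfig-push` line equivalent to the override's tunnel-network setting.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample mapping: certificate CN -> access group (hypothetical users).
CLIENTS = OrderedDict([
    ("alice", "mail"), ("bob", "mail"), ("carol", "mail"),
    ("dave", "rdp"), ("erin", "rdp"),
])


def allocate(tunnel_network, clients):
    """Give every client cert its own /30 inside tunnel_network, packing each
    group into one aligned block so the group is a single CIDR for an alias.
    Assumes net30 topology: block 0 belongs to the server; in each client /30
    the client address is base+2 and the server-side endpoint is base+1."""
    net = ipaddress.ip_network(tunnel_network)
    blocks = list(net.subnets(new_prefix=30))
    groups = OrderedDict()
    for cn, group in clients.items():
        groups.setdefault(group, []).append(cn)
    ccd, aliases = {}, {}
    cursor = 1  # index 0 is the server's own /30
    for group, members in groups.items():
        # Round the number of /30s up to a power of two so the block aligns.
        count = 1 << (len(members) - 1).bit_length()
        cursor += -cursor % count  # advance to the next multiple of count
        if cursor + count > len(blocks):
            raise ValueError("tunnel network too small for all groups")
        prefix = 31 - count.bit_length()  # 1 -> /30, 2 -> /29, 4 -> /28, 8 -> /27
        start = blocks[cursor].network_address
        # strict=True (default) raises if the block were not aligned to prefix.
        aliases[group] = str(ipaddress.ip_network(f"{start}/{prefix}"))
        for i, cn in enumerate(members):
            base = blocks[cursor + i].network_address
            ccd[cn] = f"ifconfig-push {base + 2} {base + 1}"
        cursor += count  # reserve the whole block, even unused /30s in it
    return {"ccd": ccd, "aliases": aliases}


if __name__ == "__main__":
    result = allocate("10.8.0.0/24", CLIENTS)
    for cn, line in result["ccd"].items():
        print(f"{cn}: {line}")
    for group, cidr in result["aliases"].items():
        print(f"alias {group}: {cidr}")
```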
