Remote access VPN with user group based filtering



  • I'm migrating from a Cisco PIX IPsec solution to pfSense.  I think OpenVPN is a better solution for my users than IPsec because I can't find an obvious way to provide two-factor auth on Windows 10 64-bit with IPsec.

    I've got OpenVPN working with user certificates plus user authentication, but I'm struggling with is how to give different access rights to different user groups: I've got some users that need email (SMTP + IMAP) and others that need remote desktop (RDP).  On cisco, you do this by mapping the OU in the certificate to a VPN group, but that concept doesn't seem to exist with OpenVPN.

    I think I can create two OpenVPN servers on the pfSense system listening on different UDP ports, trusting different internal CAs, and using different tunnel networks.  Then issue user certificates signed by the appropriate CA and limit access based on the source address of the appropriate tunnel network in the OpenVPN firewall rules.

    Is this a sensible solution, or is there any better way of doing it? Is there something obvious I'm missing?

    I'm running pfSense 2.2.6 amd64 on an apu1d4 based system.



  • pfSense OpenVPN doesn't support user groups.

    @royhills:

    I think I can create two OpenVPN servers on the pfSense system listening on different UDP ports, trusting different internal CAs, and using different tunnel networks.  Then issue user certificates signed by the appropriate CA and limit access based on the source address of the appropriate tunnel network in the OpenVPN firewall rules.

    That's the workaround I would recommend. There is no limit on OpenVPN servers can be run on pfSense.
    I'd a similar challenge when I switched to pfSense, I needed 3 VPN groups with different privileges. Now I'm running 3 OVPN servers to reach the target.

    Another way is the use of "Client Specific Overrides" in OpenVPN. So you can assign a particular IP address to each user cert and then use this IPs in firewall rules (aliases).



  • Thanks for the pointer to client-specific overrides.  I think that will work in my situation, as I have a small number of remote-access clients, and I could give each one a separate /30 network by defining the local network for the user's certificate in the overrides.  Then I could use the remote client's IP in the OpenVPN firewall rules, with aliases to group and name them.



  • It's an option. If you have small groups you can string them together, so that your groups can be expressed with e.g. /28 for 4 users or /27 for 8.
    So it is easy to create firewall rules with this subnets.


Log in to reply