Netgate Discussion Forum
    Remote access VPN with user group based filtering

    Category: OpenVPN. 4 Posts, 2 Posters, 3.1k Views

    • royhills

      I'm migrating from a Cisco PIX IPsec solution to pfSense.  I think OpenVPN is a better solution for my users than IPsec because I can't find an obvious way to provide two-factor auth on Windows 10 64-bit with IPsec.

      I've got OpenVPN working with user certificates plus user authentication, but what I'm struggling with is how to give different access rights to different user groups: I've got some users that need email (SMTP + IMAP) and others that need remote desktop (RDP).  On Cisco, you do this by mapping the OU in the certificate to a VPN group, but that concept doesn't seem to exist with OpenVPN.

      I think I can create two OpenVPN servers on the pfSense system listening on different UDP ports, trusting different internal CAs, and using different tunnel networks.  Then issue user certificates signed by the appropriate CA and limit access based on the source address of the appropriate tunnel network in the OpenVPN firewall rules.

      Is this a sensible solution, or is there any better way of doing it? Is there something obvious I'm missing?

      I'm running pfSense 2.2.6 amd64 on an apu1d4 based system.

      • viragomann

        pfSense OpenVPN doesn't support user groups.

        @royhills:

        I think I can create two OpenVPN servers on the pfSense system listening on different UDP ports, trusting different internal CAs, and using different tunnel networks.  Then issue user certificates signed by the appropriate CA and limit access based on the source address of the appropriate tunnel network in the OpenVPN firewall rules.

        That's the workaround I would recommend. There is no limit on how many OpenVPN servers can be run on pfSense.
        I had a similar challenge when I switched to pfSense: I needed 3 VPN groups with different privileges. Now I'm running 3 OVPN servers to reach the target.

        Another way is the use of "Client Specific Overrides" in OpenVPN. So you can assign a particular IP address to each user cert and then use these IPs in firewall rules (aliases).

        • royhills

          Thanks for the pointer to client-specific overrides.  I think that will work in my situation, as I have a small number of remote-access clients, and I could give each one a separate /30 network by defining the local network for the user's certificate in the overrides.  Then I could use the remote client's IP in the OpenVPN firewall rules, with aliases to group and name them.

          • viragomann

            It's an option. If you have small groups you can string them together, so that your groups can be expressed with e.g. /28 for 4 users or /27 for 8.
            So it is easy to create firewall rules with these subnets.

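The allocation scheme discussed in the replies above (one /30 per user certificate via a client-specific override, with each group's /30s strung together so the whole group fits one aligned /28 or /27 that a single firewall alias can match) is worked through below. This is an added example, not code from the thread or from the pfSense project; it assumes a net30 tunnel topology in which the first /30 belongs to the server and each client override gets the higher host address, and the user names, group names, tunnel network 10.8.0.0/24, service ports and interface name `ovpns1` are constructed for illustration. The rule output is pf-style text to show the intent; on pfSense 2.2.x the same thing is an alias per group plus rules on the OpenVPN tab.

```python
import ipaddress

# Constructed sample data (not from the thread): user -> VPN group.
USERS = {
    "alice": "mail", "bob": "mail", "carol": "mail",
    "dave": "rdp", "erin": "rdp",
}
# Assumed server tunnel network (hypothetical value).
TUNNEL = ipaddress.ip_network("10.8.0.0/24")
# Assumed per-group services, used only by the illustrative firewall rules.
GROUP_PORTS = {"mail": [25, 143, 587, 993], "rdp": [3389]}


def group_block_prefix(n_users):
    """Prefix length of the smallest aligned block that holds n_users /30s.
    1 user -> /30, 2 -> /29, 3..4 -> /28, 5..8 -> /27, and so on."""
    prefix, size = 30, 4
    while size < n_users * 4:
        size *= 2
        prefix -= 1
    return prefix


def allocate(users, tunnel):
    """Give every user its own /30 and keep each group's /30s contiguous inside
    one aligned supernet, so one alias covers the group. Returns (overrides, groups)."""
    by_group = {}
    for user, group in sorted(users.items()):
        by_group.setdefault(group, []).append(user)
    overrides, groups = {}, {}
    # Skip the first /30 of the tunnel network: OpenVPN uses it for the server itself.
    cursor = int(tunnel.network_address) + 4
    # Largest groups first: their coarser alignment wastes less address space that way.
    for group in sorted(by_group, key=lambda g: (-len(by_group[g]), g)):
        prefix = group_block_prefix(len(by_group[group]))
        size = 2 ** (32 - prefix)
        start = -(-cursor // size) * size            # round cursor up to a block boundary
        block = ipaddress.ip_network((start, prefix))
        if not block.subnet_of(tunnel):
            raise ValueError(f"tunnel network {tunnel} is too small for group {group}")
        for user, sub in zip(by_group[group], block.subnets(new_prefix=30)):
            # net30: the low host of the /30 is the server side, the high host is the client.
            server_ip, client_ip = sub.hosts()
            overrides[user] = {
                "tunnel": str(sub),                  # value for the override's "Tunnel Network" field
                "client_ip": str(client_ip),
                "server_ip": str(server_ip),
            }
        groups[group] = str(block)
        cursor = start + size
    return overrides, groups


def ccd_lines(overrides):
    """The client-config-dir line each override amounts to under net30 topology (assumed)."""
    return {u: f"ifconfig-push {o['client_ip']} {o['server_ip']}" for u, o in overrides.items()}


def firewall_rules(groups, ports):
    """Illustrative pf-style rules: one alias (table) per group, passing only that group's
    ports from the group's block, with a default deny for everything else on the VPN interface."""
    lines = []
    for group, block in sorted(groups.items()):
        lines.append(f"table <vpn_{group}> {{ {block} }}")
        plist = ", ".join(str(p) for p in ports[group])
        lines.append(f"pass in quick on ovpns1 proto tcp from <vpn_{group}> to any port {{ {plist} }}")
    lines.append("block in on ovpns1")
    return lines


if __name__ == "__main__":
    ov, gr = allocate(USERS, TUNNEL)
    for user, line in ccd_lines(ov).items():
        print(f"{user:6} {ov[user]['tunnel']:14} {line}")
    print("\n".join(firewall_rules(gr, GROUP_PORTS)))
```

Because the blocks are aligned, the three mail users land in 10.8.0.16/28 and the two RDP users in 10.8.0.32/29, so each firewall alias is a single network rather than a list of host addresses; the alignment costs a few unused /30s between the server's own /30 and the first group block, which is the trade-off for group-sized rules.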