Limiting VPN user access to single internal IP



  • Is it possible to limit access for a VPN connected user to a single internal IP address?

    We have a contractor who connects to our internal network via OpenVPN for the single purpose of accessing one internal web server.  His account is a local pfsense account, so he cannot login to Windows domain resources, but all machines are physically accessible to him on the network.  I would feel a lot better if his traffic was explicitly limited to the one web server IP address that he is supposed to access.  Is this possible?

    We're a small company so we don't have a network admin and I get to play the role when necessary.  Please forgive me if I'm asking a question with an obvious answer.

    We're using pfsense 2.2.6-release.



  • If you first set up a CSC in OpenVPN to force the contractor's VPN-assigned IP to, say, 10.50.50.50 (assuming your tunnel subnet was 10.50.50.0/24).

    You can then set a Firewall rule on the OpenVPN Tab that says "Allow any 10.50.50.50 to 192.168.50.100", if the Server to be accessed was at 192.168.50.100.
    You would follow that by a rule "Block all 10.50.50.50 to ! 192.168.50.100"

    Feel free to post some screenshots of your OpenVPN configs if you need an example closer to your actual setup.



  • This sounds like it will work, thanks!  I understand the firewall part, but I'm having trouble with the CSC/CSO to assign the static IP.  I don't get any errors, but my client is getting a regular DHCP IP address and not the static one I'm trying to assign, so I must not have something right.

    First I created a new local pfsense user with common name "testuser" and a new matching certificate.  Then I set up the CSO as shown in the attached screen shots ("Common name": testuser, "Advanced": ipconfig-push 10.40.5.254 10.40.5.1;).  I want to assign the user 10.40.5.254, and the firewall server IP is 10.40.5.1.  Am I missing something obvious?


  • I'm not that familiar with the client specific override section, but I believe when assigning IPs… unless you're using topology subnet, you need to assign /30s for each client, so your current config wouldn't work, but that may not be your only issue.

    As an alternative, you could also create a separate "Vendor" config with a tunnel network and only allow it access to a particular "vendor" subnet.  Unfortunately, if you end up having multiple vendors and want to get more granular with the access, you'll still have to figure out the syntax for client specific overrides.

    Just a thought, but my guess is you also need to fill out the top portion of the CSO section.


  • Netgate

    For starters, it's ifconfig-push, not ipconfig-push.

    EXAMPLE: Suppose you want to give Thelonious a fixed VPN IP address of 10.9.0.1.

    First uncomment out these lines:

    ;client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252

    Then add this line to ccd/Thelonious:

    #  ifconfig-push 10.9.0.1 10.9.0.2



  • Thank you everyone for help, we're making progress!

    @Derelict - My typo was the problem preventing ifconfig-push from working!  I've been on Windows too much (ipconfig) vs Linux (ifconfig).  I'm now pushing a static IP to the client, YAY!  I'm not sure where I look for the lines you asked me to un-comment, but it seems to be working without that change.

    The next challenge is I'm trying to get this specific client onto a new subnet to prevent an IP address collision should DHCP give some other client this IP that I am assigning statically.  The web server the client needs to reach is on the 10.40.3.0/24 subnet.  My VPN server "IPv4 Tunnel Network" is 10.40.5.0/24 and if I assign this client a static IP within that subnet then everything works.

    But if I assign this client a static IP from 10.40.6.0/24 subnet, I get no traffic between client and server.  I've tried various Client Specific Override settings for "Tunnel Network" and "IPv4 Local Network/s", but can't seem to get the right settings.  I've attached screen shots of the settings I'm referring to.  Does anyone recognize what I'm missing?



  • First thank you everyone for the help!  I now have the basic functionality that I need.  My contractor now gets a static IP and can only access the one web server (and I added DNS), thank you!!

    Icing on the cake would be if I can figure out how to get him onto his own subnet, or in some other way prevent his static IP from being assigned to a different VPN client by DHCP.  I need to solve the routing issues in my previous post to get him on his own subnet.  Any suggestions are more than welcome.



  • Icing on the cake would be if I can figure out how to get him onto his own subnet, or in some other way prevent his static IP from being assigned to a different VPN client by DHCP

    It is possible to do this in OpenVPN (google "OpenVPN ifconfig-pool-persist") but I don't think the standard pfSense OpenVPN interface will let you complete that setup without some manual file creation on the pfSense box.

    Another way to skin the cat would be to create a second OpenVPN server on your pfSense box.
    Use the same CA you used for the first server and create another server certificate for the 2nd server.
    Choose another outside port and a completely different tunnel subnet.
    Alternatively you could split your original tunnel subnet, e.g. use 10.40.5.0/25 (up to .127) for Server1 and 10.40.5.128/25 (.128-.254) for Server2.

    You end up with two different servers, but it lets you manage all the changes in the pfSense GUI.

    You didn't show in your screenshots what type of OpenVPN server you originally created, SSL/Shared Key/Remote Access?


  • Netgate

    Unless you have tons of simultaneous connections just assign your static ifconfigs from the high end of the tunnel network.

    There might be a more elegant way to do this.  In fact with an ifconfig I'm not sure it absolutely has to be assigned out of the tunnel network. A cursory glance at the OpenVPN example made it look like this was the case.



  • Thanks guys for the ideas.  I've only got a handful of clients that would be connected at any one time, and I did assign the static IP from very high in the range, so maybe for my particular case this will be good enough.  I'll let it go as-is for a while and see what happens.

    @Derelict - I did try assigning an IP from a different subnet than the tunnel subnet via ifconfig, and the IP was assigned just fine, and the routing tables on the client looked good, but I couldn't get any traffic to flow between client and server for some reason.  Is this what you meant by out of the tunnel network?

    @divsys - The second server idea sounds like a great idea and could be the way to go if I end up having to put the contractor on his own subnet.  The added benefit is the next guy after me will have an easier time understanding what's going on if he can work from the GUI.  We are set up as a Remote Access VPN; every user has their own certificate as well as a login/password.  So I could just revoke the contractor's certificate and make him a new one on the new server to force him to use the new server.

    Thanks again to everyone for the excellent help, I really appreciate it!


  • Netgate

    Yes. You might also need a route to get the traffic into OpenVPN then an iroute in the CSO to route from OpenVPN to the correct tunnel.



  • @Derelict:

    Yes. You might also need a route to get the traffic into OpenVPN then an iroute in the CSO to route from OpenVPN to the correct tunnel.

    Thanks, I will definitely keep this in mind and maybe give this a shot before trying 2 VPN servers when the time comes.  After reading on iroute, that might be the missing link.
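Added example, not code from this thread, pfSense or OpenVPN: a small Python linter for the "Advanced" text of a client-specific override that checks the pitfalls raised across the thread (the ipconfig-push vs ifconfig-push typo, /30 pairs under net30 topology, a static address outside the tunnel network needing a route plus an iroute, and taking the static address from the high end of the pool so it is unlikely to collide with dynamic assignments), and that emits the pass/block rule pair from the second post. The topology argument and the override texts fed to it are assumptions.

```python
import ipaddress
import re

# Matches the push line as pasted in the thread, typo included, optional trailing ';'
PUSH_RE = re.compile(r"\b(i[fp]config-push)\s+(\S+)\s+(\S+?);?\s*$", re.M)

def check_cso(cso_text, tunnel_net, topology):
    """Lint a pfSense client-specific override 'Advanced' text.

    topology is "net30" or "subnet" (assumed to match the server setting);
    returns a list of finding strings, empty when nothing was spotted.
    """
    net = ipaddress.ip_network(tunnel_net)
    m = PUSH_RE.search(cso_text)
    if m is None:
        return ["no ifconfig-push line found in the override"]
    directive, local, second = m.groups()
    findings = []
    if directive != "ifconfig-push":
        findings.append("directive must be ifconfig-push, not ipconfig-push")
    client = ipaddress.ip_address(local)
    if topology == "net30":
        # net30 hands every client its own /30: both ends must sit in the same /30
        peer = ipaddress.ip_address(second)
        same_30 = (ipaddress.ip_network(f"{client}/30", strict=False)
                   == ipaddress.ip_network(f"{peer}/30", strict=False))
        if client == peer or not same_30:
            findings.append("net30 topology needs a /30 pair such as 10.9.0.1 10.9.0.2")
    if client not in net:
        findings.append("address is outside the tunnel network: the server needs a "
                        "route for it into OpenVPN and the override needs an iroute")
        if not re.search(r"^\s*iroute\b", cso_text, re.M):
            findings.append("no iroute directive found in the override")
    elif int(client) < int(net.network_address) + net.num_addresses // 2:
        findings.append("static address is in the low half of the pool; pick one from "
                        "the high end so dynamic assignments are unlikely to collide")
    return findings

def firewall_rules(client_ip, server_ip):
    """The two OpenVPN-tab rules from the thread: pass to the server, block the rest."""
    return [("pass", client_ip, server_ip), ("block", client_ip, "!" + server_ip)]

if __name__ == "__main__":
    # Constructed override text mirroring the thread's first attempt
    for f in check_cso("ipconfig-push 10.40.5.254 10.40.5.1;", "10.40.5.0/24", "subnet"):
        print("finding:", f)
    for rule in firewall_rules("10.40.5.254", "10.40.3.10"):  # web server IP is a placeholder
        print(*rule)
```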