  • OPNsense Forum »
  • Archive »
  • 16.7 Legacy Series »
  • Creating personalized firewall rules for VPN users
Author Topic: Creating personalized firewall rules for VPN users  (Read 5489 times)

woo (Newbie, Posts: 28, Karma: 3)
Creating personalized firewall rules for VPN users
« on: August 03, 2016, 03:38:06 pm »
and Hi again..
Since I couldn't find useful hints on the wiki, I'll have to ask here..
Is there any method to..
a) assign static IPs to each OpenVPN client, or
b) use the VPN username in a firewall rule?
I've got quite a lot of road warriors, and need to limit their access to internal systems based on either username or department/group membership, same as it's done on the LAN already. Does OPNsense have a solution for that?

Regards
~woo
Logged

woo (Newbie, Posts: 28, Karma: 3)
Re: Creating personalized firewall rules for VPN users
« Reply #1 on: August 04, 2016, 11:44:50 am »
Quote from: woo on August 03, 2016, 03:38:06 pm
a) assign static IPs to each OpenVPN client, or
so, I got this part working via the console, using OpenVPN's "ifconfig-push" directive in the client-config-dir /var/etc/openvpn-csc/1, but I'm not sure how persistent this is across server config changes, or whether this directory will be rewritten every now and then. Testing continues...
Logged

franco (Administrator, Hero Member, Posts: 13988, Karma: 1211)
Re: Creating personalized firewall rules for VPN users
« Reply #2 on: August 04, 2016, 01:03:15 pm »
Hi woo,

You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).


Cheers,
Franco
Logged

woo (Newbie, Posts: 28, Karma: 3)
Re: Creating personalized firewall rules for VPN users
« Reply #3 on: August 04, 2016, 01:54:12 pm »
Quote from: franco on August 04, 2016, 01:03:15 pm
You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).
How?
That field is global for the whole VPN server instance - I need a different setting (IP) for every single user..

I couldn't find anything like a "match user" directive for the OpenVPN config..

This might be something that could go onto the user profile page, though..
Logged

franco (Administrator, Hero Member, Posts: 13988, Karma: 1211)
Re: Creating personalized firewall rules for VPN users
« Reply #4 on: August 04, 2016, 03:50:44 pm »
There is a field for the VPN server instance. There is also one for each CSC (Client-specific configuration / override) that you create. :)
Logged

woo (Newbie, Posts: 28, Karma: 3)
Re: Creating personalized firewall rules for VPN users
« Reply #5 on: August 05, 2016, 12:39:34 pm »
Thanks a lot for that info! Somehow I didn't realize that the "client specific overrides" are the CSCs described in the OpenVPN documentation.. I had this mentally connected to the OpenVPN Client section just above it.

The X509 Common Name is just the OpenVPN username?
Logged

franco (Administrator, Hero Member, Posts: 13988, Karma: 1211)
Re: Creating personalized firewall rules for VPN users
« Reply #6 on: August 07, 2016, 11:24:12 am »
Theoretically, yes. Technically, no. It's the common name in the user's client certificate that is matched against


Cheers,
Franco
Logged

woo (Newbie, Posts: 28, Karma: 3)
Re: Creating personalized firewall rules for VPN users
« Reply #7 on: August 08, 2016, 10:39:34 am »
... the client certificate that is included in the OpenVPN profile, exported by OPNsense...?
so, what do I put in there?
Logged

franco (Administrator, Hero Member, Posts: 13988, Karma: 1211)
Re: Creating personalized firewall rules for VPN users
« Reply #8 on: August 09, 2016, 10:01:36 am »
Typically the name of the user, a real name, a serial number, etc. It really depends on what you put in. I've attached a screenshot where you can find the Common Names.
Logged
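A helper for the setup this thread arrives at (a fixed tunnel address per client, pushed with "ifconfig-push" from a client-specific configuration that is matched on the certificate Common Name), added here as an example; it is not code from OPNsense or from either poster. It assumes the CSC file is named exactly like the certificate CN and lives in the server's client-config-dir (the thread mentions /var/etc/openvpn-csc/1); the subnet and names below are constructed.

```python
import ipaddress
import os


def csc_entries(tunnel_net, assignments, topology="subnet"):
    """Return {common_name: 'ifconfig-push ...'} after validating each pin.

    tunnel_net  - the OpenVPN tunnel network, e.g. "10.8.0.0/24"
    assignments - {certificate_common_name: fixed_client_ip}
    topology    - "subnet" (one netmask for all) or legacy "net30" (a /30 per client)
    """
    net = ipaddress.ip_network(tunnel_net)
    seen = {}
    entries = {}
    for cn, ip_str in assignments.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{cn}: {ip} is not a usable host address in {net}")
        if ip in seen:  # two clients on one address would break per-user rules
            raise ValueError(f"{cn}: {ip} is already pinned to {seen[ip]}")
        seen[ip] = cn
        offset = int(ip) - int(net.network_address)
        if topology == "subnet":
            if offset == 1:  # first host is the server's own tunnel address
                raise ValueError(f"{cn}: {ip} is the server address")
            entries[cn] = f"ifconfig-push {ip} {net.netmask}"
        elif topology == "net30":
            # each client owns a /30: server-side endpoint 4n+1, client 4n+2;
            # the very first /30 belongs to the server itself
            if offset < 4 or offset % 4 != 2:
                raise ValueError(f"{cn}: {ip} is not a valid net30 client address")
            entries[cn] = f"ifconfig-push {ip} {ip - 1}"
        else:
            raise ValueError(f"unknown topology {topology!r}")
    return entries


def write_csc_dir(directory, entries):
    """Write one file per Common Name into the client-config-dir (assumed
    naming: file name == certificate CN). A CN containing a path separator
    or '.'/'..' is rejected so a crafted CN cannot escape the directory."""
    os.makedirs(directory, exist_ok=True)
    for cn, line in entries.items():
        if os.sep in cn or cn in (".", ".."):
            raise ValueError(f"refusing to write CSC for unsafe CN {cn!r}")
        with open(os.path.join(directory, cn), "w") as fh:
            fh.write(line + "\n")
```

The addresses returned here are what the per-user firewall rules are then written against; keep them outside the server's dynamic pool so the pool cannot hand the same address to another client.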

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved