Topic: OpenVPN - CSO Admin/User-Tunnel-Subnetting (Read 2763 times)
Oxygen61
Sr. Member
Posts: 350
Karma: 32
The road to success has no shortcut - (Tanaka)
OpenVPN - CSO Admin/User-Tunnel-Subnetting
« on: October 24, 2018, 06:07:40 pm »
Hey guys,
I need a little help to understand how exactly OPNsense handles its Tunnel-subnets for an OpenVPN-Server, when also combined with Client-Specific-Override settings to create Admin and User Subnets for different use-cases.
I have a fully working Roadwarrior OpenVPN-Server with Multifactor-Auth for my admin users. They can log in without problems. As soon as I instead want a User to log in to the same OpenVPN-Server, they get a subnet which should work (in theory), but it just isn't able to find the gateway, it seems.
OpenVPN-Server Configuration:
- 3 Users: A-RoadWarrior [User] ; B-RoadWarrior [User] ; C-RoadWarrior [Admin]
- 1 OpenVPN-Server on top of OPNsense with the following IPv4 Tunnel Network: 172.31.250.248/29
(3 IPs are used for Net-address, Broadcast and OpenVPN-server-gateway --> 5 usable Admin IPs)
- Redirect Gateway: [X]
- Address Pool: [X]
- Topology: [X]
OpenVPN-CSO Configuration:
- A-RoadWarrior IPv4 Tunnel Network: 172.31.250.240/29
- B-RoadWarrior IPv4 Tunnel Network: 172.31.250.240/29
- C-RoadWarrior IPv4 Tunnel Network: 172.31.250.248/29
- Redirect Gateway [X] for all three users
--> User Clients and Admin Clients are able to connect to the VPN-Server on my OPNsense and get an IP/Subnet assigned as shown in my CSO-Configuration. The Admins can freely browse and administrate, and the user can't even access IP-addresses via web. (The firewall rules are correct though - Outbound-NAT is working as well.)
When a User Client gets assigned the 172.31.250.248/29 subnet instead, they can browse and work as expected.
My thoughts:
- I guess the problem here is that the server doesn't know about the 172.31.250.240/29 network,
since its only configured tunnel-network is the 172.31.250.248/29 for the admins.
- I could probably create a second OpenVPN-Server to split both user-groups,
BUT
I need the Server to only listen on TCP/443 to ensure that, no matter what, the user or admin clients are always able to get out of the remote network. Both VPN-Servers probably won't listen on the same TCP-Port, so that won't work I assume.
- The CSO passes the IP configured in the tunnel-network no matter what, which is odd. So in my case both User A and B will get the IP 172.31.250.240/29, which is the Net-address. They will also steal each other's IPs. The fun part is that I am able to give my Admin Client C the IP 172.31.250.248/29, which again is the Net-address, but this time it will work, even though the User should not know how to reach the gateway-address with such an IP.
Any idea how to utilize subnets correctly in this scenario? I am probably overlooking something obvious here.
Thanks for any help! Much appreciated!
« Last Edit: October 24, 2018, 06:12:40 pm by Oxygen61 »
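A sanity check for the CSO layout described in the post, added here as an example and not part of the original thread or of OPNsense itself. It takes the server tunnel network and the per-client CSO tunnel-network values from the post (constructed copies of those values) and flags the problems the poster describes: a client handed the network address of its /29, a client address that lies outside the server's tunnel network, and two clients ending up with the same address. The assumption that the server gateway takes the first host of the tunnel network (subnet topology) is labelled in the code.

```python
import ipaddress

# Constructed from the post: server tunnel network and each client's CSO tunnel network.
SERVER_TUNNEL = "172.31.250.248/29"
CSO_TUNNELS = {
    "A-RoadWarrior": "172.31.250.240/29",
    "B-RoadWarrior": "172.31.250.240/29",
    "C-RoadWarrior": "172.31.250.248/29",
}


def usable_client_addresses(server_tunnel):
    """Addresses a client can actually be given inside the server tunnel network.
    Assumption: with subnet topology the server gateway takes the first host,
    so network address, broadcast and first host are excluded (5 for a /29)."""
    net = ipaddress.ip_network(server_tunnel, strict=False)
    return list(net.hosts())[1:]


def check_cso(server_tunnel, cso_tunnels):
    """Return {client: [findings]}; an empty list means the entry looks sane."""
    server = ipaddress.ip_network(server_tunnel, strict=False)
    seen = {}
    findings = {}
    for client, cidr in cso_tunnels.items():
        # Per the post, the address written in the CSO tunnel-network field is
        # what the client receives, so treat the host part as the pushed address.
        iface = ipaddress.ip_interface(cidr)
        issues = []
        if iface.ip == iface.network.network_address:
            issues.append("assigned IP is the network address")
        if iface.ip == iface.network.broadcast_address:
            issues.append("assigned IP is the broadcast address")
        if iface.ip not in server:
            # No route to the server gateway from an address the server never configured.
            issues.append(f"IP not inside server tunnel network {server}")
        if iface.ip in seen:
            issues.append(f"same IP as {seen[iface.ip]}")
        else:
            seen[iface.ip] = client
        findings[client] = issues
    return findings


if __name__ == "__main__":
    print("usable client addresses:", [str(a) for a in usable_client_addresses(SERVER_TUNNEL)])
    for client, issues in check_cso(SERVER_TUNNEL, CSO_TUNNELS).items():
        print(client, "->", issues or "ok")
```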