Hello, is creating the OpenVPN interface not required? I realized it was working without me taking that additional step. I went ahead and created the interface, enabled it, and everything seems to be fine even without any rules. Wouldn't this hit the default block rule?
The guest access...
I need to provide VPN access to some remote users and was wondering the best way to do that. I had originally thought maybe I should set up a separate OpenVPN instance for my guests, and then just add some custom rules for that specific interface. However, I see that there is also CSO.
I'm doing this temporarily prior to setting up NetBird. What is recommended for my situation? I will be authenticating this user against LDAPS, which has already been set up and is working for my admin group. This user, however, would authenticate against a different group than the admin group, which would not provide access to the firewall, but the group would have permission to connect to this specific CSO or OpenVPN instance. What's the best way to handle that?
The guest would be restricted to a single VM / git server / Active Directory authentication / local split-DNS. 😁
Quote from: grapes2331 on Today at 05:07:48 PM
is creating the OpenVPN interface not required? I realized it was working without me taking that additional step.
When you set up an OpenVPN server, OPNsense automatically creates an interface group called OpenVPN and adds a rule to it to permit any access.
If you want to limit access to certain VPN clients, you have to edit this rule or remove it and create your own.
No, you don't need a dedicated interface just for access servers. That's rather needed for routing purposes.
Quote from: grapes2331 on Today at 05:07:48 PM
I need to provide VPN access to some remote users and was wondering the best way to do that. I had originally thought maybe I should set up a separate OpenVPN instance for my guests, and then just add some custom rules for that specific interface. However, I see that there is also CSO.
Running different VPN servers for different security groups seems more secure to me than just assigning certain IPs via CSO.
This way each server has a different CA assigned. So clients with a certificate from CA A, used by server A, can never connect to server B, which has CA B assigned.
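The CA separation described in the reply above can be checked outside OPNsense with plain openssl. The script below is an added example, not code from the thread or from the OPNsense project: it builds two throwaway CAs (constructed names guestA and guestB), issues one client certificate from CA A, and shows that it verifies against CA A's trust anchor but is rejected by CA B's. That rejection is exactly what stops a "guest" client from presenting its certificate to the "admin" server when each OpenVPN instance is bound to its own CA. It assumes the openssl CLI is installed and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (constructed): demonstrate that a client certificate issued by one
# CA is not accepted by a trust store holding a different CA, which is the property
# the per-server-CA layout relies on.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA certificate and key. $1 = CA name (constructed).
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1-ca.key" -out "$1-ca.crt" -subj "/CN=$1 CA" >/dev/null 2>&1
}

# Issue a client certificate signed by the named CA. $1 = CA name, $2 = client CN.
mk_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1-ca.crt" -CAkey "$1-ca.key" \
        -CAcreateserial -days 1 -out "$2.crt" >/dev/null 2>&1
}

# Verify a certificate against one CA's trust anchor only.
# $1 = CA name, $2 = certificate file. Prints "ok" or "rejected".
verify_against() {
    if openssl verify -CAfile "$1-ca.crt" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

mk_ca guestA        # CA used by the guest OpenVPN server
mk_ca guestB        # CA used by a different OpenVPN server
mk_client guestA guest1   # guest1 holds a certificate from CA A only

RESULT_A=$(verify_against guestA guest1.crt)   # expected: ok
RESULT_B=$(verify_against guestB guest1.crt)   # expected: rejected
echo "guest1.crt against CA A: $RESULT_A"
echo "guest1.crt against CA B: $RESULT_B"
```

Run it as `sh ca-split-demo.sh`; the second line of output is the interesting one, because it is the same outcome an OpenVPN server configured with CA B produces during the TLS handshake when a CA-A client connects, before any firewall rule on the OpenVPN interface group is even consulted.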