OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: woo on August 03, 2016, 03:38:06 pm

Title: Creating personalized firewall rules for VPN users
Post by: woo on August 03, 2016, 03:38:06 pm
and Hi again..
Since I couldn't find useful hints on the wiki, I'll have to ask here..
Is there any method to..
a) assign static IPs to each OpenVPN client, or
b) use the VPN username in a firewall rule?
I've got quite a lot of road warriors, and need to limit their access to internal systems based on either username or department/group membership, same as it's done on the LAN already. Does OPNsense have a solution for that?

Regards
~woo
Title: Re: Creating personalized firewall rules for VPN users
Post by: woo on August 04, 2016, 11:44:50 am
a) assign static IPs to each OpenVPN client, or
so, I got this part working via the console, using OpenVPN's "ifconfig-push" directive in the client-config-dir /var/etc/openvpn-csc/1, but I'm not sure how persistent this is across server config changes, or whether this directory will be rewritten every now and then. Testing continues...
Title: Re: Creating personalized firewall rules for VPN users
Post by: franco on August 04, 2016, 01:03:15 pm
Hi woo,

You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).


Cheers,
Franco
Title: Re: Creating personalized firewall rules for VPN users
Post by: woo on August 04, 2016, 01:54:12 pm
You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).
How?
That field is global for the whole VPN server instance - I need a different setting (IP) for every single user..

I couldn't find anything like a "match user" directive for the OpenVPN config..

This might be something that could go onto the user profile page, though..
Title: Re: Creating personalized firewall rules for VPN users
Post by: franco on August 04, 2016, 03:50:44 pm
There is a field for the VPN server instance. There is also one for each CSC (Client-specific configuration / override) that you create. :)
Title: Re: Creating personalized firewall rules for VPN users
Post by: woo on August 05, 2016, 12:39:34 pm
Thanks a lot for that info! Somehow I didn't realize that the "client specific overrides" are the CSCs described in the OpenVPN documentation.. I had this mentally connected to the OpenVPN Client section just above it.

The X509 Common Name is just the OpenVPN username?
Title: Re: Creating personalized firewall rules for VPN users
Post by: franco on August 07, 2016, 11:24:12 am
Theoretically, yes. Technically, no. It's the common name in the user's client certificate that is matched against


Cheers,
Franco
Title: Re: Creating personalized firewall rules for VPN users
Post by: woo on August 08, 2016, 10:39:34 am
... the client certificate that is included in the OpenVPN profile, exported by OPNsense...?
so, what do I put in there?
Title: Re: Creating personalized firewall rules for VPN users
Post by: franco on August 09, 2016, 10:01:36 am
Typically the name of the user, a real name, a serial number, etc. It really depends on what you did put in. I've attached a screenshot where you can find the Common Names.
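Putting the thread together: the CSC is looked up by the client certificate's Common Name, the ifconfig-push line in it pins that user to one tunnel address, and the firewall rules can then key on that address. The script below is an added example, not code from the thread or from OPNsense; it assumes "topology subnet", an OpenVPN interface named ovpns1, and the constructed names and addresses shown.

```python
import ipaddress

# Constructed sample data (not from the thread): tunnel network and CN -> static IP map.
# Assumes the server runs with "topology subnet"; in that mode ifconfig-push takes IP + netmask.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")
STATIC_CLIENTS = {"alice": "10.8.0.10", "bob": "10.8.0.11"}
# Constructed per-user allow-lists, the "department" part of the access policy.
ACCESS = {"alice": ["192.168.10.0/24"], "bob": ["192.168.20.5/32"]}


def check_clients(tunnel_net, clients):
    """Return a list of problems; an empty list means every static IP is usable."""
    problems, seen = [], {}
    # Network address, the server's own address (first host) and broadcast are off limits.
    reserved = {tunnel_net.network_address, tunnel_net[1], tunnel_net.broadcast_address}
    for cn, ip_str in clients.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in tunnel_net:
            problems.append(f"{cn}: {ip} is outside {tunnel_net}")
        elif ip in reserved:
            problems.append(f"{cn}: {ip} is reserved (network, server or broadcast)")
        if ip in seen:
            problems.append(f"{cn}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, cn)
    return problems


def build_csc(tunnel_net, clients):
    """Return {cn: file_text}; each entry is the content of one CSC, keyed by the cert CN."""
    problems = check_clients(tunnel_net, clients)
    if problems:
        raise ValueError("; ".join(problems))
    return {cn: f"ifconfig-push {ip} {tunnel_net.netmask}\n" for cn, ip in clients.items()}


def build_rules(clients, access, iface="ovpns1"):
    """pf-style rules: pass each user's allowed destinations, then block the rest from that IP.

    The explicit block matters if a broader "allow VPN to LAN" rule exists further down."""
    rules = []
    for cn, dests in access.items():
        src = clients[cn]
        for dst in dests:
            rules.append(f"pass in quick on {iface} inet from {src} to {dst}")
        rules.append(f"block in quick on {iface} inet from {src} to any")
    return rules


if __name__ == "__main__":
    for cn, text in build_csc(TUNNEL_NET, STATIC_CLIENTS).items():
        print(f"--- CSC for CN '{cn}' ---\n{text}", end="")
    print("\n".join(build_rules(STATIC_CLIENTS, ACCESS)))
```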