Messages - JesperAP

#1
Virtual private networks / Re: Recommendation VPN
September 19, 2023, 04:56:50 PM
Quote from: bazbaz on September 19, 2023, 03:59:19 PM
So basically you are looking for a way to apply firewall filters based on AD group membership? Something like how FSAE/FSSO in Fortinet works?

Yes, this is exactly what I mean. We currently have Fortinet but it is way too expensive.
#2
Virtual private networks / Recommendation VPN
September 19, 2023, 02:58:27 PM
Hello,

I have a question on how to set up a VPN server.

I have an AD server with security groups. I want to have a VPN server in our cloud to reach our production servers. I was planning on using OPNsense.

How can I design OPNsense so that our developers can only reach the development server subnets (e.g. 10.1.50.0/24, 10.1.55.0/24), our release managers all of the customer subnets, and our operations group all of the subnets, including our AD servers etc.?

The way I have it working now is a different OpenVPN server and access server per security group, but I don't want to make new OpenVPN and access servers every time I need to create a new AD group...

Is it even possible to do with OPNsense in a better more scalable way?
#3
Virtual private networks / Re: OpenVPN firewall rules
September 14, 2023, 12:28:56 PM
I found the answer myself.

In the OpenVPN server you can specify IP-ranges that the clients are allowed to visit. It is called "IPv4 Local Network".

If you fill in all the allowed addresses, then the clients are only allowed to reach those IPs.
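As an added example (not from the thread and not OPNsense's own code): the "IPv4 Local Network" list in the OpenVPN server settings is turned into one `push "route ..."` directive per network in the server configuration, which is what makes a connected client send only those destinations into the tunnel. The subnets are the ones mentioned in the thread; the group name is an assumption.

```python
"""Constructed example: render OPNsense's "IPv4 Local Network" list as the
OpenVPN `push "route"` lines it produces, and check which destinations a
connected client will route through the tunnel as a result."""
import ipaddress

# Allowed networks per group (constructed; subnets taken from the thread,
# the group name is an assumption).
GROUP_LOCAL_NETWORKS = {
    "developers": ["10.1.50.0/24", "10.1.55.0/24"],
}


def push_route_directives(local_networks):
    """Return the `push "route <network> <netmask>"` lines for the given
    CIDR list, in the dotted-netmask form OpenVPN expects.  strict=True
    rejects entries with host bits set (e.g. 10.1.50.7/24), which would
    otherwise silently become a different route than intended."""
    lines = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def routed_via_tunnel(local_networks, destination):
    """True if `destination` lies inside one of the pushed networks, i.e.
    the client's routing table will send it down the VPN; anything else
    keeps using the client's normal default gateway."""
    addr = ipaddress.ip_address(destination)
    return any(addr in ipaddress.ip_network(c) for c in local_networks)


if __name__ == "__main__":
    nets = GROUP_LOCAL_NETWORKS["developers"]
    for line in push_route_directives(nets):
        print(line)
    for dst in ("10.1.50.20", "10.1.55.7", "10.1.60.7"):
        print(dst, "-> tunnel" if routed_via_tunnel(nets, dst) else "-> not routed")
```

Routes pushed this way are client-side routing entries; firewall rules on the OpenVPN interface still decide what traffic actually passes once it arrives at OPNsense.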
#4
Virtual private networks / OpenVPN firewall rules
September 14, 2023, 12:12:59 PM
Hello,

I am trying to use OPNsense as a VPN server. My goal is to have multiple VPN servers, one for every user group (LDAP group).

For every group I want to have firewall rules so that they can access specific networks. So for example developers can only access the dev server subnets and release managers access dev, test, acceptance and production servers.

The OpenVPN servers work, and every group gets its own servers.

But when I try to make firewall rules so specific groups can access specific subnets I get stuck.

When I check the logs, I bypass the firewalls because the connected user has an IP of 172.16.100.6, but in the logs the ping comes from the source 172.16.23.10 (<- OPNsense IP).

How can I fix it so that the client IP is the source?

I only have one NIC (WAN) because I thought I don't need a LAN for my use case.

I hope I explained it right. I am Dutch, so if I need to explain it for you in Dutch, please send me a DM.