Recommendation VPN

Started by JesperAP, September 19, 2023, 02:58:27 PM

Hello,

I have a question on how to set up a VPN server.

I have a AD server with security groups. I want to have a VPN server on our cloud to reach our production servers. I was planning on using OPNsense.

How can I design OPNsense so that our developers can only reach the development servers subnets (eg. 10.1.50.0/24, 10.1.55.0/24), our release managers all of the customer subnets and that our operations group can reach all of the subnets including our AD servers etc.

The way I have it working now is a different OpenVPN server and access server per security group but I don't want to make new OpenVPN and access servers if I need to create a new AD group...

Is it even possible to do with OPNsense in a better more scalable way?

So basically you are looking for a way to apply firewall filters based on AD group membership? Something like how FSAE/FSSO in Fortinet works?

Quote from: bazbaz on September 19, 2023, 03:59:19 PM
So basically you are looking for a way to apply firewall filters based on AD group membership? Something like how FSAE/FSSO in Fortinet works?


Yes, this is exactly what I mean. We currently have Fortinet, but it is way too expensive.

I think that there isn't a service that can perform what FSAE does.
The only way I can imagine is user authentication on the pfSense; then you know the user and can apply rules.

Quote from: JesperAP on September 19, 2023, 02:58:27 PM
The way I have it working now is a different OpenVPN server and access server per security group but I don't want to make new OpenVPN and access servers if I need to create a new AD group...

Is it even possible to do with OPNsense in a better more scalable way?

None I am aware of. However, did you have a look at https://openvpn.net/access-server/ (https://openvpn.net/product-comparison/ for feature details)? It seems that you can map AD groups to access groups (https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/ or https://openvpn.net/vpn-server-resources/integrating-active-directory-with-access-server-using-radius-and-post_auth/).
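One way to get "know the user, then apply rules" on a single OpenVPN server, as an added example that is not code from OPNsense or from any poster in this thread: give every AD group its own tunnel address pool, write one per-client override per user that pins the user into the pool of their group (OpenVPN's client-config-dir mechanism, which OPNsense exposes as Client Specific Overrides and matches on the OpenVPN common name, i.e. the certificate CN or the username when `username-as-common-name` is set), and then write the firewall rules on the OpenVPN interface per pool rather than per server. A new AD group then means one more policy row, one more pool and one more rule set, not a new server. The group names, the 10.8.0.0/16 tunnel network with one /24 pool per group, the customer and AD subnet addresses and the user list are all assumptions; the membership table stands in for an LDAP `memberOf` lookup against the AD server.

```python
"""Per-AD-group OpenVPN overrides and firewall rules from group membership.

Added example for this thread, not code from OPNsense or any poster.
Assumptions (hypothetical): the server uses 'topology subnet' on tunnel
network 10.8.0.0/16 with its dynamic pool disabled or kept clear of the
group pools below; group names, customer/AD subnets and users are made up.
"""
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/16")  # assumed server tunnel network

# Policy rows: (AD group, address pool inside TUNNEL_NET, reachable subnets).
# Order is precedence when a user belongs to several groups.
GROUP_POLICY = [
    ("VPN-Operations", "10.8.3.0/24", ["10.1.0.0/16"]),  # everything, incl. AD (assumed)
    ("VPN-ReleaseManagers", "10.8.2.0/24", ["10.1.100.0/24", "10.1.101.0/24"]),  # customer subnets (assumed)
    ("VPN-Developers", "10.8.1.0/24", ["10.1.50.0/24", "10.1.55.0/24"]),  # subnets from the question
]

# Constructed sample of what an LDAP memberOf query would return per user.
SAMPLE_MEMBERSHIP = {
    "alice": ["VPN-Developers"],
    "bob": ["VPN-Developers", "VPN-ReleaseManagers"],
    "carol": ["VPN-Operations"],
    "dave": ["Domain Users"],  # no VPN group: must not receive an override
}


def effective_group(groups):
    """Highest-precedence VPN group the user is a member of, or None."""
    for name, _pool, _nets in GROUP_POLICY:
        if name in groups:
            return name
    return None


def build_overrides(membership):
    """Return {username: override_text}; one override per user in a VPN group.

    Users outside every VPN group get no override, so the server can refuse
    them (e.g. with 'ccd-exclusive') instead of dropping them into a default pool.
    """
    policy = {}
    for name, pool, nets in GROUP_POLICY:
        pool_net = ipaddress.ip_network(pool)
        if not pool_net.subnet_of(TUNNEL_NET):
            raise ValueError(f"pool {pool_net} is outside tunnel network {TUNNEL_NET}")
        policy[name] = (pool_net, [ipaddress.ip_network(n) for n in nets])
    next_addr = {name: iter(policy[name][0].hosts()) for name in policy}

    overrides = {}
    for user in sorted(membership):
        group = effective_group(membership[user])
        if group is None:
            continue
        pool_net, nets = policy[group]
        addr = next(next_addr[group])  # deterministic address inside the group's pool
        lines = [f"# {user}: {group}",
                 f"ifconfig-push {addr} {TUNNEL_NET.netmask}"]
        # Pushed routes are a convenience for the client only; a user can edit
        # them away. The firewall rules below are what actually enforce access.
        for n in nets:
            lines.append(f'push "route {n.network_address} {n.netmask}"')
        overrides[user] = "\n".join(lines) + "\n"
    return overrides


def firewall_rules():
    """Rule set for the OpenVPN interface as (action, source, destination) tuples,
    in evaluation order: pass each pool to its subnets, then block the rest."""
    rules = [("pass", pool, n) for _name, pool, nets in GROUP_POLICY for n in nets]
    rules.append(("block", str(TUNNEL_NET), "any"))
    return rules


def allowed(src, dst, rules=None):
    """First-match evaluation of the rule set for one tunnel source and destination."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in rules or firewall_rules():
        if src_ip in ipaddress.ip_network(s) and (d == "any" or dst_ip in ipaddress.ip_network(d)):
            return action == "pass"
    return False


if __name__ == "__main__":
    for user, text in build_overrides(SAMPLE_MEMBERSHIP).items():
        print(f"--- override for common name '{user}'\n{text}")
    for rule in firewall_rules():
        print(rule)
```

The precedence list matters for users in more than one group: `bob` is in both the developer and release-manager groups and lands in the release-manager pool, so his firewall rules are that group's and nothing is unioned implicitly. The `effective_group`/`allowed` pair is also a cheap way to test a policy change before touching the firewall: feed it a user's groups and a destination and see which rule fires.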