Creating personalized firewall rules for VPN users

[woo]

and Hi again..
Since I couldn't find useful hints on the wiki, I'll have to ask here..
Is there any method to..
a) assign static IPs to each OpenVPN client, or
b) use the VPN username in a firewall rule?
I've got quite a lot of road warriors, and need to limit their access to internal systems based on either username or department/group membership, same as it's done on the LAN already. Does OPNsense have a solution for that?

Regards
~woo

[woo]

a) assign static IPs to each OpenVPN client, or

so, I got this part working via the console, using OpenVPN's "ifconfig-push" directive in the client-config-dir /var/etc/openvpn-csc/1, but I'm not sure how persistent this is across server config changes, or whether this directory will be rewritten every now and then. Testing continues...

[franco]

Hi woo,

You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).


Cheers,
Franco

[woo]

You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).

How?
That field is global for the whole VPN server instance - I need a different setting (IP) for every single user..

I couldn't find anything like a "match user" directive for the OpenVPN config..

This might be something that could go onto the user profile page, though..

[franco]

There is a field for the VPN server instance. There is also one for each CSC (Client-specific configuration / override) that you create.

[woo]

Thanks a lot for that info! Somehow I didn't realize that the "client specific overrides" are the CSCs described in the OpenVPN documentation.. I had this mentally connected to the OpenVPN Client section just above it.

The X509 Common Name is just the OpenVPN username?

[franco]

Theoretically, yes. Technically, no. It's the common name in the user's client certificate that is matched against


Cheers,
Franco

[woo]

... the client certificate that is included in the OpenVPN profile, exported by OPNsense...?
so, what do I put in there?

[franco]

Typically the name of the user, a real name, a serial number, etc. It really depends on what you did put in. I've attached a screenshot where you can find the Common Names.