Creating personalized firewall rules for VPN users

Started by woo, August 03, 2016, 03:38:06 PM

Hi again..
Since I couldn't find useful hints on the wiki, I'll have to ask here..
Is there any method to..
a) assign static IPs to each OpenVPN client, or
b) use the VPN username in a firewall rule?
I've got quite a lot of road warriors, and need to limit their access to internal systems based on either username or department/group membership, same as it's done on the LAN already. Does OPNsense have a solution for that?

Regards
~woo

Quote from: woo on August 03, 2016, 03:38:06 PM
a) assign static IPs to each OpenVPN client, or
so, I got this part working via the console, using OpenVPN's "ifconfig-push" directive in the client-config-dir /var/etc/openvpn-csc/1, but I'm not sure how persistent this is across server config changes, or whether this directory will be rewritten every now and then. Testing continues...
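The approach described above (one file per client Common Name in the client-config-dir, each carrying an ifconfig-push line so firewall rules can then key on a fixed tunnel address) as an added example; this is not OPNsense's or OpenVPN's own code, and the tunnel network, server address, user-to-IP mapping and output directory are constructed assumptions for illustration:

```python
"""Generate OpenVPN client-config-dir (CSC) files that pin each client's
tunnel address with ifconfig-push, validating the mapping first so two
users never share an address that a firewall rule is meant to identify."""
import ipaddress
import re
from pathlib import Path

# Constructed sample values (assumptions, not taken from the thread).
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # 'topology subnet' assumed
SERVER_IP = ipaddress.ip_address("10.8.0.1")       # address held by the server
STATIC_CLIENTS = {                                  # certificate CN -> static IP
    "alice": "10.8.0.10",
    "bob": "10.8.0.11",
}
# OpenVPN looks up the CSC file by the client's CN, so keep CNs file-name safe.
SAFE_CN = re.compile(r"^[A-Za-z0-9_.@-]+$")


def build_csc_entries(mapping, tunnel_net=TUNNEL_NET, server_ip=SERVER_IP):
    """Return {cn: 'ifconfig-push <ip> <netmask>'}; reject addresses outside
    the tunnel subnet, reserved addresses, duplicates and unsafe CNs."""
    seen, entries = {}, {}
    reserved = {server_ip, tunnel_net.network_address, tunnel_net.broadcast_address}
    for cn, ip_str in mapping.items():
        if not SAFE_CN.match(cn):
            raise ValueError(f"{cn!r}: CN is not a safe file name")
        ip = ipaddress.ip_address(ip_str)
        if ip not in tunnel_net:
            raise ValueError(f"{cn}: {ip} is outside {tunnel_net}")
        if ip in reserved:
            raise ValueError(f"{cn}: {ip} is reserved")
        if ip in seen:
            raise ValueError(f"{cn}: {ip} already assigned to {seen[ip]}")
        seen[ip] = cn
        entries[cn] = f"ifconfig-push {ip} {tunnel_net.netmask}"
    return entries


def write_csc_dir(entries, csc_dir):
    """Write one file per CN into csc_dir and return the file names written."""
    csc_dir = Path(csc_dir)
    csc_dir.mkdir(parents=True, exist_ok=True)
    for cn, line in entries.items():
        (csc_dir / cn).write_text(line + "\n")
    return sorted(p.name for p in csc_dir.iterdir())


if __name__ == "__main__":
    print(write_csc_dir(build_csc_entries(STATIC_CLIENTS), "/tmp/openvpn-csc-example"))
```

With 'topology net30' the second argument of ifconfig-push is the server-side endpoint of a /30 pair rather than a netmask, so the generated line would need adjusting for that mode.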

Hi woo,

You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).


Cheers,
Franco

Quote from: franco on August 04, 2016, 01:03:15 PM
You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).
How?
That field is global for the whole VPN server instance - I need a different setting (IP) for every single user..

I couldn't find anything like a "match user" directive for the OpenVPN config..

This might be something that could go onto the user profile page, though..

There is a field for the VPN server instance. There is also one for each CSC (Client-specific configuration / override) that you create. :)

Thanks a lot for that info! Somehow I didn't realize that the "client specific overrides" are the CSCs described in the OpenVPN documentation.. I had this mentally connected to the OpenVPN Client section just above it.

The X509 Common Name is just the OpenVPN username?

Theoretically, yes. Technically, no. It's the common name in the user's client certificate that is matched against


Cheers,
Franco

... the client certificate that is included in the OpenVPN profile, exported by OPNsense...?
so, what do I put in there?

Typically the name of the user, a real name, a serial number, etc. It really depends on what you put in. I've attached a screenshot where you can find the Common Names.