Guide

pfSense and OpenVPN: timed access for OpenVPN and limitations on the LAN

Objective of this guide:

In this guide we will see how to limit, and thus make more limited the access of users who connect from the outside in VPN via our pfSense to the LAN.

By means of a time schedule, it will be possible to limit the accesses of the clients that connect with OpenVPN and create restrictions on the accesses of the individual servers and devices.

Used Hardware:

This guide can be applied to all the hardware certified by us of the firewall line that you can find here: https://www.miniserver.it/firewall.html

Software environment:

pfSense® 2.4.x

Access Schedule for OpenVPN users:

To allow access of our users only in a time interval it is necessary to create a schedule that will be useful to us on several occasions.

    1. We proceed by going to Firewall / Schedules / and press the Add button.
    2. In “Schedule Name” it is necessary to give a name to our schedule.
    3. At this point we will select the month to apply it and the days by clicking on the single day of the calendar,
    4. select the time range and click on “Add Time”.
    5. Repeat the procedure to add another time / date range to be assigned to this schedule.
    6. All created ranges will be displayed under “Configured Ranges.
OpenVPN pfSense Accessi a Tempo

Here’s what our completed schedule will look like.

OpenVPN pfSense Accessi a Tempo

At this point, in order to implement the scheduling created in the Firewall Rules, it is necessary to assign a very specific static IP address of the VPN tunnel to the user / s we want to limit.

This is necessary because the firewall manages the rules via IP addresses.

To assign a static IP address to the user, we will proceed as follows:

  • go to VPN/OpenVPN/Client Specific Overrides and press the “Add” button

In the configuration screen that will appear, it will be sufficient to configure only 2 items:

  • “Common Name”: the name of the VPN user
OpenVPN pfSense Accessi a Tempo
  • “Advanced”: we will have to insert the following string ifconfig-push [IP_TUNNEL] [NETMASK]

Where IP_TUNNEL will be the IP address of the tunnel that we would like to be assigned to the user.

OpenVPN pfSense Accessi a Tempo

We repeat the procedure for each user we are interested in managing.

Access management and restriction for OpenVPN users
We can now implement our schedule created previously in the Firewall Rules to regulate user access and limit or allow access to individual servers.

It will be explained how to allow access to a server at a certain time, only to a specific user who connects via VPN
Let’s start by going under Firewall / Rules and positioning ourselves under the “OpenVPN” interface, press the “Add” button to create a new rule to be placed at the top.

Select “Any” as protocol and in “Source” enter the IP address belonging to the VPN Tunnel network defined previously and assigned to the user concerned.

In “destination” we can enter in “Single host or alias” the IP address of the server to which we want to restrict the user’s connection.

OpenVPN pfSense Accessi a Tempo

Finally, let’s position ourselves on “Advanced Options” and in the “Schedule” item select the Schedule created previously.

OpenVPN pfSense Accessi a Tempo

In this way we have allowed the user “john” who connects in VPN with the IP address of the Tunnel 10.20.30.20 to access only the server 192.168.2.55 during the time range established in the scheduling.

We can repeat the procedure for each user to whom we want to grant access to the server at a certain time range.

At this point, to prevent the user from accessing other devices on the network, we create a rule that blocks access to everything. This rule must be placed UNDER the previously created access rules and associated with it.

OpenVPN pfSense Accessi a Tempo

Here is how the created rules will appear, to note that the symbol in correspondence with the “schedules” is green if at that moment we meet the rules described in our schedule.

OpenVPN pfSense Accessi a Tempo

It will be yellow instead when we are out of the scheduling range and therefore you will not have access.

OpenVPN pfSense Accessi a Tempo
  ti posso interessare anche