Restrict OpenVPN access for certain user to only certain IP in the local network


I have a contractor that will need access to our Xen Orchestra web interface.
Currently XOA is only accessible via vpn and we have no intention to make it publicly accessible.

I created a simple pfSense user no admin right so they can use OpenVPN to access our network.
When I tested it, that user can see the entire network the same way I do because on my OpenVPN server config I have set all our subnet in the ‘IPv4 Local network(s)’ field to I can manage it all.

How can I force this user to only see the Xen Orchestra IP once connected to the VPN?

Thank you all in advance

If you have pfSense why don’t you just spin up another RAS and restrict it to what you want via the rules.

If you go via users then you have a good chance of messing it up.

We do this by setting up pfsense and the free radius plugin that will assign users an IP address then creating rules for that IP that restrict them to only the things you want them to have access to.

What is RAS? I never heard of the term

@LTS_Tom thank you very much.
Watching video now :slight_smile:

I assume @neogrid is suggesting a separate “Remote Access Server” which to me sounds like a more complex and less efficient way to do this.

Yes it stands for Remote Access Server, that’s how OpenVPN refer to it.

Actually using a Radius user sounds better, you can combine it with 2FA and assign the user it’s own IP address and to a vlan, I didn’t think of that.

@LTS_Tom I watched the video and its exactly what I wanted. Thank you
I currently have a vpn server using ‘Local Database’, is it simply a matter of selecting the ‘RadServer’ backend for it to work?

Managed to get it to work perfectly.
Thank you

1 Like