OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap. By default the software is configured to allow open access to your network. But what if you want to restrict users to only use certain services on your network? Furthermore, what if you want to use the same OpenVPN server to allow yourself or employees full access to the network while giving your customers restricted access? I’ve got a solution for you!
My example comes from the need to provide a group of customers with access to our MSSQL Database Server without exposing that server to the internet and potential attacks. We also have a need for myself and other network administrators to be able to use a VPN to gain full access to this network. My solution is the following OpenVPN configuration:
This assumes that the OpenVPN installation is complete, working with default settings, and using PAM authentication on an Ubuntu server.
CREATE USER ACCOUNTS ON THE SERVER
From a terminal session add the users you will be granting VPN access to. There is no need to assign groups or permissions, only the username and password are needed.
sudo useradd username
sudo passwd username
Easy enough, now let’s log on to the web interface for our OpenVPN Server
CONFIGURE OPENVPN SERVER
VPN Settings
Dynamic IP Address Network
Create a network to be assigned to administrative users.*
*Users or Groups marked as Admin will not be assigned a group IP address; instead they will use an address from the pool created under VPN SETTINGS > VPN IP Network.
Static IP Address Network (Optional) – Leave Blank
Group Default IP Address Network (Optional) – Leave Blank
Should VPN clients have access to private subnets (non-public networks on the server side)? = No
Should client Internet traffic be routed through the VPN? = No
Should clients be allowed to access network services on the VPN gateway IP address? = No
DNS Settings = Do not alter clients’ DNS server settings
Default Domain Suffix (optional) – Leave Blank
Advanced VPN Settings
Inter-Client Communication
Should clients be able to communicate with each other on the VPN IP Network? = No
Leave all other settings at defaults unless you need to change them
Create Groups in OpenVPN
Group Permissions Menu
Admin
Check Admin Box
All other settings default
*Users or Groups marked as Admin will not be assigned a group IP address; instead they will use an address from the pool created under VPN SETTINGS > VPN IP Network.
Employees
DO NOT check Admin box
Subnets assigned to this group
192.168.50.0/24 <- this can be anything you want, just make sure it does not match any of your own networks or subnets from other groups
Dynamic subnet ranges for this group
192.168.50.0-192.168.50.255 <- This must be a range within the Subnets assigned to this group.
Access Control
Use Access Control = Yes
Allow Access to Networks and Services <- Set this to your entire network you want employees to be able to access
format: 10.100.100.0/24
DBServer_Access
DO NOT check Admin box
Subnets assigned to this group
192.168.51.0/24 <- this can be anything you want, just make sure it does not match any of your own networks or subnets from other groups
Dynamic subnet ranges for this group
192.168.51.0-192.168.51.255 <- This must be a range within the subnets assigned to this group.
Access Control
Use Access Control = Yes
Allow Access to Networks and Services <- Set this to allow access to servers and services.
format: 10.100.100.20/32:tcp/1433 <- this will limit access to only this server and only MSSQL.
DENY
DO NOT check Admin box
Check Deny Access Box
Set Default Group Permissions to use for any User not in any Group to DENY
Adding Users
Add username to OpenVPN config and assign to group
User Permissions Menu
Add a new user and assign to a group you created according to the level of access you want to grant.
DO NOT check the Admin box for any user that will need access to any network resources. Admin is reserved for web administration; with this configuration an Admin user will not be able to access anything on your network.
After all of this, your database users should only have access to your database servers and your employees should be able to access any services on the network. My advice is TEST, TEST, TEST and then TEST again!
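One way to test the group layout above before handing out client profiles is to check it offline: confirm that the group subnets do not overlap each other or the server-side LAN, that each dynamic range lies inside its group subnet, and that the Access Control entries (in the `network/prefix` or `network/prefix:proto/port` form shown above) admit exactly the traffic you intend. The script below is an added example and not part of the original article or of OpenVPN Access Server; the group names, subnets and the 10.100.100.0/24 LAN come from the article, while the function names and the rule-matching logic are my own assumptions about how the UI's allow list behaves, so the real test is still connecting with a client in each group.

```python
"""Offline sanity check for the OpenVPN Access Server group layout described
in the article (added example; not OpenVPN's own code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Server-side network that Employees may reach (value from the article).
LAN = ipaddress.ip_network("10.100.100.0/24")


@dataclass
class Group:
    name: str
    subnet: Optional[str]                      # "Subnets assigned to this group"
    dynamic_range: Optional[Tuple[str, str]]   # "Dynamic subnet ranges for this group"
    allow: List[str] = field(default_factory=list)  # "Allow Access to Networks and Services"
    deny_all: bool = False                     # "Deny Access" box checked


# Groups exactly as configured in the article (the DENY group has no subnet).
GROUPS = [
    Group("Employees", "192.168.50.0/24", ("192.168.50.0", "192.168.50.255"),
          ["10.100.100.0/24"]),
    Group("DBServer_Access", "192.168.51.0/24", ("192.168.51.0", "192.168.51.255"),
          ["10.100.100.20/32:tcp/1433"]),
    Group("DENY", None, None, [], deny_all=True),
]


def parse_rule(rule: str):
    """Parse 'net/prefix' or 'net/prefix:proto/port' into (network, proto, port).
    A missing proto or port means 'any' (assumed semantics of the allow list)."""
    net_part, _, service = rule.partition(":")
    network = ipaddress.ip_network(net_part, strict=False)
    if not service:
        return network, None, None
    proto, _, port = service.partition("/")
    return network, proto.lower(), (int(port) if port else None)


def is_allowed(group: Group, dst_ip: str, proto: str, port: int) -> bool:
    """True if the group's allow list admits traffic to dst_ip:proto/port."""
    if group.deny_all:
        return False
    dst = ipaddress.ip_address(dst_ip)
    for rule in group.allow:
        network, r_proto, r_port = parse_rule(rule)
        if dst not in network:
            continue
        if r_proto is not None and r_proto != proto.lower():
            continue
        if r_port is not None and r_port != port:
            continue
        return True
    return False


def validate_layout(groups: List[Group], lan) -> List[str]:
    """Return human-readable problems: subnet overlaps with the LAN or with
    another group, and dynamic ranges that fall outside their subnet."""
    problems = []
    nets = [(g.name, ipaddress.ip_network(g.subnet)) for g in groups if g.subnet]
    for name, net in nets:
        if net.overlaps(lan):
            problems.append(f"{name}: {net} overlaps LAN {lan}")
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1}/{n2}: {a} overlaps {b}")
    for g in groups:
        if g.subnet and g.dynamic_range:
            net = ipaddress.ip_network(g.subnet)
            lo, hi = (ipaddress.ip_address(x) for x in g.dynamic_range)
            if lo not in net or hi not in net or lo > hi:
                problems.append(f"{g.name}: range {lo}-{hi} not within {net}")
    return problems


if __name__ == "__main__":
    print("layout problems:", validate_layout(GROUPS, LAN) or "none")
    # Constructed probes: the DB server on MSSQL, the DB server on RDP, another host.
    probes = [("10.100.100.20", "tcp", 1433), ("10.100.100.20", "tcp", 3389),
              ("10.100.100.21", "tcp", 1433)]
    for g in GROUPS:
        for ip, proto, port in probes:
            print(f"{g.name:16} {ip}:{proto}/{port:<5} -> {is_allowed(g, ip, proto, port)}")
```

Running it prints no layout problems for the article's values; the DBServer_Access group reaches only 10.100.100.20 on tcp/1433, Employees reach every probe, and DENY reaches nothing. Changing a group subnet to something inside 10.100.100.0/24 makes `validate_layout` report the overlap, which is the mistake the article warns against.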
Enjoy!
This article is a re-post of my original article found at xpertnotes.net, my personal blog.