Configure OpenVPN to restrict access to users, servers and services

Frank McCourry, V.P. Holland Computers, Inc.
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  The settings described below (the web-based Admin UI, groups, and per-group Access Control) belong to OpenVPN Access Server, the edition that ships with the web interface.  By default every authenticated user gets the same access, which in practice means open access to your network.  But what if you want to restrict users to only certain services on your network?  Furthermore, what if you want to use the same OpenVPN server to allow yourself or employees full access to the network while giving your customers restricted access?  I’ve got a solution for you!

My example comes from the need to provide a group of customers with access to our MSSQL Database Server without exposing that server to the internet and potential attacks.  We also have a need for myself and other network administrators to be able to use a VPN to gain full access to this network.  My solution is the following OpenVPN configuration:

This assumes that OpenVPN Access Server is installed and working with its default settings, using PAM (local system account) authentication, on an Ubuntu server.

CREATE USER ACCOUNTS ON THE SERVER
From a terminal session add the users you will be granting VPN access to.  There is no need to assign groups or permissions; only the username and password are needed, because PAM authentication checks nothing but the password.  For the same reason, give these accounts no home directory and no login shell, so a VPN password can never be used for an SSH or console login on the server itself.

$ sudo useradd -M -s /usr/sbin/nologin username   # no home directory, no interactive shell
$ sudo passwd username                             # this is the password the VPN client will use

Easy enough.  Now let’s log on to the web interface (the Admin UI) of our OpenVPN Access Server.

CONFIGURE OPENVPN SERVER

    VPN Settings
        Dynamic IP Address Network
            Create a network to be assigned to administrative users.*
            *Users or groups marked as Admin are not assigned a group IP address; they draw an address from the pool created under VPN Settings > VPN IP Network instead.
        Static IP Address Network (Optional) – Leave blank
        Group Default IP Address Network (Optional) – Leave blank
        Should VPN clients have access to private subnets (non-public networks on the server side)? = No
            This is the setting that closes the network by default: with it set to No, a client reaches nothing on the server side except what its group’s Access Control list explicitly allows.
        Should client Internet traffic be routed through the VPN? = No
        Should clients be allowed to access network services on the VPN gateway IP address? = No
        DNS Settings = Do not alter clients’ DNS server settings
        Default Domain Suffix (optional) – Leave blank

    Advanced VPN Settings
        Inter-Client Communication
        Should clients be able to communicate with each other on the VPN IP Network? = No
        Leave all other settings at defaults unless you need to change them

    Create Groups in OpenVPN
    Group Permissions Menu

        Admin
            Check the Admin box
            All other settings default
            (See the note under VPN Settings: Admin users and groups get an address from the VPN IP Network pool, not a group address.)

        Employees
            DO NOT check the Admin box
            Subnets assigned to this group
                192.168.50.0/24 <- this can be anything you want, just make sure it does not overlap any of your own networks or the subnets of other groups
            Dynamic subnet ranges for this group
                192.168.50.0-192.168.50.255 <- This must be a range within the subnets assigned to this group.  A narrower range such as 192.168.50.2-192.168.50.254 avoids handing out the network and broadcast addresses.
            Access Control
                Use Access Control = Yes
                Allow Access to Networks and Services <- Set this to the entire network you want employees to be able to access
                    format: 10.100.100.0/24

        DBServer_Access
            DO NOT check the Admin box
            Subnets assigned to this group
                192.168.51.0/24 <- this can be anything you want, just make sure it does not overlap any of your own networks or the subnets of other groups
            Dynamic subnet ranges for this group
                192.168.51.0-192.168.51.255 <- This must be a range within the subnets assigned to this group (again, 192.168.51.2-192.168.51.254 keeps the network and broadcast addresses out of the pool).
            Access Control
                Use Access Control = Yes
                Allow Access to Networks and Services <- Set this to allow access only to the specific servers and services.
                    format: 10.100.100.20/32:tcp/1433 <- this limits access to only this server and only MSSQL on its default port.
                    Note: tcp/1433 covers the default SQL Server instance.  Named instances are located through SQL Browser (UDP 1434) and listen on dynamic ports, so either fix the instance to a static port and list that port here, or have clients connect with the explicit host,port syntax.

        DENY
            DO NOT check the Admin box
            Check the Deny Access box
            (A separate group, used only as the fallback for users that belong to no other group.)

    Set Default Group Permissions (the permissions applied to any user not in a group) to DENY

Adding Users

    Add username to OpenVPN config and assign to group
        User Permissions Menu
            Add a new user and assign to a group you created according to the level of access you want to grant.
            DO NOT check the Admin box for any user that needs to reach network resources.  With this configuration Admin only grants access to the web administration UI, and an Admin user will not be able to reach anything on your network.
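The same scheme can be scripted with the Access Server command-line tool, sacli, which is handy when you rebuild a server or want the configuration under version control. The script below is an added example written for this article; it is not the author’s code and not something shipped with Access Server. The property keys it sets (type, group_declare, prop_superuser, prop_deny, group_subnets.N, group_range.N, access_to.N, conn_group) and the config keys for the global VPN settings are the sacli names as I know them; confirm them on your version with sacli UserPropGet and sacli ConfigQuery before relying on the script. The user names alice and customer1 are placeholders. By default it only prints the commands it would run; pass --apply to execute them on the server.

```shell
#!/usr/bin/env bash
# Added example: build the article's group/user permission scheme with sacli
# instead of the Admin UI.  Property names are sacli keys as I know them
# (assumption: verify with 'sacli --user <name> UserPropGet' on your version).
# DRY_RUN=1 (default) only prints the commands; './script --apply' runs them.
set -eu

SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# prop <user-or-group> <key> <value>: set one user/group property.
# A group or user record is created on the first write to it.
prop() {
  run "$SACLI" --user "$1" --key "$2" --value "$3" UserPropPut
}

# Global VPN settings from the article: no blanket access to private subnets,
# no default route through the VPN, no DNS changes, no access to the gateway.
configure_globals() {
  run "$SACLI" --key vpn.server.routing.private_access --value no ConfigPut
  run "$SACLI" --key vpn.client.routing.reroute_gw --value false ConfigPut
  run "$SACLI" --key vpn.client.routing.reroute_dns --value false ConfigPut
  run "$SACLI" --key vpn.server.routing.gateway_access --value false ConfigPut
}

# declare_group <name> <subnet> <range> <allow-rule>...
# Non-admin group with its own VPN subnet and an explicit allow list;
# with private_access=no, anything not listed is unreachable for its members.
declare_group() {
  local name=$1 subnet=$2 range=$3 i=0 rule
  shift 3
  prop "$name" type group
  prop "$name" group_declare true
  prop "$name" prop_superuser false
  prop "$name" group_subnets.0 "$subnet"
  prop "$name" group_range.0 "$range"
  for rule in "$@"; do
    prop "$name" "access_to.$i" "+SUBNET:$rule"   # same syntax as the UI, prefixed
    i=$((i + 1))
  done
}

# deny_group <name>: catch-all group whose members cannot connect at all.
deny_group() {
  prop "$1" type group
  prop "$1" group_declare true
  prop "$1" prop_deny true
}

# add_user <username> <group>: the OS account (useradd/passwd) must already
# exist for PAM; this only binds the VPN user to a group and keeps it non-admin.
add_user() {
  prop "$1" type user_connect
  prop "$1" conn_group "$2"
  prop "$1" prop_superuser false
}

main() {
  configure_globals
  declare_group Employees 192.168.50.0/24 192.168.50.2-192.168.50.254 10.100.100.0/24
  declare_group DBServer_Access 192.168.51.0/24 192.168.51.2-192.168.51.254 \
    10.100.100.20/32:tcp/1433
  deny_group DENY
  add_user alice Employees            # placeholder user names
  add_user customer1 DBServer_Access
  run "$SACLI" start                  # restart services so the new config takes effect
}

if [ "${1:-}" = --apply ]; then DRY_RUN=0; fi
main
```

Run it once in dry-run mode and read the output before applying: every line should name the group or user you expect, and the DBServer_Access group should carry exactly one access_to rule, the /32 with tcp/1433.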

After all of this, your database users should only have access to your database server on port 1433, and your employees should be able to access any service on the network.  My advice is TEST, TEST, TEST and then TEST again: log in with an account from each group and confirm not only that the allowed services answer, but that everything else is unreachable.
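To make the testing concrete, here is a small probe script, an added example that is not part of the original article. It is meant to be run on a client that is connected to the VPN as a member of a group, and checks each target in an expectation list against what the group’s Access Control list should permit. The expectation list is constructed for the article’s layout: 10.100.100.20:1433 is the MSSQL server from the article, while 10.100.100.10 (another LAN host) and 10.100.100.1 (assumed to be the VPN gateway’s LAN address) are placeholders, not real infrastructure.

```shell
#!/usr/bin/env bash
# Added example: verify a group's access-control list from a connected client.
# Uses bash's /dev/tcp so no extra tools are needed; 'timeout' is coreutils.

# probe <host> <port>: return 0 if a TCP connection succeeds within 3 seconds.
probe() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_expectations: read lines "host port expect" (expect = open|blocked)
# from stdin, probe each target, print a verdict per line, and return 1 if
# any observed result disagrees with the expectation.
check_expectations() {
  local host port expect result status=0
  while read -r host port expect; do
    case "$host" in ''|'#'*) continue ;; esac      # skip blank and comment lines
    if probe "$host" "$port"; then result=open; else result=blocked; fi
    if [ "$result" = "$expect" ]; then
      printf 'OK    %s:%s is %s\n' "$host" "$port" "$result"
    else
      printf 'FAIL  %s:%s is %s, expected %s\n' "$host" "$port" "$result" "$expect"
      status=1
    fi
  done
  return "$status"
}

# Expected results for a member of DBServer_Access (constructed list):
# only MSSQL on the database server should answer; another port on the same
# host, a different LAN host, and the gateway itself must all be blocked.
dbserver_access_expectations() {
  cat <<'EOF'
# host          port  expected
10.100.100.20   1433  open
10.100.100.20   3389  blocked
10.100.100.10   445   blocked
10.100.100.1    22    blocked
EOF
}

# Run the check when invoked with --run (keeps the functions reusable).
if [ "${1:-}" = --run ]; then
  dbserver_access_expectations | check_expectations
fi
```

A "blocked" verdict cannot tell a firewall drop apart from a service that simply is not listening, so run the same list once more from an Employees account: there the extra targets should come back "open" if those services really exist, which proves the difference is the group policy and not a dead host.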

Enjoy!
This article is a re-post of my original article found at xpertnotes.net, my personal blog.