Re: [Openvpn-users] Securing Openvpn with IP based rules, need help!


  • Subject: Re: [Openvpn-users] Securing Openvpn with IP based rules, need help!
  • From: "Brett Serkez" <bserkez@xxxxxxxxx>
  • Date: Wed, 30 May 2007 08:02:04 -0400

> We have here a solution with OpenVPN in bridge mode. Now we have two
> groups of VPN users. The first group with the IP range 192.168.2.100-200
> is used by all employees and the second group has the IP range
> 192.168.2.200-254 which is used by our partner organization.
> <snip>
> But now the problem: when a member of the second group changes his IP
> manually after connecting (example: from 192.168.2.201 to 192.168.2.102)
> the user bypasses the firewall rule and he can act as a user from the
> first group.
>
> Now my question: is it possible to make the VPN connection unusable when
> the client changes his IP manually, or to forbid the client user from
> changing his IP? Or any other ideas how I can separate these two groups?

I would think you'd want to run the two groups on separate OpenVPN
instances with distinct subnets and certificates.

For instance, if you broke the subnets up into 192.168.2.0 and
192.168.3.0, the visual distinction as well as the routing and firewall
rules would be explicit and less prone to misconfiguration.  This
would allow you to set up explicit rules for each subnet, explicit
routes for each subnet that included or excluded specific servers and,
perhaps most importantly, inhibit the ability for individual systems to
change their IP between the subnets.
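What the two-instance layout above looks like in practice, as an added example that is not from this thread or from the OpenVPN project: each group gets its own server instance, CA, subnet and tun device, and the firewall matches on the instance's tun interface instead of on a source address the client can pick for itself. It assumes routed (tun) mode rather than the bridge the question uses, because there the server assigns each client's address and drops packets whose source address was not assigned to that client; all paths, ports, device names and networks are constructed.

```shell
#!/bin/sh
# Constructed example: one OpenVPN instance per group, each with its own CA.
# A partner certificate cannot authenticate to the employee instance, and a
# client that changes its own IP still sits on the same tun device, so the
# interface-based firewall rules below keep it inside its group's policy.

# server_conf GROUP PORT DEVICE SUBNET -> prints the server config for one instance
server_conf() {
  cat <<EOF
# /etc/openvpn/$1.conf (constructed)
port $2
proto udp
dev $3
server $4 255.255.255.0
ca /etc/openvpn/$1/ca.crt
cert /etc/openvpn/$1/server.crt
key /etc/openvpn/$1/server.key
dh /etc/openvpn/$1/dh.pem
ifconfig-pool-persist /var/log/openvpn/$1-ipp.txt
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/$1-status.log
EOF
}

# fw_rules GROUP DEVICE ALLOWED_DEST -> prints the FORWARD rules for one instance.
# Matching on -i DEVICE ties the rule to the instance (and so to the CA that
# authenticated the client); a source-IP match could be satisfied by any client
# that sets that IP on itself, which is exactly the bypass in the question.
fw_rules() {
  printf 'iptables -A FORWARD -i %s -d %s -j ACCEPT\n' "$2" "$3"
  printf 'iptables -A FORWARD -i %s -j DROP\n' "$2"
}

# Employees: 192.168.2.0/24 on tun0, reach the whole internal network.
server_conf employees 1194 tun0 192.168.2.0
fw_rules employees tun0 10.0.0.0/8
# Partners: 192.168.3.0/24 on tun1, reach one constructed server only.
server_conf partners 1195 tun1 192.168.3.0
fw_rules partners tun1 10.0.5.10/32
```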
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users