Configuring client-specific rules and access policies

Suppose we are setting up a company VPN, and we would like to establish separate access policies for 3 different classes of users:

  • System administrators -- full access to all machines on the network
  • Employees -- access only to Samba/email server
  • Contractors -- access to a special server only

The basic approach we will take is (a) segregate each user class into its own virtual IP address range, and (b) control access to machines by setting up firewall rules which key off the client's virtual IP address.

In our example, suppose that we have a variable number of employees, but only one system administrator, and two contractors. Our IP allocation approach will be to put all employees into an IP address pool, and then allocate fixed IP addresses for the system administrator and contractors.

Note that one of the prerequisites of this example is that you have a software firewall running on the OpenVPN server machine which gives you the ability to define specific firewall rules. For our example, we will assume the firewall is Linux iptables.

First, let's create a virtual IP address map according to user class:

Class                   Virtual IP Range   Allowed LAN Access                 Common Names
Employees               10.8.0.0/24        Samba/email server at 10.66.4.4    [variable]
System Administrators   10.8.1.0/24        Entire 10.66.4.0/24 subnet         sysadmin1
Contractors             10.8.2.0/24        Contractor server at 10.66.4.12    contractor1, contractor2

Next, let's translate this map into an OpenVPN server configuration. First of all, make sure you've followed the steps above for making the 10.66.4.0/24 subnet available to all clients (while we will configure routing to allow client access to the entire 10.66.4.0/24 subnet, we will then impose access restrictions using firewall rules to implement the above policy table).

First, define a static unit number for our tun interface, so that we will be able to refer to it later in our firewall rules:

dev tun0

In the server configuration file, define the Employee IP address pool:

server 10.8.0.0 255.255.255.0

Add routes for the System Administrator and Contractor IP ranges:

route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0

Because we will be assigning fixed IP addresses for specific System Administrators and Contractors, we will use a client configuration directory:

client-config-dir ccd

Now place special configuration files in the ccd subdirectory to define the fixed IP address for each non-Employee VPN client.

ccd/sysadmin1

ifconfig-push 10.8.1.1 10.8.1.2

ccd/contractor1

ifconfig-push 10.8.2.1 10.8.2.2

ccd/contractor2

ifconfig-push 10.8.2.5 10.8.2.6

Each pair of ifconfig-push addresses represents the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:

[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
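
One way to check ccd files against the class map and the endpoint-pair rule before deploying them. This is an added example, not part of OpenVPN or the original text; the function names and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

# Class map from the table above: class -> (virtual range, common names).
# Employees are served from the pool and have no ccd file, so they are omitted.
CLASS_MAP = {
    "sysadmin": (ipaddress.ip_network("10.8.1.0/24"), {"sysadmin1"}),
    "contractor": (ipaddress.ip_network("10.8.2.0/24"), {"contractor1", "contractor2"}),
}
PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)

# Constructed sample input: {common name (ccd file name): file text}.
SAMPLE = {
    "sysadmin1": "ifconfig-push 10.8.1.1 10.8.1.2\n",
    "contractor1": "ifconfig-push 10.8.2.1 10.8.2.2\n",
    "contractor2": "ifconfig-push 10.8.1.5 10.8.1.6\n",  # lands in sysadmin range
    "contractor3": "ifconfig-push 10.8.2.3 10.8.2.4\n",  # bad pair, unknown CN
}


def check_ccd_entry(common_name, text):
    """Return a list of problems for one ccd file (empty list means OK)."""
    match = PUSH_RE.search(text)
    if not match:
        return ["no ifconfig-push line"]
    try:
        client, server = (ipaddress.IPv4Address(a) for a in match.groups())
    except ValueError as exc:
        return [f"bad address: {exc}"]
    problems = []
    # Endpoint pair rule: last octets must be 4k+1 (client) and 4k+2 (server).
    if int(client) % 4 != 1 or int(server) != int(client) + 1:
        problems.append(f"{client} {server} is not a /30 endpoint pair")
    # The client address must sit in the range of the class owning this CN,
    # because the firewall rules select policy by source range alone.
    owner = [c for c, (_, names) in CLASS_MAP.items() if common_name in names]
    if not owner:
        problems.append(f"{common_name} is not in the class map")
    elif client not in CLASS_MAP[owner[0]][0]:
        problems.append(f"{client} is outside the {owner[0]} range")
    return problems


def audit_ccd(entries):
    """Return {common name: problems} for every entry that has problems."""
    return {cn: p for cn, text in entries.items() if (p := check_ccd_entry(cn, text))}


if __name__ == "__main__":
    for name, issues in audit_ccd(SAMPLE).items():
        print(name, issues)
```

A ccd entry that places a contractor's address in the sysadmin range would silently grant that client the sysadmin firewall rule, which is the case the range check catches.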

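This completes the OpenVPN configuration. The final step is to add firewall rules to finalize the access policy. Note that these rules only accept matching traffic, so they restrict access only if other traffic forwarded from tun0 is dropped, for example by a default FORWARD policy of DROP. For this example, we will use firewall rules in the Linux iptables syntax: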

# Employee rule
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.66.4.4 -j ACCEPT

# Sysadmin rule
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.66.4.0/24 -j ACCEPT

# Contractor rule
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.66.4.12 -j ACCEPT