RemoteAccess: Static IP for SSL-VPN
PPTP and IPsec VPN both support assigning static virtual IP addresses. Customers want to have this feature for SSL-VPN as well. This way, internal users can access resources that are connected via SSL-VPN, like a printer attached to a laptop connected via Remote Access.
I would suggest that an SSL VPN user gets the same IP address from the OpenVPN server every time. The DNS entry is then valid for the name of the user. Also, we can set some rules for this user in the packet filter.
Disable the automatic firewall rule in the SSL-VPN options, and then manually configure the firewall for the user on a host/network basis.
Stavros Stavrinos commented
We want to enable remote users to access a system which works with specific IP addresses and
Bardel Patrick commented
This is very important to us!
The DNAT/SNAT workaround is very time-consuming with about 200 clients...
NAT is, as always, not a solution but an ugly workaround (depends highly on the protocols used).
It shouldn't be a huge effort to implement this "correctly", since OpenVPN provides the client-config-dir option.
Already "implemented" this on an ASG320 cluster on the console by editing client-config-dir in /var/sec/chroot-openvpn/etc/openvpn/openvpn.conf-default and creating a ccd file for each user which needs a static tunnel IP address or any other special OpenVPN options. Also implemented synchronization of these files within the cluster.
Works like a charm, but of course it's not update-proof.
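The per-user ccd file approach described in the comment above, as an added example (not code from the thread, from Astaro/Sophos, or from the commenter): a small POSIX shell helper that writes one client-config-dir file per user with an `ifconfig-push` line, mirrors OpenVPN's rule for deriving the file name from the certificate common name, and flags addresses pinned more than once. The directory path, pool addresses and the `CCD_DIR`/`TOPOLOGY` variables are assumptions for illustration; which CN the UTM's SSL VPN puts in a user's certificate is not claimed here and has to be checked on the box.

```shell
#!/bin/sh
# Added example, not from the thread or from the Astaro/Sophos product.
# Pins SSL-VPN (OpenVPN) clients to a fixed tunnel address via --client-config-dir.
#
# Server-side directives this script assumes (hypothetical paths/addresses):
#   topology subnet                           # one address per client
#   server 10.242.2.0 255.255.255.0           # tunnel network
#   ifconfig-pool 10.242.2.100 10.242.2.200   # dynamic pool, kept clear of static addresses
#   client-config-dir /etc/openvpn/ccd        # one file per client, named after the cert CN
#   ifconfig-pool-persist ipp.txt             # remembers pool leases only; a ccd pin does not need it

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"    # assumed location
CCD_MASK="${CCD_MASK:-255.255.255.0}"     # mask pushed with topology subnet
TOPOLOGY="${TOPOLOGY:-subnet}"            # subnet or net30

# OpenVPN derives the ccd file name from the certificate common name and
# replaces every character outside A-Za-z0-9 _ . @ - with '_'. Mirror that.
ccd_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_.@-' '_'
}

# Render the ifconfig-push line for one client address.
ccd_directive() {
    ip="$1"
    case "$TOPOLOGY" in
        subnet)
            printf 'ifconfig-push %s %s\n' "$ip" "$CCD_MASK" ;;
        net30)
            # net30 gives each client a /30: client end is 4n+2, server end is one below.
            # Only the last octet is checked here (assumes a /24 tunnel network).
            last="${ip##*.}"
            prefix="${ip%.*}"
            [ $((last % 4)) -eq 2 ] || { echo "net30 needs last octet = 4n+2: $ip" >&2; return 1; }
            printf 'ifconfig-push %s %s.%s\n' "$ip" "$prefix" $((last - 1)) ;;
        *)
            echo "unknown topology: $TOPOLOGY" >&2; return 1 ;;
    esac
}

# Create or replace the ccd file for a user; any further arguments are written
# as extra per-client options (e.g. 'push "route 192.168.50.0 255.255.255.0"').
# Written to a temp file first so a reloading server never sees a half file.
write_ccd() {
    cn="$1"; ip="$2"; shift 2
    f="$CCD_DIR/$(ccd_name "$cn")"
    mkdir -p "$CCD_DIR"
    { ccd_directive "$ip" && for opt in "$@"; do printf '%s\n' "$opt"; done; } > "$f.tmp" \
        || { rm -f "$f.tmp"; return 1; }
    mv "$f.tmp" "$f"
    chmod 0640 "$f"
    printf '%s\n' "$f"
}

# OpenVPN does not notice two ccd files pushing the same address; list any
# address pinned more than once so it can be fixed before the next reload.
ccd_duplicates() {
    grep -h '^ifconfig-push ' "$CCD_DIR"/* 2>/dev/null \
        | awk '{print $2}' | sort | uniq -d
}

# Usage: CCD_DIR=/etc/openvpn/ccd sh ccd.sh add <common-name> <ip> [extra-option ...]
if [ "$#" -ge 3 ] && [ "$1" = "add" ]; then
    shift
    write_ccd "$@"
    ccd_duplicates
fi
```

Two practical points the script encodes: keep the pinned addresses outside the range `ifconfig-pool` hands out, because OpenVPN does not reserve a ccd address against the dynamic pool, and treat the ccd directory as configuration that must be replicated to every cluster node, since a pinned address is taken from the file, not from ipp.txt. On the appliance itself the edited openvpn.conf-default and the ccd directory live under /var/sec/chroot-openvpn and can be overwritten by an update, as the commenter notes.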
Timm Schneider commented
NAT in my eyes is deprecated, looking forward to IPv6. I don't use NAT because I have an official /24 network. I work with VoIP systems, and there NAT is not helpful. What I meant was that the DNS entries are valid, that means the A and PTR records, let's say vpn1.tms-it.net or something else. At the moment you can see who was on the website and so on; otherwise it could be anybody. I think that to get straight to all network things, a fixed IP address is important.
folz Support commented
A static IP for SSL users is a good idea, but you can use the "User network" element to create packet filters for each VPN user, no matter if it's SSL, IPsec or anything else. If you want a static IP for SSL users, you can create NAT rules that translate the respective "User network" element to a static IP. That's only a workaround, but better than nothing.
Elmar Haag commented
You can already supply an SSL VPN user with a "pseudo-fixed" IP by using some SNAT and/or full NAT rules which map the dynamic IP of the SSL VPN user to a fixed static IP. It is working fine, but of course it's a bit of administrative work if you have MANY SSL VPN users.
Sigurd Urdahl commented
Giving SSL-VPN users a static IP like we can with L2TP would be _really-really-really_ nice. Unfortunately, at some customers there are access restrictions based on IP on "internal equipment"; being able to separate between my VPN users is sometimes crucial and forces the use of L2TP.
Benjamin Schwitzer commented
Here the problem is that the two nodes each write their own /var/sec/chroot-openvpn/var/run/ipp.txt. In a failover case the client gets a different IP address. It's a good idea to synchronize this file over the HA heartbeat (first step).