VPN: SSL VPN profiles
As in the IPsec RoadWarrior VPN, give the SSL VPN RoadWarrior configuration the possibility to define different groups (profiles), so that different settings can be assigned to different SSL VPN users. These settings could include: the IP range to distribute addresses from (or the Fixed Address option), DNS servers, policies, ...
This feature has been released as part of UTM 9.1. Enjoy!
18 comments
-
Mirko
commented
I need an option to allow login only from a specified source IP address, configured for each user separately.
-
Andreas
commented
I guess the votes from http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/178371-remoteaccess-static-ip-for-ssl-vpn should be added to this request, because it's a subset.
-
Massimo Dalla Giustina
commented
Hi graspi, interesting but not practicable, because this violates the license and the configuration will be deleted (as you said).
For Angelo Comazzetto: what you are suggesting is just what we can do now, but if I have several networks behind my firewall and several OpenVPN users, and usually a user needs access to only one network, unfortunately (at this state of the art) every OpenVPN user can understand and see (doing route print) all the networks configured on the OpenVPN service, and this is not a good thing....
-
graspi
commented
You can do this from the console in
/var/sec/chroot-openvpn/etc/openvpn/server
Just create a file named after the user (e.g. vi admin) and insert the user's push configuration, like this:

push-reset
push "dhcp-option DOMAIN tld.local"
push "dhcp-option DNS 192.168.256.1"

So now you have an individual SSL VPN configuration per user.
Beware: if you change something in the Web interface Remote Access SSL configuration, you must reapply the user configuration. It will be deleted.
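The trick graspi describes is OpenVPN's standard client-config-dir (ccd) mechanism: the server reads a file named after the client's certificate CN, and a leading push-reset discards the global pushes so that only that user's route and DNS options go out. The following POSIX sh script is an added example, not code from the thread or from the UTM; it builds such a per-user file from a network/netmask/DNS triple and refuses malformed IPv4 literals (an octet above 255, like the one in the comment above, would otherwise land in the server configuration silently). CCD_DIR is a placeholder; on a UTM the directory is the one named in the comment, and, as graspi warns, the appliance overwrites it when the Web interface regenerates the configuration.

```shell
#!/bin/sh
# Added example (not the thread's or the product's own code): generate a
# per-user OpenVPN client-config-dir file that pushes only the routes and
# DNS server this user needs. Assumes the server config contains
# "client-config-dir $CCD_DIR" and that file names equal the client CN.

CCD_DIR="${CCD_DIR:-./ccd}"   # placeholder; on a UTM this is the directory named above

# valid_ipv4 A.B.C.D -> exit 0 only if there are four dotted octets, each 0..255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ccd_profile USER NET MASK DNS -> prints the ccd file body for USER.
# push-reset drops every push from the global server config first, so the
# client only learns the single route and DNS server listed here.
ccd_profile() {
    net=$2; mask=$3; dns=$4
    valid_ipv4 "$net" && valid_ipv4 "$mask" && valid_ipv4 "$dns" || return 1
    printf 'push-reset\n'
    printf 'push "route %s %s"\n' "$net" "$mask"
    printf 'push "dhcp-option DNS %s"\n' "$dns"
}

# write_profile USER NET MASK DNS -> writes $CCD_DIR/USER, or fails without
# touching the directory when an address does not validate.
write_profile() {
    body=$(ccd_profile "$@") || { echo "refusing profile for $1: bad address" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    printf '%s\n' "$body" > "$CCD_DIR/$1"
}

# Example use (constructed values): one consultant, one internal subnet.
# write_profile consultant1 10.10.1.0 255.255.255.0 10.10.1.53
```

Pushing fewer routes only changes what the client sees in its routing table; it is not an access control. A user can still add a route by hand, so the per-user packet filter rules that the thread's other commenters describe remain the thing that actually restricts which networks each VPN user can reach.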
-
Ray Lock
commented
This is a very useful and ultimately sales winning function
-
Vivek Rajput
commented
Yes... it is very good..!! Please add this feature..!!
-
friesenjung
commented
Yes, and please make it possible to include autogenerated batch files. I mean the ..._up.bat and ..._down.bat to connect network drives etc....
-
Anonymous
commented
This must be based on backend membership groups (eDirectory).
-
Massimo Dalla Giustina
commented
Yes Gabriele, using FULL NAT could be a workaround, but it is not so elegant as a profile solution... I hope for some votes. Thanks for your interest.
-
Massimo Dalla Giustina
commented
Maybe I was not so clear, but the problem is not the possibility to create packet filter rules for each remote user (that is what I already did).
This feature request comes from my experience. My OpenVPN configuration has several remote users and several local networks, but not all local networks are needed by all users. Usually the relation between users and networks is N:1, but without profiles the relation is N:M. Obviously every remote user can only use the resources granted by packet filter rules, but the question here is another one: every remote user (usually external consultants) can see, understand and know my internal networks. IMHO introducing a profile configuration could solve the problem....
-
GabrieleM
commented
I do understand your concern.. Waiting for other comments and votes, let me suggest meanwhile that you use FULL NAT to hide from your remote users the real subnets that you have in your network. I'm aware that it is a workaround, but at least it is something doable right now ;-)
-
Massimo Dalla Giustina
commented
Gabriele, I already did what you are suggesting... it's the minimum I can do.
Instead, the problem is when a remote user connects to OpenVPN. The OpenVPN client creates a route for every network declared in the remote access settings.
The remote user can potentially know all my internal networks even if he needs only one... for me, this is a security issue.
-
GabrieleM
commented
You can achieve the same goal by configuring packet filter rules per user, since it's doable in this case because the middleware maps the user's IP address.
-
Jan Willem Heuver
commented
And to assign a DHCP server, like the option in PPTP.
-
Francois Delpierre
commented
The profile should be specified by the RADIUS server when using Radius.
-
Some of the comments here differ from the original request. It is already possible to specifically state what a user or group of users can access over the SSL VPN: simply disable the auto packet filter, then make your own rules in the packet filter section using the appropriate user or group object to define which IPs they can visit, on which ports.
-
Mustafa Nasser
commented
Same problem here. We are unable to use VPN because everybody gets the same rights. I need to be able to set different policies for different users or IPs and define what specific services one can access on the destination server.
-
ars
commented
This would be great! We cannot use SSL VPN because everybody gets the same rights, which is unwanted.