PFSense - VPN - OpenVPN - Timed access for OpenVPN
Limit the access of users who connect through OpenVPN.
Access Schedule for OpenVPN users
To allow our users access only during specific time intervals, a schedule must first be created:
Navigate to Firewall → Schedules.
Click the Add button.
In Schedule Information:
- Schedule Name: OpenVPN_Allowed. Give the schedule a name.
- Description: OpenVPN Allowed Access. Provide a useful description.
- Month: Select the month to which the schedule applies.
- Date: Select on the calendar the days to which the schedule applies.
- Time: Select the time range to which the schedule applies.
- Click Add Time.
NOTE: Repeat the procedure to add additional date/time ranges to this schedule.
All created ranges will be displayed under Configured Ranges.
Assign Individual IPs to OpenVPN users
To enforce the schedule in the Firewall Rules, each user to be limited must be assigned a specific static IP address within the VPN tunnel network.
- This is necessary because the firewall matches rules on IP addresses, not on user names.
To assign a static IP address to the user:
- Navigate to VPN → OpenVPN → Client Specific Overrides.
- Click the Add button.
In the configuration screen that appears, it is sufficient to configure only 2 items:
- Server List: Select the OpenVPN Server to associate this with.
- Common Name: The name of the VPN user.
- Advanced:
ifconfig-push 10.20.30.69 255.255.255.0
NOTE: See: Assign a fixed IP to a remote client.
The format of the Advanced entry is: ifconfig-push [IP_TUNNEL] [NETMASK], where:
- IP_TUNNEL: the tunnel IP address to be assigned to the user.
- NETMASK: the network mask to apply.
Repeat the procedure for each user to be managed.
Create Firewall Rules
Navigate to Firewall → Rules.
Select the OpenVPN interface.
Click the Add button to create a new rule placed at the top of the list.
- Action: Pass.
- Interface: OpenVPN.
- Address Family: IPv4.
- Protocol: Any.
- Source: Single host or alias 10.20.30.69. This is the IP address belonging to the VPN Tunnel network defined previously and assigned to the user concerned.
- Destination: Single host or alias 192.168.1.123. The IP address of the server to which we want to restrict the user’s connection.
- Advanced Options: In the Schedule field, select the schedule created previously.
NOTE: This allows a user who connects to the VPN with the tunnel IP address 10.20.30.69 to access only the server 192.168.1.123 during the time range defined in the schedule.
Repeat the procedure for each user who should be granted access to the server during a given time range.
To prevent the user from accessing other devices on the network, an additional rule that blocks everything else must be placed UNDER the access rules created above. Rules are evaluated top to bottom and the first match wins, so the scheduled pass rule takes effect during the allowed window and the block rule catches the rest. Do not assign the schedule to this block rule: a scheduled rule is only active inside its time range, so a scheduled block rule would disappear outside the window instead of blocking.
- Navigate to Firewall → Rules, select the OpenVPN interface and add the new rule below the pass rules.
- Action: Block.
- Interface: OpenVPN.
- Address Family: IPv4.
- Protocol: Any.
- Source: Single host or alias 10.20.30.69. This is the IP address belonging to the VPN Tunnel network defined previously and assigned to the user concerned.
- Destination: LAN net.
NOTE: In the Firewall Rules list, the Schedule column shows an icon whose colour changes between green and yellow.
- Green: the current time is inside the schedule's range, so access is allowed.
- Yellow: the current time is outside the schedule's range, so access is denied.
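The rule ordering above is easy to get wrong, so here is an added example (not from the pfSense documentation or the pfSense project) that simulates first-match evaluation of the OpenVPN-interface rule set built in this guide. It assumes a LAN subnet of 192.168.1.0/24, a tunnel network of 10.20.30.0/24, a weekday 08:00-18:00 schedule, and a pre-existing catch-all "allow all OpenVPN clients" rule at the bottom of the tab; all of these are constructed values. The `Schedule`, `Rule` and `evaluate` names are hypothetical helpers, not pfSense APIs. It compares the correct rule set with one where the schedule was mistakenly copied onto the block rule as well.

```python
"""Added example: first-match simulation of the scheduled OpenVPN rules (not pfSense code)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Schedule:
    """A Firewall > Schedules entry reduced to a set of weekdays plus one daily time range."""
    weekdays: Set[int]   # Monday = 0 ... Sunday = 6
    start: time          # inclusive
    end: time            # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class Rule:
    """One rule on the OpenVPN interface tab: Action, Source, Destination, optional Schedule."""
    action: str          # "pass" or "block"
    src: str             # host (/32) or network in CIDR form
    dst: str
    schedule: Optional[Schedule] = None

    def matches(self, src: str, dst: str, when: datetime) -> bool:
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        # A scheduled rule is only loaded while its schedule is active; outside
        # the window it is simply absent from the rule set.
        if self.schedule is not None and not self.schedule.active(when):
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, when: datetime) -> str:
    """First matching rule wins (pfSense rules are 'quick'). No match at all means
    the implicit default deny applies."""
    for rule in rules:
        if rule.matches(src, dst, when):
            return rule.action
    return "block"


# Constructed values: the page's addresses plus an assumed LAN subnet, tunnel
# network and bottom-of-list catch-all rule for the other VPN users.
RESTRICTED_USER = "10.20.30.69"
ALLOWED_SERVER = "192.168.1.123"
LAN_NET = "192.168.1.0/24"
TUNNEL_NET = "10.20.30.0/24"

OPENVPN_ALLOWED = Schedule(weekdays={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0))

# The rule set this guide describes: scheduled pass, unscheduled block, then the catch-all.
CORRECT_RULES = [
    Rule("pass", f"{RESTRICTED_USER}/32", f"{ALLOWED_SERVER}/32", schedule=OPENVPN_ALLOWED),
    Rule("block", f"{RESTRICTED_USER}/32", LAN_NET),   # no schedule: always present
    Rule("pass", TUNNEL_NET, "0.0.0.0/0"),             # assumed catch-all for other users
]

# Common mistake: the schedule was also applied to the block rule.
MISCONFIGURED_RULES = [
    Rule("pass", f"{RESTRICTED_USER}/32", f"{ALLOWED_SERVER}/32", schedule=OPENVPN_ALLOWED),
    Rule("block", f"{RESTRICTED_USER}/32", LAN_NET, schedule=OPENVPN_ALLOWED),
    Rule("pass", TUNNEL_NET, "0.0.0.0/0"),
]

IN_HOURS = datetime(2024, 6, 11, 10, 0)   # Tuesday 10:00 (constructed)
OFF_HOURS = datetime(2024, 6, 8, 10, 0)   # Saturday 10:00 (constructed)


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_RULES), ("misconfigured", MISCONFIGURED_RULES)):
        print(label)
        for when_label, when in (("in hours", IN_HOURS), ("off hours", OFF_HOURS)):
            for dst in (ALLOWED_SERVER, "192.168.1.50"):
                print(f"  {when_label:9} {RESTRICTED_USER} -> {dst}: "
                      f"{evaluate(rules, RESTRICTED_USER, dst, when)}")
```

With the correct set, 10.20.30.69 reaches 192.168.1.123 only inside the window and never reaches 192.168.1.50, while another client such as 10.20.30.70 is unaffected. With the misconfigured set, the block rule vanishes outside the window together with the pass rule, and the restricted user falls through to the catch-all and gains full access precisely when access was meant to be denied. Note also that pfSense by default clears existing connection states when a schedule expires, so a session opened during the window is cut off at its end rather than surviving it.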