Dynamic group assignment to facilitate dynamic firewall rules

ksebion
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 28, 2016 7:16 pm

Dynamic group assignment to facilitate dynamic firewall rules

Post by ksebion » Wed Feb 08, 2017 12:01 am

Hello,
I have group A and group B in openvpn-as. Group A has full access to the LANs.
The values of "access_to.0" and "access_to.1" for group B are respectively "+ROUTE:0.0.0.0/0:tcp/3389" and "-ALL".
Users are by default in group B.

I would like to be able to configure openvpn-as to consider a user (user 1) connecting from an authorized device as being in group A.
I would like to be able to configure openvpn-as to consider user 1 connecting from an unauthorized device as being in group B.

I tried configuring openvpn-as to promote user 1 connections from an authorized device to group A with a post-auth script.
However, "GROUP_SELECT=True" breaks autologin connections and "GROUP_SELECT=False" results in no promotion.

With a regular openvpn server, I had used "learn-address" to do dynamic firewall rules for each connection.

Is there a way to do the promotion of user 1 connections from an authorized device to group A while not doing said promotion when user is connecting from an unauthorized device?

ksebion
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 28, 2016 7:16 pm

Re: Dynamic group assignment to facilitate dynamic firewall rules

Post by ksebion » Thu Feb 09, 2017 10:00 pm

The post-auth script wasn't working for me due to a logic error in my code.

For anyone wondering, setting authret['proplist']['conn_group'] to a group when a client matches criteria is enough for a firewall rule from said group to take effect.
In other words, I did not need to use proplist_save or "GROUP_SELECT = True".

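As an added example, not the poster's script and not code from the OpenVPN Access Server project, here is a post-auth script in the shape the thread describes: it places a VPN connection in group "A" when the user connects from an allow-listed device and in the restricted group "B" otherwise, by setting authret['proplist']['conn_group'] as the second post reports. The hook signature post_auth_cr(authcred, attributes, authret, client_pass), the keys 'username', 'client_hw_addr' and 'vpn_auth', the group names and the allow-list are assumptions made for the example.

```python
# Added example, not the original poster's script and not OpenVPN's own code.
# OpenVPN Access Server post-auth script: assign the connection group based on
# whether the user is connecting from an allow-listed device, by setting
# authret['proplist']['conn_group'] (the mechanism the thread reports as
# sufficient). Assumptions: the hook is
# post_auth_cr(authcred, attributes, authret, client_pass); authcred carries
# 'username' and 'client_hw_addr'; attributes carries 'vpn_auth'; the group
# names and the allow-list below are made up for the example.

FULL_ACCESS_GROUP = "A"   # full access to the LANs
RESTRICTED_GROUP = "B"    # +ROUTE:0.0.0.0/0:tcp/3389, -ALL

# Constructed allow-list: username -> authorized device hardware addresses.
# In production this would come from a file or database on the server.
AUTHORIZED_DEVICES = {
    "user1": ["00-11-22-33-44-55", "aa:bb:cc:dd:ee:ff"],
}


def normalize_hw_addr(hw_addr):
    """Canonicalize a MAC address to lower-case colon form so the comparison
    does not depend on how the client formatted it. Returns None for anything
    that is not exactly 12 hex digits, so malformed input can never match."""
    if not hw_addr:
        return None
    digits = "".join(c for c in str(hw_addr).lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def select_group(username, hw_addr):
    """Decide the connection group. Fails closed: an unknown user, an unknown
    device or an unparseable address all land in the restricted group."""
    candidate = normalize_hw_addr(hw_addr)
    if candidate is None:
        return RESTRICTED_GROUP
    allowed = set(normalize_hw_addr(a) for a in AUTHORIZED_DEVICES.get(username, []))
    allowed.discard(None)
    if candidate in allowed:
        return FULL_ACCESS_GROUP
    return RESTRICTED_GROUP


def post_auth_cr(authcred, attributes, authret, client_pass):
    """Access Server post-auth hook (signature assumed). Only VPN
    authentications are touched; web UI logins carry no device to check."""
    if not attributes.get("vpn_auth"):
        return authret
    username = authcred.get("username")
    hw_addr = authcred.get("client_hw_addr")  # client-reported, so spoofable
    group = select_group(username, hw_addr)
    # Setting conn_group is what moves the connection into the group; per the
    # thread, neither proplist_save nor GROUP_SELECT is needed for this.
    proplist = authret.setdefault("proplist", {})
    # Assign explicitly in the restricted case too, so the outcome does not
    # depend on whatever default group the user happens to be configured with.
    proplist["conn_group"] = group
    return authret
```

Two practitioner caveats. First, a hardware address is whatever the client chooses to report, so this tiers access by convenience, not by attested device identity: anyone holding the user's credentials can present an allow-listed address. Second, because the script sets conn_group on every VPN authentication rather than only on a match, a user who does not match is pinned to the restrictive group even if the account's default group is later changed, which is the fail-closed behaviour you want for a rule set like "+ROUTE:0.0.0.0/0:tcp/3389" plus "-ALL".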