Allow particular user to access only one port on particu

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
Nubia
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 27, 2022 6:56 am

Allow particular user to access only one port on particu

Post by Nubia » Thu Jan 27, 2022 6:57 am

I would like to allow client 1 access to the service on port eg 1234, and client 2 access to port eg 5678. Ip address is the same.

192.168.0.16:1234 <- access only for clinet 1
192.168.0.16:5678 <- access only for client 2

Is this possible?

chilinux
OpenVPN Power User
Posts: 154
Joined: Thu Mar 28, 2013 8:31 am

Re: Allow particular user to access only one port on particu

Post by chilinux » Thu Jan 27, 2022 12:51 pm

Short/Best answer should be:
What are you trying to achieve by doing this?

I know, this is more of a question than an answer so ...

The long overly complex answer is this:

OpenVPN AS is made up of three network services, a web interface to get the OpenVPN configuration file and then the OpenVPN services on both TCP and UDP.

Manipulating the product to require a specific user to go to a specific port to log into the web interface isn't something I can think of a way of doing. Regardless of which port is used to login to the web interface, OpenVPN AS is going to return a configuration script that references the ports it is actually running OpenVPN services rather than your expected per user/port associations. I can't think of a way to change that other than to distribute the configuration files after manual modification.

As to the VPN sessions themselves on TCP/UDP, it could be technically possible to do something like this. You could expose the additional ports to run the VPN services on using iptables. However, the OpenVPN AS product works best if you don't do any manipulation of iptables directly so this would likely be considered an unsupport scenario. Then you could write a post_auth script which is handed the username and "client_ip_addr" in the authcred dictionary. This python script could then run "ss" to determine if the client's IP address has a connection to the expected port for the user. But adding an execution of ss external process into a post_auth script is going to be messy and may introduce problems that make thing unreliable. Hence I don't recommend actually attempting to do this.

Bottom line at this point is the product is not intended to be used this way and you are going to be bending it almost to the point of breaking to try to achieve this. You seem to be trying to achieve additional "security" through obscurity. Ultimately, I don't think any additional security will be gained doing this.

All of this leads back to my original question: what are you trying to achieve?

It may be possible what you are trying to do can be done a different way or from a security stand point is already being achieved.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 661
Joined: Tue Feb 16, 2021 10:41 am

Re: Allow particular user to access only one port on particu

Post by openvpn_inc » Thu Jan 27, 2022 3:35 pm

Nubia wrote:
Thu Jan 27, 2022 6:57 am
I would like to allow client 1 access to the service on port eg 1234, and client 2 access to port eg 5678. Ip address is the same.

192.168.0.16:1234 <- access only for clinet 1
192.168.0.16:5678 <- access only for client 2

Is this possible?
Hi Nubia,

In addition to chilinux's questions, I'd also wonder why you're connecting via a "private" RFC 1918 address?

If these clients are connecting in from outside, going through a NAT router, you could set up firewall rules to manage these access restrictions, and forward the appropriate destination ports to the corresponding ports on the Access Server. Probably not trivial, and definitely not within the scope of OpenVPN support.

Similarly, this might be done with restricted iptables nat/REDIRECT rules on the Access Server. Again not trivial.

Another thing to add: 192.168.0.0/23 networks (including 0.0/24 and 1.0/24 networks) are the most common choices for off-the-shelf consumer router devices. Change to a less used network address if you plan to connect to it via VPNs.

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply