Block VPN connection for the admin account

Business solution to host your own OpenVPN server with web management interface and bundled clients.
relion
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 12, 2019 3:24 pm

Block VPN connection for the admin account

Post by relion » Tue Aug 13, 2019 12:23 pm

Hello,

I have an OpenVPN Access Server configured on a corporate network.

I turned off port sharing on 443 for the admin web server so it's not accessible from the Internet. (I access it through port 943 from the LAN)

However, the admin account can still be used to access the Client Web Server to obtain a VPN connection.

Is there a way to disable VPN access for the admin account? In other words, I'd like the admin account to be an admin only account with no VPN access.

Thank you!
Brian

Kevmeister68
OpenVpn Newbie
Posts: 1
Joined: Thu Jun 03, 2021 1:39 am

Re: Block VPN connection for the admin account

Post by Kevmeister68 » Thu Jun 03, 2021 1:41 am

Anyone have an answer on this? I realise the server has automatic lockout, but ideally you should not be able to establish a VPN tunnel using admin credentials full-stop. Since it bypasses 2FA it's desirable to be able to shut that down completely.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Block VPN connection for the admin account

Post by chilinux » Sun Jun 06, 2021 7:36 pm

The easiest way to limit the VPN access of the admin account is to set the network Access Control.

Go to the User Management -> User Permissions -> admin user -> More Settings -> Access Control.

Then set "Allow Access To these Networks" to a meaningless location such as: 127.254.254.254/32

While the admin user will still be able to establish a VPN tunnel, it won't be permitted to go anyplace.

To more strictly prohibit the admin account, install a post_auth_script such as:

```python
from pyovpn.plugin import *

def post_auth_cr(authcred, attributes, authret, info, crstate):
    # Guard against a missing username and compare case-insensitively.
    username = (authcred.get('username') or '').lower()
    # Note the trailing comma: ('admin') is just the string 'admin', and
    # "x in 'admin'" would be a substring test, so 'ad' would also match.
    if username in ('admin',):
        authret['status'] = FAIL
        authret['reason'] = "Username rejected by policy"
    else:
        authret['status'] = SUCCEED
        authret['reason'] = "Username accepted by policy"
    return authret
```

You will also have to use sacli to use the post_auth_script as explained in this document:
https://openvpn.net/vpn-server-resource ... -examples/

It is also possible to enable Google Authenticator on the admin account so that there is no 2FA bypass.
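
A variant of the post_auth approach above, added here as an example and not code from the thread or from OpenVPN Inc.: it refuses a tunnel for the admin account but leaves web logins untouched, so the account stays usable for administration. The `vpn_auth` attribute and the offline stand-ins for SUCCEED/FAIL are assumptions; check them against your Access Server's post_auth documentation.

```python
# Added example: deny VPN tunnels (not web-UI logins) for named admin accounts.
# Assumptions: Access Server sets attributes['vpn_auth'] True for tunnel
# authentication and False for web logins; SUCCEED/FAIL come from pyovpn.plugin.
try:
    from pyovpn.plugin import SUCCEED, FAIL   # real constants inside Access Server
except ImportError:                           # stand-ins so this runs offline
    SUCCEED, FAIL = "SUCCEED", "FAIL"

# Accounts that may administer the server but must never get a tunnel.
NO_TUNNEL_USERS = frozenset({"admin"})


def normalize_user(name):
    """Lower-case and strip the username; None becomes '' so lookups never crash."""
    return (name or "").strip().lower()


def is_tunnel_request(attributes):
    """True when this authentication is for a VPN tunnel rather than the web UI."""
    return bool(attributes.get("vpn_auth"))   # assumed attribute name


def post_auth_cr(authcred, attributes, authret, info, crstate):
    # Runs after primary auth; only downgrade the result, never upgrade it,
    # so an earlier password or 2FA failure is preserved.
    user = normalize_user(authcred.get("username"))
    if is_tunnel_request(attributes) and user in NO_TUNNEL_USERS:
        authret["status"] = FAIL
        authret["reason"] = "VPN access denied for administrative account"
    return authret


def decide(username, vpn_auth):
    """Offline harness: run the policy with constructed inputs and return the status."""
    authret = {"status": SUCCEED, "reason": ""}
    return post_auth_cr({"username": username}, {"vpn_auth": vpn_auth},
                        authret, {}, None)["status"]
```

Exact-match comparison matters here: a tuple with a trailing comma (or a set, as above) avoids the substring behaviour of `x in 'admin'`.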
