Hello,
I have an OpenVPN Access Server configured on a corporate network.
I turned off port sharing on 443 for the admin web server so it's not accessible from the Internet. (I access it through port 943 from the LAN)
However, the admin account can still be used to access the Client Web Server to obtain a VPN connection.
Is there a way to disable VPN access for the admin account? In other words, I'd like the admin account to be an admin only account with no VPN access.
Thank you!
Brian
Block VPN connection for the admin account
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Aug 12, 2019 3:24 pm
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jun 03, 2021 1:39 am
Re: Block VPN connection for the admin account
Anyone have an answer on this? I realise the server has automatic lockout, but ideally you should not be able to establish a VPN tunnel using admin credentials, full stop. Since it bypasses 2FA, it's desirable to be able to shut that down completely.
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: Block VPN connection for the admin account
The easiest way to limit the VPN access of the admin account is to set the network Access Control.
Go to the User Management -> User Permissions -> admin user -> More Settings -> Access Control.
Then set "Allow Access To these Networks" to a meaningless location such as: 127.254.254.254/32
While the admin user will still be able to establish a VPN tunnel, it won't be permitted to go anyplace.
To more strictly prohibit the admin account, install a post_auth_script such as:

```python
from pyovpn.plugin import *  # provides the SUCCEED and FAIL status constants

def post_auth_cr(authcred, attributes, authret, info, crstate):
    # Reject the admin account outright. Note the trailing comma: ('admin')
    # is a plain string, so `in ('admin')` would do substring matching and
    # also reject usernames such as 'min'; ('admin',) is a one-element tuple.
    username = (authcred.get('username') or '').lower()
    if username in ('admin',):
        authret['status'] = FAIL
        authret['reason'] = "Username rejected by policy"
    else:
        authret['status'] = SUCCEED
        authret['reason'] = "Username accepted by policy"
    return authret
```

You will also have to use sacli to use the post_auth_script as explained in this document:
https://openvpn.net/vpn-server-resource ... -examples/
It is also possible to enable Google Authenticator on the admin account so that there is no 2FA bypass.
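As an added example (not code from the original posts, and not OpenVPN's own), here is a fuller version of the post_auth script idea from the reply above: a deny list of administrative accounts compared case-insensitively, a fail-closed branch for a missing username, and, beside it, the substring check as originally posted so the difference is visible. It assumes the `post_auth_cr` hook signature and the `SUCCEED`/`FAIL` names used in the thread; the stand-in constant values are only for running it outside Access Server. Nothing in this thread limits a post_auth script to VPN logins, so before deploying, check in a test environment that it does not also lock the admin account out of the admin web UI.

```python
# Added example, not code from the thread or from OpenVPN Inc.
# post_auth script for OpenVPN Access Server that refuses authentication for
# a deny list of administrative accounts. SUCCEED/FAIL come from pyovpn on a
# real server; the stand-in values below are an assumption used only offline.
try:
    from pyovpn.plugin import SUCCEED, FAIL
except ImportError:  # running outside Access Server (e.g. local testing)
    SUCCEED, FAIL = "SUCCEED", "FAIL"

# Accounts that must never be allowed to authenticate through this hook.
# Matched after normalisation, so 'Admin' and ' ADMIN ' are also caught.
DENIED_ACCOUNTS = frozenset({"admin"})


def _normalise(username):
    """Lower-case and strip the username, tolerating a missing value."""
    return (username or "").strip().lower()


def post_auth_cr(authcred, attributes, authret, info, crstate):
    """Entry point Access Server calls after primary authentication.

    authcred carries the submitted credentials (at least 'username');
    authret is the result dict returned to the server, with 'status' set
    to SUCCEED or FAIL and a human-readable 'reason'.
    """
    username = _normalise(authcred.get("username"))
    if not username:
        # Fail closed: a login with no username is not something policy
        # should wave through.
        authret["status"] = FAIL
        authret["reason"] = "Username missing; rejected by policy"
    elif username in DENIED_ACCOUNTS:
        authret["status"] = FAIL
        authret["reason"] = "Administrative account may not authenticate here"
    else:
        authret["status"] = SUCCEED
        authret["reason"] = "Username accepted by policy"
    return authret


def decide(username):
    """Run the hook on a constructed authcred (the other arguments are unused)."""
    return post_auth_cr({"username": username}, {}, {}, {}, None)


def buggy_is_admin(username):
    """The check as posted in the thread: ('admin') is a str, not a tuple,
    so `in` does substring matching and 'min' or 'a' would also be blocked."""
    return username.lower() in ("admin")


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real server log.
    for name in ("admin", " ADMIN ", "brian", "min", ""):
        r = decide(name)
        print(f"{name!r:10} -> {r['status']:8} {r['reason']}; "
              f"substring check says admin={buggy_is_admin(name)}")
```

The deny list is a frozenset so adding a second break-glass or service account is a one-line change, and the exact-match semantics mean a user called `min` or `a` is no longer caught by accident.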