Open VPN traffic Differentiation

Business solution to host your own OpenVPN server with web management interface and bundled clients.
skywalker_007
OpenVpn Newbie
Posts: 2
Joined: Thu Dec 21, 2023 9:58 pm

Open VPN traffic Differentiation

Post by skywalker_007 » Thu Dec 21, 2023 10:11 pm

Hello, I have a request from a customer.
They are a telco and have an APN.

What they want is to use OpenVPN to connect the clients to a specific application.
But they want traffic separation.

Open VPN Client A with IP address A ( IP received from APN) >>>> Connection to Open VPN Server >>>>> Received IP from Pool X from Open VPN

Open VPN Client B with IP address B ( IP received from APN) >>>> Connection to Open VPN Server >>>>> Received IP from Pool Y from Open VPN

Client A with IP from Pool X should not see client B

Client B with IP from Pool Y should not see client A

Can this be achieved through OpenVPN?

Also, can we put a source restriction in place so that only A and B can connect to the OpenVPN server and nobody else?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Open VPN traffic Differentiation

Post by openvpn_inc » Thu Dec 21, 2023 10:49 pm

Hello,

Yes, this is standard functionality in OpenVPN Access Server. You can create groups, and groups can have different IP subnets for VPN clients, and these by default are separate from each other.

The source restriction can be implemented using either a firewall (whitelist) or a custom post_auth script. As an example, the hardware address checking script can be used as a basis and could instead be rewritten to read the 'real' IP from A or B and compare that to a stored value in the user properties for A or B.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

skywalker_007
OpenVpn Newbie
Posts: 2
Joined: Thu Dec 21, 2023 9:58 pm

Re: Open VPN traffic Differentiation

Post by skywalker_007 » Thu Dec 21, 2023 11:54 pm

Hello, thanks.
When you say groups, do you mean user groups, where the username comes from LDAP or some other user directory?

Can you provide any hint where I can find the hardware address checking script?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Open VPN traffic Differentiation

Post by openvpn_inc » Thu Jan 11, 2024 12:21 pm

Hello,

In the Access Server Admin UI there is 'group permissions'. You can create groups there. Groups can have subnets assigned to them. Users that are assigned to the group can get their IP addresses from that group subnet. Groups are isolated from each other by default.

Example:

User Management > Group Permissions.
Where it says 'New Group', enter a name like "Group 1" and click the pencil-on-paper icon for more settings.
In "Subnets assigned to this group (optional):" enter something like 192.168.70.0/24
In "Dynamic subnet ranges for this group (optional):" enter something like 192.168.70.2-192.168.70.253
Click save settings.

User Management > User Permissions.
For a particular user, set the group to "Group 1".
Click save settings.
Click update running servers.

Now connect with that particular user. It should get an IP like 192.168.70.something.

The hardware address checking script is here:
https://openvpn.net/vpn-server-resource ... -checking/

This script checks MAC/UUID information sent by the VPN client to lock it down so that particular user can only connect from a device with that MAC/UUID. Your use-case is slightly different. You want to instead verify the public IP address of the VPN client. That requires slight changes to this script. Documentation for post-auth scripting including what variable contains the public IP address is here:
https://openvpn.net/vpn-server-resource ... -examples/

I should note that while we provide example post_auth scripts, any custom coding is left up to whoever is writing that custom code. So basically in developing this particular check, you are on your own. But anyone with even a small grasp on programming should be able to use the information provided to adjust the script to do an IP check instead of MAC/UUID check.

Good luck,
Johan
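The IP-based variant of the post_auth check discussed in this thread, as an added example that is not OpenVPN Inc.'s script and not taken from the linked documentation. It assumes the Access Server hook shape `post_auth_cr(authcred, attributes, authret, client_info, crstate)`, that `authcred['client_ip_addr']` carries the client's public address, that `authret['proplist']` holds the user's properties, and that `SUCCEED`/`FAIL` come from `pyovpn.plugin`; the property name `pvt_allowed_src` and its comma-separated IP/CIDR format are this example's own choice.

```python
"""Source-address check in the shape of an Access Server post_auth script.
Added example: hook signature, dict keys and constants are assumptions."""
import ipaddress

try:
    from pyovpn.plugin import SUCCEED, FAIL  # assumed to exist on Access Server
except ImportError:
    SUCCEED, FAIL = 1, 0                     # stand-ins so the file runs offline

# Per-user property holding the permitted source address(es); name chosen here,
# not an Access Server built-in. Value example: "203.0.113.0/24, 198.51.100.7"
ALLOWED_SOURCE_PROP = "pvt_allowed_src"


def source_allowed(client_ip, allowed_spec):
    """True only if client_ip lies inside one of the comma-separated IPs/CIDRs
    in allowed_spec. Missing property, bad client IP or no match all deny
    (fail closed); a single malformed entry is skipped, not trusted."""
    if not allowed_spec:
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for item in allowed_spec.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            if addr in ipaddress.ip_network(item, strict=False):
                return True
        except ValueError:
            continue
    return False


def post_auth_cr(authcred, attributes, authret, client_info, crstate):
    """Runs after primary authentication. Only a user that already
    authenticated is re-checked against the source address stored for them;
    a mismatch flips the result to FAIL with a reason for the server log."""
    if authret.get("status") != SUCCEED:
        return authret                       # nothing to tighten on a failure
    client_ip = authcred.get("client_ip_addr")   # assumed key (public IP)
    proplist = authret.get("proplist") or {}     # assumed key (user props)
    if not source_allowed(client_ip, proplist.get(ALLOWED_SOURCE_PROP)):
        authret["status"] = FAIL
        authret["reason"] = "source %s not permitted for %s" % (
            client_ip, authcred.get("username"))
    return authret
```

Each telco client's APN address (or range) would be stored in that property per user; a login from any other source is refused even with a valid credential, which is the "only A and B" restriction the thread asks about, enforced at the server instead of only at the firewall.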
