Dynamic group assignment to facilitate dynamic firewall rules
Posted: Wed Feb 08, 2017 12:01 am
Hello,
I have group A and group B in openvpn-as. Group A has full access to the LANs.
The value of "access_to.0" and value of "access_to.1" for group B are respectively "+ROUTE:0.0.0.0/0:tcp/3389" and "-ALL".
Users are by default in group B.
I would like to be able to configure openvpn-as to consider a user (user 1) connecting from an authorized device as being in group A.
I would like to be able to configure openvpn-as to consider user 1 connecting from an unauthorized device as being in group B.
I tried configuring openvpn-as to promote user 1 connections from an authorized device to group A with a post-auth script.
However, "GROUP_SELECT=True" breaks autologin connections and "GROUP_SELECT=False" results in no promotion.
With a regular openvpn server, I had used "learn-address" to do dynamic firewall rules for each connection.
Is there a way to do the promotion of user 1 connections from an authorized device to group A while not doing said promotion when the user is connecting from an unauthorized device?
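For readers trying the same approach, here is the shape of the decision logic such a post-auth script would contain: a per-user allow-list of device hardware addresses, and a group choice that promotes to A only when the reported device is on the list, otherwise leaving the connection in the restricted group B. This is an added example and not code from the post or from OpenVPN; the hook name `post_auth_cr`, its argument order, the `HWADDR` key in `client_info` and the `conn_group` property are assumptions modelled on the OpenVPN AS post-auth documentation, and the usernames and addresses are constructed sample data.

```python
# Added example: a post_auth-style hook that promotes a user to group A only
# when the connecting device is on an allow-list; everyone else lands in the
# restricted group B. The hook signature, the HWADDR key in client_info and the
# 'conn_group' property are assumptions modelled on the OpenVPN AS post_auth
# docs, not verified against the poster's server.

# Constructed allow-list: username -> set of authorized device hardware addresses.
AUTHORIZED_DEVICES = {
    "user1": {"00:11:22:33:44:55"},
}

FULL_ACCESS_GROUP = "A"   # full LAN access
RESTRICTED_GROUP = "B"    # default: RDP only (+ROUTE:0.0.0.0/0:tcp/3389, -ALL)


def normalize_hwaddr(hwaddr):
    """Canonicalise a hardware address ("00-11-22-33-44-55", "0011.2233.4455",
    upper/lower case) to "00:11:22:33:44:55" so allow-list lookups are exact.
    Returns None for anything that is not 12 hex digits."""
    if not hwaddr:
        return None
    digits = "".join(ch for ch in hwaddr.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def choose_group(username, hwaddr, authorized=AUTHORIZED_DEVICES):
    """Return the group this connection should be placed in.
    Unknown users, unknown devices and missing addresses all stay restricted."""
    mac = normalize_hwaddr(hwaddr)
    if mac is not None and mac in authorized.get(username, set()):
        return FULL_ACCESS_GROUP
    return RESTRICTED_GROUP


def post_auth_cr(authcred, attributes, authret, client_info, crstate):
    """Hook body in the (assumed) shape OpenVPN AS calls after authentication.
    It never changes the auth result itself; it only sets the connection group."""
    username = authcred.get("username", "")
    hwaddr = client_info.get("HWADDR")  # assumed key: client-reported MAC
    proplist = authret.setdefault("proplist", {})
    proplist["conn_group"] = choose_group(username, hwaddr)  # assumed property
    return authret
```

Two caveats a practitioner would want: the hardware address is reported by the client, so an allow-list keyed on it is a weak device check rather than device attestation, and it should be combined with something the server verifies (for example the client certificate). Second, as the post notes, whether the group set here is honoured for autologin profiles depends on the GROUP_SELECT behaviour of the server, so the promotion has to be confirmed in the connection log rather than assumed from the script.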