
Allow particular user to access only one port on particu

Posted: Thu Jan 27, 2022 6:57 am
by Nubia
I would like to allow client 1 access to the service on port e.g. 1234, and client 2 access to port e.g. 5678. The IP address is the same.

192.168.0.16:1234 <- access only for client 1
192.168.0.16:5678 <- access only for client 2

Is this possible?

Re: Allow particular user to access only one port on particu

Posted: Thu Jan 27, 2022 12:51 pm
by chilinux
Short/Best answer should be:
What are you trying to achieve by doing this?

I know, this is more of a question than an answer so ...

The long overly complex answer is this:

OpenVPN AS is made up of three network services, a web interface to get the OpenVPN configuration file and then the OpenVPN services on both TCP and UDP.

Manipulating the product to require a specific user to go to a specific port to log into the web interface isn't something I can think of a way of doing. Regardless of which port is used to log in to the web interface, OpenVPN AS is going to return a configuration script that references the ports on which it is actually running the OpenVPN services, rather than your expected per-user/port associations. I can't think of a way to change that other than to distribute the configuration files after manual modification.

As to the VPN sessions themselves on TCP/UDP, it could be technically possible to do something like this. You could expose the additional ports to run the VPN services on using iptables. However, the OpenVPN AS product works best if you don't do any manipulation of iptables directly, so this would likely be considered an unsupported scenario. Then you could write a post_auth script, which is handed the username and "client_ip_addr" in the authcred dictionary. This Python script could then run "ss" to determine if the client's IP address has a connection to the expected port for the user. But adding execution of an external ss process into a post_auth script is going to be messy and may introduce problems that make things unreliable. Hence I don't recommend actually attempting to do this.

The bottom line at this point is that the product is not intended to be used this way, and you are going to be bending it almost to the point of breaking to try to achieve this. You seem to be trying to achieve additional "security" through obscurity. Ultimately, I don't think any additional security will be gained by doing this.

All of this leads back to my original question: what are you trying to achieve?

It may be possible that what you are trying to do can be done a different way, or that from a security standpoint it is already being achieved.
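For readers who want to see what the post_auth approach sketched above actually looks like, here is an added example (it is not OpenVPN's code and not something chilinux posted). It takes the username and "client_ip_addr" from the authcred dictionary, lists established TCP connections with ss, and fails the login unless the client's address has a connection to the port assigned to that user. The USER_PORTS table and its ports, the post_auth_cr signature and the SUCCEED/FAIL names from pyovpn.plugin (with placeholder values when that module is absent), and the sample ss output used to exercise the parser are all assumptions made for this example:

```python
"""Added example (not OpenVPN's code): a post_auth hook that enforces a
per-user port policy along the lines chilinux sketches.

The hook reads authcred['username'] and authcred['client_ip_addr'], runs
`ss` to list established TCP connections, and fails the login if the
client's address has no connection to the port assigned to that user.
Assumptions (not from the thread): the USER_PORTS table, the post_auth_cr
signature and the SUCCEED/FAIL constants from pyovpn.plugin, and the
constructed `ss` output below.
"""
import re
import subprocess

try:
    from pyovpn.plugin import SUCCEED, FAIL  # provided by Access Server at runtime
except ImportError:  # outside Access Server (tests): assumed placeholder values
    SUCCEED, FAIL = 0, 1

# Hypothetical policy: the OpenVPN daemon port each user must arrive on.
USER_PORTS = {
    "client1": 1234,
    "client2": 5678,
}

# One `ss` address token, e.g. 192.168.0.16:1234 or [::ffff:192.168.0.16]:943.
ADDR_PORT = re.compile(r"^(\[?[0-9A-Fa-f.:%]+\]?):(\d+)$")

# Constructed sample of `ss -Htn state established` output (not real data).
SAMPLE_SS_OUTPUT = """\
0      0      192.168.0.16:1234          192.168.0.100:51522
0      0      192.168.0.16:5678          192.168.0.101:40012
0      0      [::ffff:192.168.0.16]:943  [::ffff:192.168.0.100]:51530
"""


def _norm_ip(addr):
    """Strip IPv6 brackets, the IPv4-mapped prefix and any scope id so the
    peer compares equal to the dotted-quad string Access Server reports."""
    addr = addr.strip("[]")
    if addr.lower().startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return addr.split("%", 1)[0]


def parse_ss_connections(text):
    """Return [(local_port, peer_ip), ...] from `ss -tn` style output.

    Address tokens are recognised by shape rather than by column index, so
    the layouts with and without the State column both parse; header lines
    and the optional process column contain no such tokens and are skipped.
    """
    conns = []
    for line in text.splitlines():
        matches = [m for m in map(ADDR_PORT.match, line.split()) if m]
        if len(matches) < 2:
            continue
        local, peer = matches[-2], matches[-1]
        conns.append((int(local.group(2)), _norm_ip(peer.group(1))))
    return conns


def established_tcp_connections():
    """Live connection list. This is the external `ss` call chilinux warns
    about, kept separate so the policy logic can be tested without it."""
    out = subprocess.run(["ss", "-Htn", "state", "established"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ss_connections(out)


def client_on_expected_port(username, client_ip, connections, policy=USER_PORTS):
    """Return (ok, reason). Users without an assignment are refused (fail closed)."""
    expected = policy.get(username)
    if expected is None:
        return False, "no port assignment for user %r" % username
    ports = sorted({port for port, peer in connections if peer == client_ip})
    if expected in ports:
        return True, ""
    return False, "user %r is connected on ports %s, policy requires %d" % (
        username, ports or "none", expected)


def enforce_port_policy(authcred, authret, connections):
    """Overlay the port check on an authret the primary auth already decided."""
    if authret.get("status") != SUCCEED:
        return authret  # primary authentication failed; nothing to add
    ok, reason = client_on_expected_port(
        authcred.get("username"), authcred.get("client_ip_addr"), connections)
    if not ok:
        authret["status"] = FAIL
        authret["reason"] = "port policy: " + reason
    return authret


def post_auth_cr(authcred, attributes, authret, info, crstate):
    """Access Server post_auth entry point (signature assumed from the docs).

    Limitations: only TCP sessions are visible to ss this way (the UDP daemon
    has no per-peer sockets), every login from the same address, web
    interface included, is subject to the check, and two users behind one
    NAT are indistinguishable by address.
    """
    return enforce_port_policy(authcred, authret, established_tcp_connections())
```

The limitations listed in the last docstring are why this is a demonstration of the idea rather than a recommendation: the check only observes TCP sessions, it cannot tell two users behind the same NAT apart, and it rejects web interface logins from a client that is not also connected on its VPN port. Any enforcement that can be bypassed by choosing a different port or sharing an address adds little over the per-user authentication Access Server already does.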

Re: Allow particular user to access only one port on particu

Posted: Thu Jan 27, 2022 3:35 pm
by openvpn_inc
Nubia wrote:
Thu Jan 27, 2022 6:57 am
I would like to allow client 1 access to the service on port e.g. 1234, and client 2 access to port e.g. 5678. The IP address is the same.

192.168.0.16:1234 <- access only for client 1
192.168.0.16:5678 <- access only for client 2

Is this possible?
Hi Nubia,

In addition to chilinux's questions, I'd also wonder why you're connecting via a "private" RFC 1918 address?

If these clients are connecting in from outside, going through a NAT router, you could set up firewall rules to manage these access restrictions, and forward the appropriate destination ports to the corresponding ports on the Access Server. Probably not trivial, and definitely not within the scope of OpenVPN support.

Similarly, this might be done with restricted iptables nat/REDIRECT rules on the Access Server. Again not trivial.

Another thing to add: 192.168.0.0/23 networks (including 0.0/24 and 1.0/24 networks) are the most common choices for off-the-shelf consumer router devices. Change to a less used network address if you plan to connect to it via VPNs.

regards, rob0