Group access control and Internet Access
mikev123456789
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 20, 2022 8:02 pm

Group access control and Internet Access

Post by mikev123456789 » Wed Jul 20, 2022 8:08 pm

Greetings,

I'm in the process of setting up group LDAP integration in order to implement access control and some groups.

As it stands, when connected to the VPN all internet traffic is routed through the VPN. We have several groups set up with the intention of limiting access to certain resources behind the OpenVPN Access Server.

One of the groups we configured to allow access to specific IPs and services behind the VPN (internal network), but we still want the user to have full access to the internet. It's not clear from what I've seen in the documentation if this is possible, or to which traffic access control is applied.


Regards,

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Group access control and Internet Access

Post by openvpn_inc » Wed Jul 20, 2022 9:56 pm

Hello,

You can define allowed subnets to be accessed through global access control, per-group access control or per-user access control. Taking into account that those rules are additive, we have to be very specific in the way we allow subnets.

If we allow a subnet in the global access rule, it will apply to all users in the AS; if we do it per group, it will apply to all users assigned to that group; and if we do it per user, it will apply just to that user. Now if we have an access rule globally and then we configure a rule for a group, since the rules are additive it means that for the users in that group the global rule plus the rule configured per group will apply.

You can define rules to access your internal network and have your internet traffic being routed through the AS.

Take a look at the links below for further details.

https://openvpn.net/access-server-manua ... rmissions/

https://openvpn.net/access-server-manua ... rmissions/

https://openvpn.net/access-server-manua ... -settings/

Regards,

Marcelino
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

mikev123456789
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 20, 2022 8:02 pm

Re: Group access control and Internet Access

Post by mikev123456789 » Thu Jul 21, 2022 1:04 am

Hello Marcelino,

That doesn't really answer my question. Let me provide a clearer example. The internal network behind the AS is 192.168.0.0/24. When a client connects to the AS, all of their internet traffic is forced over the VPN and either goes out to the internet or to the internal network.

Now there is a group where I've added a single allowed access control rule:

192.168.0.23:udp/53

Now my understanding is that the group will be able to send traffic only to 192.168.0.23 on UDP 53 and all other traffic is blocked. What is not clear is if all internet traffic will be blocked as well, since I only have the single allowed rule. If that's the case then there really isn't a good mechanism to allow internet traffic (0.0.0.0/0) while blocking access to the rest of the 192.168.0.0/24 subnet.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Group access control and Internet Access

Post by openvpn_inc » Thu Jul 21, 2022 12:02 pm

Hello mikev123456789,

Access Server can set rules on what the VPN client is instructed and allowed to send through the VPN tunnel.

If you don't give access on the global level under VPN Settings (allow access to private subnets > no) and you set 192.168.0.23:udp/53 then the result will be that users part of this group will use Internet access via their normal network connection that they already have even without the VPN on. And when the VPN is on, they will be instructed to send traffic for 192.168.0.23 through the VPN tunnel, and only port UDP 53 will then be allowed to pass through. Internet traffic will stay on the VPN client's normal network connection and will not involve the VPN tunnel in any way.

Can you explain in more detail what traffic path you want the client's Internet traffic to go through, or where it should be blocked? On client side or VPN server?

Kind regards,
Johan
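The two staff replies describe how Access Server builds one allow set per user: the global rules, the group's rules and the user's own rules are merged (additive), and a destination not covered by any of them is not allowed through the tunnel. The following Python model is an added illustration for readers of this thread, not Access Server code and not something the staff posted. It only reproduces the merging logic described above, using the rule strings from the thread (`192.168.0.23:udp/53`, `192.168.0.0/24`); the destination addresses it checks are constructed (203.0.113.10 is a documentation-range address standing in for "the internet"), and the names `Rule`, `parse_rule`, `effective_rules` and `allowed` are this example's own.

```python
"""Model of the additive access-control semantics described in the thread.

Added example only: it reproduces the rule-merging logic the replies describe
(global + group + user rules form one allow set; anything not matched is not
allowed through the tunnel). It is not Access Server's implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One allow entry: a network, optionally restricted to one proto/port."""
    network: ipaddress.IPv4Network
    proto: Optional[str]   # "tcp" / "udp", or None for any service
    port: Optional[int]    # destination port, or None for any


def parse_rule(text: str) -> Rule:
    """Parse the web-UI style rule strings seen in the thread.

    "192.168.0.23:udp/53" -> host 192.168.0.23/32, UDP port 53 only
    "192.168.0.0/24"      -> whole subnet, any protocol and port
    """
    if ":" in text:
        host, service = text.split(":", 1)
        proto, port = service.split("/", 1)
        return Rule(ipaddress.ip_network(host, strict=False), proto.lower(), int(port))
    return Rule(ipaddress.ip_network(text, strict=False), None, None)


def effective_rules(global_rules, group_rules, user_rules):
    """Rules are additive: the user's effective allow set is the union of all three levels."""
    merged = set()
    for level in (global_rules, group_rules, user_rules):
        merged.update(parse_rule(r) if isinstance(r, str) else r for r in level)
    return merged


def allowed(rules, dst_ip: str, proto: str, port: int) -> bool:
    """True if at least one rule in the merged set matches the destination flow."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if ip not in rule.network:
            continue
        if rule.proto is None:                       # subnet rule: any service
            return True
        if rule.proto == proto.lower() and rule.port == port:
            return True
    return False


def group_only_scenario():
    """The poster's case: no global allow, one group rule 192.168.0.23:udp/53."""
    rules = effective_rules(global_rules=[], group_rules=["192.168.0.23:udp/53"], user_rules=[])
    return {
        "dns_to_192.168.0.23": allowed(rules, "192.168.0.23", "udp", 53),   # matched by the rule
        "ssh_to_192.168.0.23": allowed(rules, "192.168.0.23", "tcp", 22),   # same host, other service
        "other_lan_host": allowed(rules, "192.168.0.50", "udp", 53),        # rest of 192.168.0.0/24
        "internet": allowed(rules, "203.0.113.10", "tcp", 443),             # constructed public address
    }


def additive_scenario():
    """Why Marcelino says to be 'very specific': a broad global rule widens every group."""
    rules = effective_rules(global_rules=["192.168.0.0/24"],
                            group_rules=["192.168.0.23:udp/53"], user_rules=[])
    # The group's narrow rule no longer restricts anything; the global /24 already allows it all.
    return allowed(rules, "192.168.0.50", "tcp", 22)


if __name__ == "__main__":
    for flow, ok in group_only_scenario().items():
        print(f"{flow:24s} {'allowed' if ok else 'not allowed'}")
    print("with global 192.168.0.0/24, other LAN host on tcp/22:", additive_scenario())
```

The first scenario reproduces Johan's reading of the poster's configuration: only UDP 53 to 192.168.0.23 matches, and the public destination is not in the allow set, so it is not tunnelled; whether that traffic then takes the client's normal connection (Johan's description when "allow access to private subnets" is off globally) or is dropped depends on the routing side of the configuration, which this model does not cover. The second scenario shows the consequence of additivity that Marcelino warns about: a global subnet rule cannot be narrowed back down by a more specific group rule.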
