Configure OpenVPN to restrict access to users, servers and services

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to only use certain services on your network?  Furthermore, what if you want to use the same OpenVPN server to allow yourself or employees full access to the network while giving your customers restricted access?  I’ve got a solution for you!

My example comes from the need to provide a group of customers with access to our MSSQL Database Server without exposing that server to the internet and potential attacks.  We also have a need for myself and other network administrators to be able to use a VPN to gain full access to this network.  My solution is the following OpenVPN configuration:

This assumes the OpenVPN installation is already complete and working with its default settings, using PAM authentication, on an Ubuntu server.

CREATE USER ACCOUNTS ON THE SERVER
From a terminal session, add the users you will be granting VPN access to.  Because the server authenticates through PAM, these local accounts are what VPN users log in with; there is no need to assign groups or permissions, only a username and password.

$ sudo useradd username
$ sudo passwd username

Easy enough.  Now let’s log on to the web interface of our OpenVPN server.

CONFIGURE OPENVPN SERVER

  • VPN Settings
    • Dynamic IP Address Network
      • Create a network to be assigned to administrative users.*
      • *Users or groups marked as Admin are not assigned a group IP address; they receive an address from the pool created under VPN Settings > VPN IP Network.
    • Static IP Address Network (Optional) – Leave blank
    • Group Default IP Address Network (Optional) – Leave blank
    • Should VPN clients have access to private subnets (non-public networks on the server side)? = No
    • Should client Internet traffic be routed through the VPN? = No
    • Should clients be allowed to access network services on the VPN gateway IP address? = No
    • DNS Settings = Do not alter clients’ DNS server settings
    • Default Domain Suffix (optional) – Leave blank
  • Advanced VPN Settings
    • Inter-Client Communication
      • Should clients be able to communicate with each other on the VPN IP Network? = No
    • Leave all other settings at their defaults unless you need to change them
  • Create Groups in OpenVPN (Group Permissions menu)
    • Admin
      • Check the Admin box
      • All other settings default
      • *Users or groups marked as Admin are not assigned a group IP address; they receive an address from the pool created under VPN Settings > VPN IP Network.
    • Employees
      • DO NOT check the Admin box
      • Subnets assigned to this group
        • 192.168.50.0/24 <- this can be any range you like, as long as it does not overlap any of your own networks or the subnets of other groups
      • Dynamic subnet ranges for this group
        • 192.168.50.0-192.168.50.255 <- this must be a range within the subnets assigned to this group
      • Access Control
        • Use Access Control = Yes
        • Allow Access to Networks and Services <- set this to the whole network you want employees to be able to reach
          • format: 10.100.100.0/24
    • DBServer_Access
      • DO NOT check the Admin box
      • Subnets assigned to this group
        • 192.168.51.0/24 <- this can be any range you like, as long as it does not overlap any of your own networks or the subnets of other groups
      • Dynamic subnet ranges for this group
        • 192.168.51.0-192.168.51.255 <- this must be a range within the subnets assigned to this group
      • Access Control
        • Use Access Control = Yes
        • Allow Access to Networks and Services <- set this to the specific servers and services this group may reach
          • format: 10.100.100.20/32:tcp/1433 <- this limits the group to that single server and only the MSSQL port (TCP 1433)
    • DENY
      • DO NOT check the Admin box
      • Check the Deny Access box
  • Set the Default Group Permissions (applied to any user not in a group) to DENY
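As an added example (not part of the original post and not OpenVPN's own code), the following Python script models the group plan above so you can sanity-check it before clicking through the web interface. It uses the post's illustrative addresses as constructed sample data, checks that no group subnet overlaps the internal network or another group's subnet, and parses the two rule shapes the post uses (`a.b.c.d/n` and `a.b.c.d/n:proto/port`). The evaluation model (a connection is allowed only when a rule of the client's group matches, everything else is denied) is an assumption that describes the intended policy, not a reimplementation of how the server enforces it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed plan using the post's illustrative addresses (not a real deployment).
INTERNAL_NETWORKS = ["10.100.100.0/24"]          # the network behind the VPN server

GROUPS: Dict[str, dict] = {
    "Employees":       {"subnet": "192.168.50.0/24", "allow": ["10.100.100.0/24"]},
    "DBServer_Access": {"subnet": "192.168.51.0/24", "allow": ["10.100.100.20/32:tcp/1433"]},
    "DENY":            {"subnet": None,              "allow": []},
}


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network
    proto: Optional[str]   # None means any protocol
    port: Optional[int]    # None means any port


def parse_rule(text: str) -> Rule:
    """Parse the two rule shapes the post uses: 'a.b.c.d/n' and 'a.b.c.d/n:proto/port'."""
    net_part, _, service = text.partition(":")
    network = ipaddress.ip_network(net_part, strict=True)   # rejects host bits set, e.g. 10.0.0.5/24
    if not service:
        return Rule(network, None, None)
    proto, _, port = service.partition("/")
    if proto not in ("tcp", "udp") or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"unsupported service spec in rule {text!r}")
    return Rule(network, proto, int(port))


def check_subnet_plan(groups: Dict[str, dict], internal: List[str]) -> List[str]:
    """Return human-readable problems: a group subnet overlapping the internal network or another group."""
    problems = []
    group_nets = [(name, ipaddress.ip_network(g["subnet"]))
                  for name, g in groups.items() if g["subnet"]]
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    for i, (name_a, net_a) in enumerate(group_nets):
        for lan in internal_nets:
            if net_a.overlaps(lan):
                problems.append(f"{name_a}: {net_a} overlaps internal network {lan}")
        for name_b, net_b in group_nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a}: {net_a} overlaps {name_b} subnet {net_b}")
    return problems


def is_allowed(groups: Dict[str, dict], group: str, dst_ip: str, proto: str, port: int) -> bool:
    """Assumed policy model: allowed only if some rule of the group matches; unknown groups are denied."""
    dst = ipaddress.ip_address(dst_ip)
    for text in groups.get(group, {"allow": []})["allow"]:
        rule = parse_rule(text)
        if dst in rule.network and rule.proto in (None, proto) and rule.port in (None, port):
            return True
    return False


if __name__ == "__main__":
    for line in check_subnet_plan(GROUPS, INTERNAL_NETWORKS) or ["subnet plan: no overlaps"]:
        print(line)
    for grp, ip, proto, port in [("DBServer_Access", "10.100.100.20", "tcp", 1433),
                                 ("DBServer_Access", "10.100.100.20", "tcp", 22),
                                 ("Employees", "10.100.100.20", "tcp", 22),
                                 ("DENY", "10.100.100.20", "tcp", 1433)]:
        verdict = "allow" if is_allowed(GROUPS, grp, ip, proto, port) else "deny"
        print(f"{grp:16} -> {ip} {proto}/{port}: {verdict}")
```

Run it after editing the `GROUPS` and `INTERNAL_NETWORKS` entries to match your own plan; a non-empty result from `check_subnet_plan` means two ranges collide and routing between the VPN and your LAN will be ambiguous, which is exactly the mistake the "make sure it does not overlap" notes above warn about.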

Adding Users

  • Add the username to the OpenVPN configuration and assign it to a group (User Permissions menu)
    • Add a new user and assign it to the group you created for the level of access you want to grant.
    • DO NOT check the Admin box for any user that needs access to network resources.  Admin is reserved for web administration, and with this configuration an Admin user will not be able to reach anything on your network.

After all of this, your database users should only have access to your database servers and your employees should be able to access any services on the network.  My advice is TEST, TEST, TEST and then TEST again!
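To make that testing repeatable, here is an added example (not from the original post) of a small Python checker meant to be run from a VPN client in the DBServer_Access group. It records what that client should and should not be able to reach, using the post's example addresses as placeholders, and reports every mismatch. Because a probe that is itself broken would make a misconfigured server look fine, `self_check` first exercises the probe offline against an open and a closed loopback port.

```python
import socket
from contextlib import closing
from typing import Callable, List, Tuple

Check = Tuple[str, str, int, bool]   # (label, host, port, expected_reachable)


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout; False on refusal or timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def run_matrix(checks: List[Check], probe: Callable[[str, int], bool] = tcp_reachable) -> List[str]:
    """Run every check; return one line per mismatch (an empty list means the policy behaves as intended)."""
    mismatches = []
    for label, host, port, expected in checks:
        actual = probe(host, port)
        if actual != expected:
            mismatches.append(f"{label}: {host}:{port} expected "
                              f"{'reachable' if expected else 'blocked'}, got "
                              f"{'reachable' if actual else 'blocked'}")
    return mismatches


# What a client in the DBServer_Access group should see (constructed from the post's example addresses).
DB_CLIENT_MATRIX: List[Check] = [
    ("MSSQL on the DB server",        "10.100.100.20", 1433, True),
    ("SSH on the DB server",          "10.100.100.20", 22,   False),
    ("MSSQL on a neighbouring host",  "10.100.100.21", 1433, False),
]


def self_check() -> bool:
    """Exercise the probe offline: an open loopback port must read as reachable, a closed one as blocked."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        open_port = listener.getsockname()[1]
        # Bind and immediately release a second ephemeral port to obtain one that is closed right now.
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        return run_matrix([("open loopback port", "127.0.0.1", open_port, True),
                           ("closed loopback port", "127.0.0.1", closed_port, False)]) == []
    finally:
        listener.close()


if __name__ == "__main__":
    print("probe self-check:", "ok" if self_check() else "FAILED")
    problems = run_matrix(DB_CLIENT_MATRIX)
    print("\n".join(problems) if problems else "DBServer_Access policy behaves as intended")
```

Build one matrix per group (an Employees matrix would expect the SSH and neighbouring-host rows to be reachable) and run it from a client connected as a member of that group; a "blocked" result only proves the rule set when the same port is confirmed open from a client that is supposed to have access.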

Enjoy!