
I just used the instructions in this tutorial to install OpenVPN on a CentOS 7 server. I am able to ssh and https into the remote CentOS 7 server through the VPN from a client machine. However, it seems like the user has complete access to all aspects of the remote server. This is good for an administrator account, but this level of access would be horrible if applied to normal user accounts.

I would like to create a group definition in OpenVPN that is only allowed to interact with web applications running on the server using https. All other access to the server by members of this new user group would be blocked. How can I accomplish this?

CodeMed

1 Answer

  1. Create a few OpenVPN instances on the server, assigning them static interface names, then create interface-based firewall (iptables) rules. The instances may be listening on different ports or IPs. Every instance should have its own SSL CA to sign access certificates.

  2. If you want to avoid multiple instances, create static CN -> IP mappings with ccd or (less secure) ipp rules (consult man openvpn for details). Put the admins' subnet at the end of the VPN IP range, so non-listed users will get unprivileged IPs. Then again use iptables to allow/deny access from those IPs to services.

  3. There are other options like PAM auth or even LDAP in addition to TLS security. I can elaborate more on this if you really need it, but it makes things more complicated without much added flexibility.

(All of the above assumes you're using full TLS auth and not static key only.)

sam_pan_mariusz
  • @CodeMed - yes, OpenVPN is there to provide packet transmission between nodes; it has little to do with filtering. You should use proper firewall software. Multiple OpenVPN instances = multiple virtual interfaces - this makes the multi-instance solution the easiest to integrate with a firewall. I know nothing about `firewalld` so I can't help with it. – sam_pan_mariusz Feb 18 '15 at 21:30
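The following is an added example that implements option 1 from the answer above (it is not code from the question, the answer, or the OpenVPN project): two OpenVPN server instances with fixed interface names, each with its own PKI, and an iptables ruleset that filters on the interface the packet arrived on. The instance names, ports (1194/1195), subnets (10.8.0.0/24 for admins, 10.9.0.0/24 for users), device names (`tun-admin`, `tun-users`) and PKI paths are assumptions chosen for the illustration. The script only stages the files in a temporary directory so it can be run without root; on the real host the configs go under `/etc/openvpn/` and the ruleset is loaded with `iptables-restore`.

```shell
#!/bin/sh
# Added example (not from the original post): per-group OpenVPN instances
# distinguished by fixed tun device names, plus an interface-based iptables
# ruleset. All names, ports, subnets and paths below are assumptions.

set -eu

# Server config for one instance. Each instance gets its own UDP port, its own
# fixed tun device (so firewall rules can match on -i), and its own CA, so a
# certificate issued for the "users" PKI cannot connect to the "admin" port.
gen_openvpn_conf() {
    # $1 = instance name, $2 = udp port, $3 = tun device, $4 = VPN subnet /24
    cat <<EOF
port $2
proto udp
dev $3
dev-type tun
topology subnet
server $4 255.255.255.0
ca /etc/openvpn/pki-$1/ca.crt
cert /etc/openvpn/pki-$1/server.crt
key /etc/openvpn/pki-$1/server.key
dh /etc/openvpn/pki-$1/dh.pem
tls-auth /etc/openvpn/pki-$1/ta.key 0
keepalive 10 120
persist-key
persist-tun
EOF
}

# iptables-restore ruleset: default-deny INPUT, admin VPN unrestricted,
# user VPN limited to 443/tcp with everything else logged and dropped.
# (Management SSH is reachable only through the admin VPN; add an explicit
# public SSH rule first if you need a way in without the VPN.)
gen_rules() {
    # $1 = admin tun device, $2 = users tun device
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# OpenVPN handshakes for both instances arrive on the public interface
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 1195 -j ACCEPT
# Admin instance: full access to the host
-A INPUT -i $1 -j ACCEPT
# User instance: HTTPS only
-A INPUT -i $2 -p tcp --dport 443 -j ACCEPT
-A INPUT -i $2 -j LOG --log-prefix "vpn-users-drop: "
-A INPUT -i $2 -j DROP
COMMIT
EOF
}

# Stage everything in a scratch directory (no root needed). On the server:
#   cp server-*.conf /etc/openvpn/ && systemctl start openvpn@server-admin openvpn@server-users
#   iptables-restore < rules.v4
OUT=${OUT:-$(mktemp -d)}
gen_openvpn_conf admin 1194 tun-admin 10.8.0.0 > "$OUT/server-admin.conf"
gen_openvpn_conf users 1195 tun-users 10.9.0.0 > "$OUT/server-users.conf"
gen_rules tun-admin tun-users > "$OUT/rules.v4"

# Syntax-check the ruleset without loading it, when iptables is present
# (may need root depending on the backend, so a failure here is not fatal).
if command -v iptables-restore >/dev/null 2>&1; then
    iptables-restore --test < "$OUT/rules.v4" 2>/dev/null \
        && echo "ruleset parses" || echo "could not test ruleset here"
fi
echo "staged in $OUT"
```

A user who connects to the `users` instance lands on `tun-users` and can reach only port 443; SSH from that client is logged with the `vpn-users-drop:` prefix and dropped, while the same SSH from a client on `tun-admin` is accepted. The design choice over option 2 (one instance with `ifconfig-push` entries in `ccd/<CN>` and rules matching `-s` on the pinned IP) is that the group boundary is enforced by which CA signed the client certificate, not by an IP assignment a misconfigured ccd could hand to the wrong CN. On CentOS 7 with firewalld left enabled, the equivalent is to put each tun device in its own zone (`firewall-cmd --zone=<zone> --change-interface=tun-users`) and open only the `https` service in the users' zone.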