
I want to set up a VPN server that puts each user into a different VLAN.

I've got a network with about 200 users in which each user is in a separate VLAN with his own /27 IPv4 network. Which user belongs to which VLAN is determined by an LDAP server, which also provides authentication. I've got a FreeRADIUS server as well which could do authentication. I've got a REST API for getting the VLAN ID for a given username, if that helps. A single DHCP server runs for all users.

I want to create a VPN server that allows every user to log in from the internet. The user should then be put into his VLAN and (hopefully without further configuration) get an IP address within his own /27 network from the DHCP server.

My router, VPN, LDAP/FreeRADIUS, and DHCP each run on separate Debian virtual machines.

I've tried to solve this with an OpenVPN server but have failed so far to map users to VLANs. (AFAIK I can only configure a single server-side interface.)

How can I achieve this?

Bonus question: Would it be different for IPv6?

betanummeric
  • What is the logic behind putting each of them into a different VLAN? – Overmind Jun 13 '19 at 12:33
  • The users should not see each other; it provides identification and access control within the network. The VLANs are already in use for e.g. WLAN access. – betanummeric Jun 13 '19 at 12:39
  • You can do that quite easily with access lists. – Overmind Jun 13 '19 at 12:45
  • In this case you shouldn't use the VLAN term. Better to use "isolation group", "isolated address space", or "zone". Use the firewall to achieve it. – Anton Danilov Jun 13 '19 at 12:46
  • Could I incorporate access lists/firewalling with my existing VLAN setup? My network relies to a large extent on the separation by VLANs. (This could be a topic for another question...) – betanummeric Jun 13 '19 at 12:57

2 Answers


I think your process will be somewhat complicated, and I think this is not a standard way of doing this.

Generally a VPN is used for access from the internet, and for that you can use a firewall or a VPN firewall. I have experience with FortiGate firewalls, and with FortiGate you can create IP pools for users. But your requirement is to provide an internal VLAN IP to the user. However, you can allow users to access a specific VLAN via a firewall policy. I think it will solve your problem.

serverAdmin123

The users should not see each other; it provides identification and access control within the network. The VLANs are already in use for e.g. WLAN access.

To answer that need, please use a firewall or a firewall appliance that allows isolation for each VPN user. Often those firewalls will have the VPN users land inside their own VLAN; even if isolated from each other, they will be isolated from all other VLANs too if no allow rules are present.

So if the VPN user needs to access only a terminal server, then you create a rule to allow only port 3389 from that VLAN for that VPN user.

yagmoth555
  • So should I create an IP network for VPN clients and install a firewall which then controls access to the rest of the network, so far ignoring the user VLANs? I'd like to make the VPN client part of the IP network of the user (which is in his VLAN). Can I assign the VPN client an IP of the user network, or must I do NAT or something? – betanummeric Jun 13 '19 at 13:21
  • @betanummeric No need to create that IP network usually, as that IP network usually resides inside the router, and no, the VPN software does access rules based on the client name, but the VPN DHCP server is the same for all. The firewall usually does a DENY all to all your internal VLANs/zones (like so: VPN<->LAN/VLAN | DENY), except for what you would allow, in the VLAN you want for each. – yagmoth555 Jun 13 '19 at 13:42
  • @betanummeric In your case, as it's an advanced setup, I would probably suggest a RADIUS server, and with a group membership that would let the firewall add the correct access rule for the user to access his own VLAN. (And if a user can access two or more VLANs, the firewall will adapt the rule correctly.) – yagmoth555 Jun 13 '19 at 13:49
  • @betanummeric See the Sophos UTM if you want an appliance that does what I would suggest; see an example there: https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/54542/is-it-possible-to-combine-radius-authentication-and-ad-groups-ssl-vpn – yagmoth555 Jun 13 '19 at 13:55
  • I think you can implement it with openvpn, freeradius and nftables. – Anton Danilov Jun 13 '19 at 14:14
  • Thanks. I will use a new IP network for VPN clients and set up a firewall to allow access to the user network. – betanummeric Jun 13 '19 at 20:19
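As an added illustration of the approach the thread settles on (a dedicated VPN client network, with a firewall that denies VPN<->VLAN traffic by default and allows only explicit flows such as RDP to a terminal server), here is an nftables ruleset for a Debian router VM. This is example configuration written for this page, not anything posted by the answerers or shipped by any project. The interface name, the VPN pool, the VLAN subnet, the terminal-server address and the set contents are constructed placeholders, and the idea of filling a per-user named set from a VPN connect hook after a RADIUS/LDAP lookup is an assumption that follows Anton Danilov's openvpn/freeradius/nftables comment.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): default-deny policy for VPN clients
# towards the internal VLANs, with explicit allowances only.
# Every address and interface name below is a constructed placeholder.

flush ruleset

define vpn_if  = "tun0"            # assumption: the OpenVPN server's interface
define vpn_net = 10.200.0.0/24     # assumption: dedicated VPN client address pool
define rdp_srv = 10.1.20.10        # assumption: the terminal server's address

table inet vpn_isolation {
    # Per-user allowance: which VPN client addresses may enter VLAN 20.
    # Assumption: populated at connect time by a VPN hook after the
    # RADIUS/LDAP lookup; a static element is used here for illustration.
    set vlan20_clients {
        type ipv4_addr
        elements = { 10.200.0.17 }          # constructed client address
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were already permitted
        ct state established,related accept

        # VPN users must not see each other through the router
        iifname $vpn_if oifname $vpn_if drop

        # Internal VLANs may not initiate towards VPN clients (VPN<->LAN deny)
        iifname != $vpn_if oifname $vpn_if drop

        # Traffic between internal VLANs is outside this example's scope
        iifname != $vpn_if accept

        # Every VPN client may reach the terminal server on RDP (TCP 3389) only
        iifname $vpn_if ip saddr $vpn_net ip daddr $rdp_srv tcp dport 3389 accept

        # Named clients may reach "their" VLAN (constructed: VLAN 20 = 10.1.20.0/27)
        iifname $vpn_if ip saddr @vlan20_clients ip daddr 10.1.20.0/27 accept

        # Everything else from the VPN is logged and dropped
        iifname $vpn_if log prefix "vpn-deny " drop
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; the `vpn-deny` log prefix gives the kernel log lines to watch when a client is unexpectedly blocked. Because the table is in the `inet` family, the same chain can carry `ip6 saddr`/`ip6 daddr` rules next to the IPv4 ones, so the structure of the policy does not change for the bonus question's IPv6 case.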