Differences

This shows you the differences between two versions of the page.

--- pfsense:vpn:openvpn:timed_access_for_openvpn [2020/11/30 10:02] – peter
+++ pfsense:vpn:openvpn:timed_access_for_openvpn [2021/02/19 10:41] (current) – [Create Firewall Rules] peter
@@ Line 9: / Line 9: @@
 To allow access of our users only in specific time intervals it is necessary to create a schedule:
-  * Navigate to **Firewall -> Schedules**.
+Navigate to **Firewall -> Schedules**.
-  * Click the **Add** button.
-  * In **Schedule Name** give a name to the schedule.
+Click the **Add** button.
-  * Select the month to apply it to.
-  * Select the days on the calendar.
+In **Schedule Information**:
-  * Select the time range and click on **Add Time**.
-  * Repeat the procedure to add another time / date range to be assigned to this schedule.
+  * Schedule Name:  **OpenVPN_Allowed**.  Give a name to the schedule.
-  * All created ranges will be displayed under **Configured Ranges**.
+  * Description:  **OpenVPN Allowed Access**.  Provide a useful description.
+  * Month:  **Select the month to apply it to**.
+  * Date:  **Select the days on the calendar to apply**.
+  * Time:  ** Select the time range to apply**.
+  * Click **Add Time**.
+{{:pfsense:vpn:openvpn:pfsense_-_firewall_-_schedules_-_openvpn.png?800|}}
+<WRAP info>
+**NOTE:**  Repeat the procedure to add additional date/time ranges to this schedule.
+All created ranges will be displayed under **Configured Ranges**.
+</WRAP>
 ----
@@ Line 22: / Line 35: @@
 ===== Assign Individual IPs to OpenVPN users =====
-At this point, in order to implement the scheduling created in the Firewall Rules, it is necessary to assign a very specific static IP address of the VPN tunnel to the users we want to limit.
+In order to implement the scheduling created in the Firewall Rules, it is necessary to assign a very specific static IP address of the VPN tunnel to the users we want to limit.
-This is necessary because the firewall manages the rules via IP addresses.
+  * This is necessary because the firewall manages the rules via IP addresses.
-To assign a static IP address to the user, we will proceed as follows:
+To assign a static IP address to the user:
   * Navigate to **VPN -> OpenVPN -> Client Specific Overrides**.
-  * Click the **Add** button
+  * Click the **Add** button.
 In the configuration screen that will appear, it will be sufficient to configure only 2 items:
-  * Common Name: **The name of the VPN user**.
+  * Server List:  **Select the OpenVPN Server to associate this with**.
-  * Advanced:  Insert the following string **ifconfig-push [IP_TUNNEL] [NETMASK]**.
+  * Common Name:  **The name of the VPN user**.
-    * Where IP_TUNNEL will be the IP address of the tunnel that we would like to be assigned to the user.
+  * Advanced:  <code>ifconfig-push 10.20.30.69 255.255.255.0</code>
-    * Example:  ifconfig-push 10.20.30.20 255.255.255.0
+<WRAP info>
+**NOTE:**  See:  [[PFSense:VPN:OpenVPN:Assign a fixed IP to a remote client|Assign a fixed IP to a remote client]].
+The format for the **Advanced entry** is:  **ifconfig-push [IP_TUNNEL] [NETMASK]**, where:
+    * **IP_TUNNEL**:  will be the IP address of the tunnel that we would like to be assigned to the user.
+    * **NETMASK**:  The network mask to apply.
 Repeat the procedure for each user to be managed.
+</WRAP>
 ----
@@ Line 46: / Line 69: @@
 Navigate to **Firewall -> Rules**.
-  * Select the **OpenVPN** interface.
+Select the **OpenVPN** interface.
-  * Click **Add** button to create a new rule to be placed at the top.
+Click **Add** button to create a new rule to be placed at the top.
   * Action:  **Pass**.
   * Interface:  **OpenVPN**.
   * Address Family:  **IPv4**.
   * Protocol:  **Any**.
-  * Source:  **Single host or alias** **10.20.30.20**.  This is the IP address belonging to the VPN Tunnel network defined previously and assigned to the user concerned.
+  * Source:  **Single host or alias** **10.20.30.69**.  This is the IP address belonging to the VPN Tunnel network defined previously and assigned to the user concerned.
-  * Destination:  **Single host or alias** **192.168.1.55**.  The IP address of the server to which we want to restrict the user’s connection.
+  * Destination:  **Single host or alias** **192.168.1.123**.  The IP address of the server to which we want to restrict the user’s connection.
   * Advanced Options: In the Schedule, Select the Schedule created previously.
+<WRAP info>
+**NOTE:**  This allows a user who connects to the VPN with the IP address of the Tunnel 10.20.30.69 to access only the server 192.168.1.123 during the time range established in the scheduling.
-In this way we have allowed a user who connects in VPN with the IP address of the Tunnel 10.20.30.20 to access only the server 192.168.2.55 during the time range established in the scheduling.
 Repeat the procedure for each user to whom you want to grant access to the server at a certain time range.
+</WRAP>
-At this point, to prevent the user from accessing other devices on the network, we create a rule that blocks access to everything.  This rule must be placed UNDER the previously created access rules and associated with it.
+----
+To prevent the user from accessing other devices on the network, an additional rule that blocks access to everything should be placed UNDER the previously created access rules and associated with it.
   * Navigate to **Firewall -> Rules**.
@@ Line 71: / Line 97: @@
   * Address Family:  **IPv4**.
   * Protocol:  **Any**.
-  * Source:  **Single host or alias** **10.20.30.20**.  This is the IP address belonging to the VPN Tunnel network defined previously and assigned to the user concerned.
+  * Source:  **Single host or alias** **10.20.30.69**.  This is the IP address belonging to the VPN Tunnel network defined previously and assigned to the user concerned.
   * Destination:  **LAN net**.
 <WRAP info>