Page 1 of 2, results 1 to 10 of 13
  1. #1
    Newbie (Join Date: Feb 2017; Posts: 11)

    OpenVPN with MFA and Local Directory - firewall entry with username?

    I want to restrict the authenticated users (using local directory) on the OpenVPN interface so that they can only access their respective PC using RDP.
    I read this post and it says to add the firewall rule with the authenticated user. However, this only seems to work with the Directory Connector app configured.

    Is there a way to get the local directory users to show in the username option in the rules in the firewall app?

  2. #2
    jcoffin (Untangler; Join Date: Aug 2008; Location: Lake Tahoe; Posts: 9,756)

    MFA is only local directory.

    https://wiki.untangle.com/index.php/OpenVPN#Server

    Add MFA client configuration can be enabled to activate multi-factor authentication using a TOTP app. This feature uses the Local Directory users and requires each user to be configured with multi-factor authentication and paired with a TOTP app.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie (Join Date: Feb 2017; Posts: 11)

    I've got the MFA part working with the Local Directory users - it's the firewall rule per user that won't work with Local Directory users.

  4. #4
    jcoffin (Untangler; Join Date: Aug 2008; Location: Lake Tahoe; Posts: 9,756)

    Quote Originally Posted by clilush:
    it's the firewall rule per user that won't work with Local Directory users.
    Please post a screen capture of the rule.

  5. #5
    sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,542)

    Quote Originally Posted by clilush:
    I've got the MFA part working with the Local Directory users - it's the firewall rule per user that won't work with Local Directory users.
    Don't use the directory user's name, use the openVPN client's name. The Firewall module won't use directory names without the directory connector module as far as I know.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Newbie (Join Date: Feb 2017; Posts: 11)

    I have the Directory Connector, but that only works with external sources (ie: Active Directory) - which unfortunately doesn't allow for use of the MFA option in OpenVPN.
    As for the openVPN client name in the firewall rules - I don't see that option. Could you elaborate on how to do this?

  7. #7
    That Which Lurks Below (Join Date: Jul 2018; Posts: 134)

    Quote Originally Posted by jcoffin:
    Please post a screen capture of the rule.
    Could be the rule itself. Could be rule ordering, too: only the first matched rule triggers. If there's something above this rule that'll catch that traffic, the higher-placed rule is taking precedence.

    Quote Originally Posted by clilush:
    As for the openVPN client name in the firewall rules - I don't see that option. Could you elaborate on how to do this?
    It's the value in the 'Client Name' tab in OpenVPN > Server > Remote Clients.

    [attachment: ovpn client name.png]

    In the Firewall app itself, just use the condition Username.

    [attachment: firewall rule.png]
    Last edited by gravenscroft; 09-07-2022 at 11:20 AM.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?

  8. #8
    jcoffin (Untangler; Join Date: Aug 2008; Location: Lake Tahoe; Posts: 9,756)

    The firewall rule condition is username. In NGFW, username can be from multiple sources like AD or OpenVPN client name.

  9. #9
    Newbie (Join Date: Feb 2017; Posts: 11)

    Quote Originally Posted by jcoffin:
    Please post a screen capture of the rule.

    [attachment: Firewall Rules.JPG]

    Sorry for the delay - kept meaning to post it but the forum site wasn't working when I tried.
    As you can see from the attached image, I've redacted actual usernames and computer names.

    Rule ID 6 - VPN connections are restricted to RDP and DNS on the internal network.
    Rule ID 7 - USER1 (created using the Local Directory app) is allowed access to their local PC and nothing else.
    Rule ID 8 - USER2 (created using the Local Directory app) is allowed access to their local PC and nothing else.
    Rule ID 9 - Block everything else (catch all)

    Using this setup I can connect via the VPN as a local directory user. DNS requests are successful, but I can RDP to everything internally. As per the Rules 7 and 8, the user *should* be restricted to just one IP address.

  10. #10
    Untangler (Join Date: Jan 2021; Posts: 92)

    Quote Originally Posted by clilush (post #9 above, quoted in full):
    Those rules look good except it appears rule 6 is trumping rules 7, 8, and 9. If you disable the first rule, what happens? Maybe remove the RDP port from rule one so only DNS is allowed. You may not even need that first rule since you're probably "Pushing DNS" in your OpenVPN group.
    Last edited by MP715; 09-12-2022 at 09:47 AM.
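The diagnosis in posts #7 and #10 (only the first matching rule fires, and rule 6 sits above the per-user rules) can be reproduced without a firewall. The Python below is an added example, not Untangle's code and not anything posted in this thread: it models the four rules from post #9 with first-match semantics, matching the Username condition against the OpenVPN client name as posts #7 and #8 describe, and shows why the posted order lets any VPN user reach every internal PC over RDP while the reordered set (per-user rules first, rule 6 reduced to DNS) does not. Rule numbers follow the posts; the VPN pool, internal subnet, PC addresses and client names are constructed, and `Packet`, `Rule` and `evaluate()` are this example's own names.

```python
"""First-match firewall rule evaluation, modelled on the rule set in this thread.

Constructed example (not Untangle's code): rule numbers follow the posts, but the
VPN pool, internal subnet, PC addresses and client names are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

RDP = 3389
DNS = 53


@dataclass(frozen=True)
class Packet:
    src: str          # client address inside the VPN pool
    dst: str          # internal destination address
    dport: int        # destination port
    client_name: str  # OpenVPN client name; what the Firewall 'Username' condition sees


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "pass" or "block"
    description: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dst_ports: Optional[FrozenSet[int]] = None
    username: Optional[str] = None  # compared against the OpenVPN client name

    def matches(self, pkt: Packet) -> bool:
        """Every configured condition must hold; an unset condition matches anything."""
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.dst_ports is not None and pkt.dport not in self.dst_ports:
            return False
        if self.username is not None and pkt.client_name != self.username:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (rule_id, action) of the first rule that matches; later rules are never consulted.

    Assumption of this example: with no match at all the traffic passes, which is why
    the thread's catch-all block rule 9 matters."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.rule_id, rule.action
    return None, "pass"


# Constructed addresses; the thread redacted the real ones.
VPN_POOL = "10.8.0.0/24"
INTERNAL = "192.168.1.0/24"
USER1_PC = "192.168.1.10/32"
USER2_PC = "192.168.1.11/32"

RULE_7 = Rule(7, "pass", "USER1 to their own PC only", src_net=VPN_POOL,
              dst_net=USER1_PC, dst_ports=frozenset({RDP}), username="USER1")
RULE_8 = Rule(8, "pass", "USER2 to their own PC only", src_net=VPN_POOL,
              dst_net=USER2_PC, dst_ports=frozenset({RDP}), username="USER2")
RULE_9 = Rule(9, "block", "catch all")

# Order as posted in #9: a broad pass rule sits above the per-user rules, so it wins
# for every RDP flow from the VPN and rules 7/8/9 are never reached.
RULES_AS_POSTED = [
    Rule(6, "pass", "VPN to internal: RDP and DNS", src_net=VPN_POOL,
         dst_net=INTERNAL, dst_ports=frozenset({RDP, DNS})),
    RULE_7, RULE_8, RULE_9,
]

# Order following post #10's suggestion: per-user rules first, rule 6 reduced to DNS only.
RULES_REORDERED = [
    RULE_7, RULE_8,
    Rule(6, "pass", "VPN to internal: DNS only", src_net=VPN_POOL,
         dst_net=INTERNAL, dst_ports=frozenset({DNS})),
    RULE_9,
]


def demo() -> None:
    """Print the decision for USER1 reaching USER2's PC, their own PC, and DNS under both orders."""
    flows = {
        "USER1 -> USER2's PC, RDP": Packet("10.8.0.5", "192.168.1.11", RDP, "USER1"),
        "USER1 -> own PC, RDP":     Packet("10.8.0.5", "192.168.1.10", RDP, "USER1"),
        "USER1 -> DNS":             Packet("10.8.0.5", "192.168.1.1", DNS, "USER1"),
    }
    for label, rules in (("as posted", RULES_AS_POSTED), ("reordered", RULES_REORDERED)):
        for name, pkt in flows.items():
            rule_id, action = evaluate(rules, pkt)
            print(f"{label:10} {name:28} -> rule {rule_id}: {action}")


if __name__ == "__main__":
    demo()
```

Run it and the "as posted" column shows rule 6 passing all three flows, including the cross-user RDP that rules 7 and 8 were meant to stop; the "reordered" column passes only the user's own PC (rule 7) and DNS (rule 6), and rule 9 blocks the rest.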
