I am running a pfSense firewall (2.8.1-RELEASE, FreeBSD 15) hosted on a cloud VM. I have configured an OpenVPN server to allow remote users to connect from multiple geographically distributed sites.
Each user group consists of multiple PCs, and they connect using the same VPN credentials. I need to ensure that:
- Multiple devices can connect simultaneously using the same VPN user account
- Each user group is restricted to accessing only their assigned server
- Each user group should ideally have a fixed VPN IP for firewall rules
- Different user groups should not access each other’s database servers
Current Setup
- pfSense OpenVPN server (remote access mode)
- Multiple user groups (each group shares one VPN account across multiple machines)
- Backend infrastructure consists of several database servers distributed across different subnets
- OpenVPN tunnel network configured
- “Allow multiple concurrent connections from same user” is enabled
- Firewall rules are based on VPN IP addresses
Problem Description
I initially tried to implement per-user static IP assignment using Client Specific Overrides (CSO) in pfSense.
Example configuration:
- Assigned static tunnel IP using CSO with /32 mask.
- Created firewall aliases and rules based on these assigned IPs.
However, after applying CSO configuration:
VPN connections stopped working for some clients. Some users could not establish VPN tunnels at all, and when CSO was disabled, VPN started working normally again.
Is this the correct use of CSO? Is the tunnel network configuration incorrect? Or is there a better way to approach the per-user assignment?
What I need help with
- Correct way to assign static VPN IPs per user group in pfSense OpenVPN
- Whether CSO is appropriate when multiple devices share the same VPN user
- Correct tunnel network and subnet configuration for this setup
- Best practice approach for enforcing firewall rules per user group
- Whether there is a better alternative (e.g., CCD, RADIUS, or subnet design)
Additional Constraints
- Each user group must be able to connect multiple devices simultaneously
- Firewall rules must strictly isolate server access per user group
- Solution must scale for a large number of user groups (80+), and each group has more than 2 PCs connected at the same time.
- Setup is hosted in a cloud-based pfSense instance