Archives
/
opensense-docs
mirror of https://github.com/opnsense/docs
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Firewall/Aliases - Add "OpenVPN group" type, closes https://github.com/opnsense/core/issues/6312

Browse Source
pull/458/head
Ad Schellevis 1 year ago
parent 3877d1748f
commit 872bd4598a
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File

20
source/manual/aliases.rst
Unescape Escape View File

@ -59,6 +59,8 @@ OPNsense offers the following alias types:
| BGP ASN | Maps autonomous system (AS) numbers to networks |
| | where they are responsible for. |
+------------------+------------------------------------------------------+
| OpenVPN group | Map user groups to logged in OpenVPN users |
+------------------+------------------------------------------------------+
| Internal | Internal aliases which are managed by the product |
| (automatic) | |
+------------------+------------------------------------------------------+
@ -322,6 +324,24 @@ alias and add or remove entries immediately.
Since external alias types won't be touched by OPNsense, you can use :code:`pfctl` directly in scripts to manage
its contents. (e.g. :code:`pfctl -t MyAlias -T add 10.0.0.3` to add **10.0.0.3** to **MyAlias**)
....................................
OpenVPN group
....................................
This alias type offers the possibility to build firewall policies for logged in OpenVPN users by the group they belong to
as configured in :menuselection:`System --> Access --> Groups`.
The current users that are logged into OpenVPN can be inspected via :menuselection:`VPN --> OpenVPN --> Connection Status`, the alias
just follows this information and flushes the attached addresses to the item in question.
For example, when a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address
of :code:`10.10.10.2`, the alias containing "remote_users" would include this address as well.
.. Tip::
When using LDAP (Active directory), you can synchronise group membership to avoid double administration in OPNsense.
....................................
Internal (automatic)
....................................

Write Preview
Loading…
Cancel
Save