OpenVPN with MFA and Local Directory - firewall entry with username?

  • OpenVPN with MFA and Local Directory - firewall entry with username?

    I want to restrict the authenticated users (using local directory) on the OpenVPN interface so that they can only access their respective PC using RDP.
    I read this post and it says to add the firewall rule with the authenticated user. However, this only seems to work with the Directory Connector app configured.

    Is there a way to get the local directory users to show in the username option in the rules in the firewall app?

  • #2
    MFA is only local directory.



    Add MFA client configuration can be enabled to activate multi-factor authentication using a TOTP app. This feature uses the Local Directory users and requires each user to be configured with multi-factor authentication and paired with a TOTP app.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email [email protected]



    • #3
      I've got the MFA part working with the Local Directory users - it's the firewall rule per user that won't work with Local Directory users.



      • #4
        Originally posted by clilush:
        it's the firewall rule per user that won't work with Local Directory users.
        Please post a screen capture of the rule.



        • #5
          Originally posted by clilush:
          I've got the MFA part working with the Local Directory users - it's the firewall rule per user that won't work with Local Directory users.
          Don't use the directory user's name, use the OpenVPN client's name. The Firewall module won't use directory names without the Directory Connector module as far as I know.
          Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
          NexgenAppliances.com
          Phone: 866-794-8879 x201
          Email: [email protected]



          • #6
            I have the Directory Connector, but that only works with external sources (i.e. Active Directory), which unfortunately doesn't allow for use of the MFA option in OpenVPN.
            As for the OpenVPN client name in the firewall rules: I don't see that option. Could you elaborate on how to do this?



            • #7
              Originally posted by jcoffin:
              Please post a screen capture of the rule.
              Could be the rule itself. Could be rule ordering, too: only the first matched rule triggers. If there's something above this rule that'll catch that traffic, the higher-placed rule is taking precedence.

              Originally posted by clilush:
              As for the openVPN client name in the firewall rules - I don't see that option. Could you elaborate on how to do this?
              It's the value in the 'Client Name' tab in OpenVPN > Server > Remote Clients.

              [Image: ovpn client name.png]

              In the Firewall app itself, just use the condition Username.

              [Image: firewall rule.png]
              Last edited by gravenscroft; 09-07-2022, 11:20 AM.
              Græme Ravenscroft • Technical Marketing Engineer
              ('gram', like the unit of measurement)
              he/him
              Please don't reboot your NGFW.
              How can we make Arista ETM products better?



              • #8
                The firewall rule condition is username. In NGFW, username can be from multiple sources like AD or OpenVPN client name.



                • #9
                  Originally posted by jcoffin:
                  Please post a screen capture of the rule.
                  [Image: Firewall Rules.JPG]


                  Sorry for the delay - kept meaning to post it but the forum site wasn't working when I tried.
                  As you can see from the attached image, I've redacted actual usernames and computer names.

                  Rule ID 6 - VPN connections are restricted to RDP and DNS on the internal network.
                  Rule ID 7 - USER1 (created using the Local Directory app) is allowed access to their local PC and nothing else.
                  Rule ID 8 - USER2 (created using the Local Directory app) is allowed access to their local PC and nothing else.
                  Rule ID 9 - Block everything else (catch all)

                  Using this setup I can connect via the VPN as a local directory user. DNS requests are successful, but I can RDP to everything internally. As per the Rules 7 and 8, the user *should* be restricted to just one IP address.



                  • #10
                    Originally posted by clilush:
                    Rule ID 6 - VPN connections are restricted to RDP and DNS on the internal network.
                    Rule ID 7 - USER1 (created using the Local Directory app) is allowed access to their local PC and nothing else.
                    Rule ID 8 - USER2 (created using the Local Directory app) is allowed access to their local PC and nothing else.
                    Rule ID 9 - Block everything else (catch all)
                    Those rules look good except it appears rule 6 is trumping rules 7, 8, and 9. If you disable the first rule, what happens? Maybe remove the RDP port from rule one so only DNS is allowed. You may not even need that first rule since you're probably "Pushing DNS" in your OpenVPN group.
                    Last edited by MP715; 09-12-2022, 09:47 AM.



                    • #11
                      Originally posted by MP715:
                      Those rules look good except it appears rule 6 is trumping rules, 7, 8, and 9.
                      I wouldn't say trumping, in this case. A rule only triggers if all its conditions are met, so rule 6 only takes precedence over rules 7 or 8 in a very specific circumstance: DNS lookups or RDP connections from OpenVPN to devices on the internal interface. If the session in question doesn't meet all four criteria, the rule is skipped.

                      OP: What happened when you changed the value of the Username condition from the Local Directory username to the OpenVPN username?



                      • #12
                        Originally posted by gravenscroft:
                        I wouldn't say trumping, in this case. A rule only triggers if all its conditions are met, so rule 6 only takes precedence over rules 7 or 8 in a very specific circumstance: DNS lookups or RDP connections from OpenVPN to devices on the internal interface. If the session in question doesn't meet all four criteria, the rule is skipped.

                        OP: What happened when you changed the value of the Username condition from the Local Directory username to the OpenVPN username?
                        Yup. That was essentially the issue. I was mis-reading every post/document and kept trying to put a literal username in that box which in this case I was focused on the Local Directory usernames that I had created.

                        The end result was:
                        1) Create a "block all" rule using Source Interface=OpenVPN, Destination Interface=Internal and keep it at the bottom.
                        2) Above the "block all", I created VERY EXPLICIT allow rules per user as such:
                        "Source Interface=OpenVPN, Destination Interface=Internal, Username=<name of vpn client>, Destination address=<ip address of workstation>, Destination port=3389" --> Pass, Flag

                        It now works flawlessly. I'd say my biggest hurdle was getting over the misconception that the "Username" condition in the firewall rules was literally a user. Also, the "Pass" conditions needed to be more explicit (i.e. include the port number).



                        • #13
                          The rules are matched in order, top to bottom. Rules work on first match: once a rule matches, rule matching exits.

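The first-match behaviour spelled out in #13, applied to the rule sets from #9 and #12, as an added example that is not part of this thread and not code from the NGFW product. It is a small Python model of the semantics the posters describe: a session carries its interfaces, destination, port and a username attribute (assumed here to be the OpenVPN client name, as #7 and #8 state for VPN sessions); rules are checked top to bottom, a rule fires only when every one of its conditions holds, the first hit decides, and a session that matches no rule is passed (an assumed default). Client names, rule numbers in the fixed set and workstation addresses are constructed.

```python
"""First-match firewall rule evaluator.

Added illustration of the rule semantics discussed in this thread; not
NGFW code. Assumptions: a session's 'username' is the OpenVPN client
name for VPN sessions (posts #7/#8); rules are checked top to bottom,
fire only when ALL conditions match, and the first hit decides (post
#13); a session matching no rule is passed (assumed default).
Addresses and client names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    src_intf: str
    dst_intf: str
    username: Optional[str]   # OpenVPN client name for VPN sessions (assumption)
    dst_addr: str
    dst_port: int


@dataclass
class Rule:
    rule_id: int
    action: str               # "PASS" or "BLOCK"
    conditions: dict          # session field -> required value, or a set of values

    def matches(self, s: Session) -> bool:
        # Every condition must hold; a single mismatch skips the rule.
        for fld, want in self.conditions.items():
            have = getattr(s, fld)
            if isinstance(want, (set, frozenset)):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True


def evaluate(rules, session, default="PASS"):
    """Return (action, rule_id) for the first matching rule, else (default, None)."""
    for r in rules:
        if r.matches(session):
            return r.action, r.rule_id
    return default, None


VPN_TO_LAN = {"src_intf": "OpenVPN", "dst_intf": "Internal"}


def original_rules(user_to_pc):
    """Rule set from post #9: rule 6 passes RDP and DNS from OpenVPN to any
    Internal host, then per-user PASS rules (no port), then a catch-all block."""
    rules = [Rule(6, "PASS", {**VPN_TO_LAN, "dst_port": {53, 3389}})]
    rid = 7
    for name, pc in user_to_pc.items():
        rules.append(Rule(rid, "PASS", {**VPN_TO_LAN, "username": name, "dst_addr": pc}))
        rid += 1
    rules.append(Rule(rid, "BLOCK", dict(VPN_TO_LAN)))
    return rules


def fixed_rules(user_to_pc):
    """Rule set from post #12: explicit per-user PASS rules (client name,
    workstation address, port 3389) above a block-all for OpenVPN -> Internal."""
    rules = []
    rid = 1
    for name, pc in user_to_pc.items():
        rules.append(Rule(rid, "PASS", {**VPN_TO_LAN, "username": name,
                                        "dst_addr": pc, "dst_port": 3389}))
        rid += 1
    rules.append(Rule(rid, "BLOCK", dict(VPN_TO_LAN)))
    return rules


# Constructed data: OpenVPN client names and the one workstation each may reach.
CLIENT_PCS = {"user1-laptop": "10.0.0.11", "user2-laptop": "10.0.0.12"}


def rdp(client, target):
    """An RDP session from an OpenVPN client to an Internal address."""
    return Session("OpenVPN", "Internal", client, target, 3389)


if __name__ == "__main__":
    # Original ordering: rule 6 catches every RDP session before rules 7-9
    # are consulted, so user1 reaches user2's PC -> ('PASS', 6).
    print(evaluate(original_rules(CLIENT_PCS), rdp("user1-laptop", "10.0.0.12")))
    # Corrected set: the same session falls through to the block-all.
    print(evaluate(fixed_rules(CLIENT_PCS), rdp("user1-laptop", "10.0.0.12")))
    # Rules keyed on the Local Directory login instead of the client name
    # never match a VPN session, so even user1's own PC is blocked.
    print(evaluate(fixed_rules({"user1": "10.0.0.11"}), rdp("user1-laptop", "10.0.0.11")))
```

The third call reproduces the OP's original symptom from a different angle: with a username value that no session ever carries, the per-user PASS rule is dead and only the block-all is reachable, which is why checking the rule's Username value against the Client Name column in OpenVPN > Server > Remote Clients is the first thing to verify.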
