From 872bd4598aca853a081289e753f387313eefb523 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 1 Mar 2023 18:16:35 +0100 Subject: [PATCH] Firewall/Aliases - Add "OpenVPN group" type, closes https://github.com/opnsense/core/issues/6312 --- source/manual/aliases.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/source/manual/aliases.rst b/source/manual/aliases.rst index 91af8e2..5550ca2 100644 --- a/source/manual/aliases.rst +++ b/source/manual/aliases.rst @@ -59,6 +59,8 @@ OPNsense offers the following alias types: | BGP ASN | Maps autonomous system (AS) numbers to networks | | | where they are responsible for. | +------------------+------------------------------------------------------+ +| OpenVPN group | Map user groups to logged in OpenVPN users | ++------------------+------------------------------------------------------+ | Internal | Internal aliases which are managed by the product | | (automatic) | | +------------------+------------------------------------------------------+ 
@@ -322,6 +324,24 @@ alias and add or remove entries immediately. Since external alias types won't be touched by OPNsense, you can use :code:`pfctl` directly in scripts to manage its contents. (e.g. :code:`pfctl -t MyAlias -T add 10.0.0.3` to add **10.0.0.3** to **MyAlias**) + +.................................... +OpenVPN group +.................................... + +This alias type offers the possibility to build firewall policies for logged in OpenVPN users by the group they belong to +as configured in :menuselection:`System --> Access --> Groups`. + +The current users that are logged into OpenVPN can be inspected via :menuselection:`VPN --> OpenVPN --> Connection Status`, the alias +just follows this information and flushes the attached addresses to the item in question. + +For example, when a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address +of :code:`10.10.10.2`, the alias containing "remote_users" would include this address as well. + +.. Tip:: + + When using LDAP (Active directory), you can synchronise group membership to avoid double administration in OPNsense. + .................................... Internal (automatic) ....................................
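Review bot: in the first hunk, the new table row "Map user groups to logged in OpenVPN users" does not match the phrasing of the neighbouring rows (e.g. "Maps autonomous system (AS) numbers to networks") and leaves out what the alias actually resolves to; suggest "Maps user groups to the tunnel addresses of logged-in OpenVPN users" so the reader can tell from the table alone that the alias contents are addresses, not user names.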
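Review bot: in the second hunk, the new "OpenVPN group" section says the alias "just follows this information and flushes the attached addresses to the item in question" but does not document when that happens, and that is the detail someone building a group-based firewall policy needs: whether an address is removed as soon as a user disconnects, whether a newly connected user is matched immediately, and whether a change of group membership while a user stays logged in is picked up. Please state the refresh behaviour alongside the reference to :menuselection:`VPN --> OpenVPN --> Connection Status`. Two wording fixes in the same hunk: "when a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address" should read "who is a member of group **remote_users** logs into OpenVPN and receives a tunnel address", and in the Tip "Active directory" should be "Active Directory"; the Tip would also help more if it pointed at where in OPNsense the LDAP group synchronisation is configured rather than only mentioning that it is possible.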