How to create a VPN that maps users into VLANs each?

How to create a VPN that maps users into VLANs each? – A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack: an ordered selection of software that makes it possible to complete a particular task. The question in this post, how to create a VPN that maps each user into a VLAN, is one server-stack problem that needed a solution. Below are some tips for managing your Linux server when you run into a problem involving linux, vpn, openvpn, ip, or vlan.

I want to setup a VPN server that puts each user into a different VLAN.

I’ve got a network with about 200 users in which each user is in a separate VLAN with his own /27 IPv4 network. Which user belongs in which VLAN is determined by an LDAP server, which also provides authentication. I’ve got a FreeRADIUS server as well which could do authentication. I’ve got a REST API for getting the VLAN id for a given username, if that helps. A single DHCP server runs for all users.

I want to create a VPN server that allows every user to login from the internet. The user should then be put into his VLAN and (hopefully without further configuration) get an IP address within his own /27-network from the DHCP server.

My router, VPN, LDAP/Freeradius, and DHCP run each on separate Debian virtual machines.

I’ve tried to solve this with an OpenVPN server but failed so far to map users to VLANs. (afaik I can only configure a single server-side interface)

How can I achieve this?

Bonus question: Would it be different for IPv6?

The users should not see each other; it provides identification and access control within the network. The VLANs are already in use for e.g. WLAN access.
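The poster's blocker is that OpenVPN appears to offer only one server-side interface, while the VLAN id for a user is available from a REST API. One way to bridge that gap, shown here as an added example that is not code from the thread or from the OpenVPN project, is a `client-connect` hook that looks up the VLAN for the authenticated user and writes a per-client directive into the temporary client-config file OpenVPN passes to such scripts. The example assumes an OpenVPN 2.5 or later server running in tap mode with `vlan-tagging` enabled, so that a per-client `vlan-pvid` directive places that client's virtual port into a VLAN; it also assumes OpenVPN exports the authenticated account name in the `username` (or `common_name`) environment variable. The REST API is replaced by a constructed in-memory table so the script runs offline; the lookup is fail-closed, so an unknown user or an out-of-range VLAN id rejects the session instead of dropping the user into a default network.

```python
#!/usr/bin/env python3
"""Hypothetical OpenVPN client-connect hook (added example, not from the thread).

Assumptions, stated as such:
  * OpenVPN >= 2.5 in tap mode with `vlan-tagging`, so a per-client
    `vlan-pvid` directive assigns that client's port to one VLAN.
  * OpenVPN runs this script as `client-connect`, exporting the
    authenticated user in $username (or $common_name) and passing the
    path of a temporary client-config file as the last argument.
  * The poster's REST API is replaced by a constructed in-memory table.
"""
import os
import re
import sys

# Constructed stand-in for the REST API "username -> VLAN id" lookup.
CONSTRUCTED_VLAN_TABLE = {
    "alice": 101,
    "bob": 102,
    "carol": 4000,   # constructed edge case: valid id near the top of the range
}

# Only plain account names are accepted as lookup keys (hypothetical policy),
# so nothing odd from the auth layer ends up in a config file or a URL.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def lookup_vlan(username, table=CONSTRUCTED_VLAN_TABLE):
    """Return the VLAN id for `username`, or None if unknown or invalid.

    In production this is where the REST call would go; any failure maps
    to None so the caller denies the session (fail closed)."""
    if not USERNAME_RE.match(username or ""):
        return None
    vlan = table.get(username)
    # 802.1Q VIDs 1..4094 are usable; 0 (priority tag) and 4095 are reserved.
    if isinstance(vlan, int) and 1 <= vlan <= 4094:
        return vlan
    return None


def render_client_config(vlan):
    """Directive written into the per-client config file OpenVPN hands us."""
    return "vlan-pvid %d\n" % vlan


def handle_connect(username, table=CONSTRUCTED_VLAN_TABLE):
    """Decide for one connecting user.

    Returns (exit_code, config_text): exit code 0 accepts the client with
    config_text applied; a non-zero exit code tells OpenVPN to reject it."""
    vlan = lookup_vlan(username, table)
    if vlan is None:
        return 1, ""
    return 0, render_client_config(vlan)


def main(argv):
    user = os.environ.get("username") or os.environ.get("common_name", "")
    code, text = handle_connect(user)
    if code == 0 and argv[1:]:
        # OpenVPN supplies the temp file path as the last argument (assumed).
        with open(argv[-1], "w") as fh:
            fh.write(text)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the client's frames leave the tap bridge tagged with the user's VLAN, the existing per-VLAN DHCP scope can hand out an address from that user's /27 without any VPN-side address pool, which is the "hopefully without further configuration" part of the question; the `vlan-tagging` and `vlan-pvid` behaviour above is an assumption about the OpenVPN 2.5 feature set, so check it against the server's own manual page before relying on it. Logging each accept and reject decision with the username and chosen VLAN is the natural place to detect mapping gaps, since a rejected session shows up as a failed connect rather than a silent landing in the wrong network.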

To answer that need, please use a firewall or a firewall appliance that allows isolation for each VPN user. Often those firewalls will place the VPN users inside their own VLAN; even if isolated from each other, they will also be isolated from all other VLANs if no allow rule is present.

So if the VPN user needs to access only a terminal server, then you create a rule to allow only port 3389 from that VLAN for that VPN user.

I think your process will be somewhat complicated, and I think this is not a standard way of doing this.

Generally a VPN is used for access from the internet, and for that you can use a firewall or a VPN firewall. I have experience with the FortiGate firewall, and with FortiGate you can create IP pools for users. But your requirement is to provide an internal VLAN IP to the user. However, you can allow users to access a specific VLAN via a firewall policy. I think it will solve your problem.
