
How can I set up OpenVPN in conjunction with my firewall in such a way that my VPN users' traffic is DROPed by default to all network resources, and only ACCEPTed through the firewall if that user requires access to the specific resource?

I have an OpenVPN server running on an OPNsense firewall in our network. My understanding is that limiting the routes pushed to the VPN client by the VPN server (e.g. using route in server.conf) is not sufficient to limit access to the network as-needed, because the user can just add routes on their laptop after they connect.

To actually limit access to the network, we need to configure the firewall to ACCEPT packets going from a given VPN user to a given resource only as-needed, and default to DROP for everything else.

There are a few complexities with this:

  1. A firewall doesn't have a notion of what a "VPN user" is. As far as I know, it can only match based on source IP address.

  2. In fact, a "VPN user" could have multiple IP addresses, because we want our users to be able to connect to the VPN simultaneously with the same account from many devices (e.g. laptop, desktop, phone, tablet).

  3. Let's say we grow to 1,000+ VPN users, how do we manage all of this in a sane way?

What's the best way to limit access to our private network from our OpenVPN clients on an as-needed basis (following the principle of least privilege) using OPNsense in a way that scales?

Michael Altfield
  • How would the firewall know what resource a user needs access to? Today I need access to ServerA. Tomorrow I need access to ServerB. – joeqwerty Feb 18 '21 at 14:31
  • Your title at the org determines what servers you need access to (for ease of maintenance, some user -> group-defined-dest-subnets/IPs -> firewall mappings would be great, and are in-scope as part of this question). That shouldn't change day-to-day, but may change if you get a promotion. This question is about how to configure the firewall based on the user (source) not the destination (server). The server-side of the rules are easy because servers have static IPs set by the server, which we can trust. – Michael Altfield Feb 18 '21 at 14:45
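One way to build the user -> group -> destination mapping the question asks for, as an added example that is not part of the original post and not OPNsense's or OpenVPN's own code. It relies on three OpenVPN server facts: with script-security 2 the server runs the client-connect and client-disconnect hooks for every session, those hooks receive the account name as common_name and the assigned tunnel address as ifconfig_pool_remote_ip in the environment, and duplicate-cn lets one account hold several sessions (each with its own tunnel IP), which covers the multi-device case. The firewall side uses pf tables (OPNsense runs pf): the ruleset is default-deny on the VPN interface, with one pass rule per group and destination whose source is a table, and the hooks only add or remove a session's tunnel IP from its groups' tables. The group names, destinations, pool 10.8.0.0/24, interface name ovpns1 and the vpn_<group> table naming are all constructed assumptions.

```python
import ipaddress

# Constructed example policy (assumed, not from the question): account -> groups,
# group -> allowed (destination, proto, port). In a real deployment the account
# to group mapping would come from the directory / SSO group membership.
USER_GROUPS = {
    "alice": ["dev"],
    "bob": ["finance", "dev"],
}
GROUP_DESTINATIONS = {
    "dev": [("10.0.1.10", "tcp", 22), ("10.0.1.0/24", "tcp", 443)],
    "finance": [("10.0.2.20", "tcp", 5432)],
}
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")  # assumed OpenVPN address pool
VPN_IF = "ovpns1"                                  # assumed OPNsense OpenVPN interface


def table_name(group):
    """pf table holding the tunnel IPs of every live session of one group (assumed naming)."""
    return f"vpn_{group}"


def render_pf_rules():
    """Static part of the ruleset: block everything arriving on the VPN interface,
    then one pass rule per (group, destination) sourced from the group's table.
    Tables are empty until a session is admitted, so nothing is reachable by default."""
    lines = [f"table <{table_name(g)}> persist" for g in GROUP_DESTINATIONS]
    lines.append(f"block in log on {VPN_IF} all")
    for group, dests in GROUP_DESTINATIONS.items():
        for dst, proto, port in dests:
            lines.append(
                f"pass in quick on {VPN_IF} proto {proto} "
                f"from <{table_name(group)}> to {dst} port {port}"
            )
    return lines


def _tunnel_ip(env):
    """Validate the pool address OpenVPN assigned to this session."""
    ip = ipaddress.ip_address(env["ifconfig_pool_remote_ip"])
    if ip not in VPN_SUBNET:
        raise ValueError(f"{ip} is outside the VPN pool {VPN_SUBNET}")
    return str(ip)


def client_connect_commands(env):
    """Commands for the client-connect hook: add this session's tunnel IP to every
    group table its account belongs to. An unknown account yields no commands, so
    the default-deny rule keeps applying to it."""
    ip = _tunnel_ip(env)
    groups = USER_GROUPS.get(env["common_name"], [])
    return [f"pfctl -t {table_name(g)} -T add {ip}" for g in groups]


def client_disconnect_commands(env):
    """Mirror image for the client-disconnect hook: remove only this session's IP,
    so a reused pool address does not inherit the previous session's access and
    the account's other devices keep theirs."""
    ip = _tunnel_ip(env)
    groups = USER_GROUPS.get(env["common_name"], [])
    return [f"pfctl -t {table_name(g)} -T delete {ip}" for g in groups]


if __name__ == "__main__":
    print("\n".join(render_pf_rules()))
    # Constructed session: what OpenVPN would export for bob's second device.
    session = {"common_name": "bob", "ifconfig_pool_remote_ip": "10.8.0.9"}
    print("\n".join(client_connect_commands(session)))
    print("\n".join(client_disconnect_commands(session)))
```

The tunnel IP is a trustworthy key because the rules are bound to the VPN interface and OpenVPN's server mode drops tunnel packets whose source address is not the one it assigned to that client ("bad source address from client" in the log), so routes added on the laptop change nothing the firewall sees. Access changes become edits to the group mapping rather than to per-user rules, which is what keeps this manageable at 1,000+ users.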

0 Answers