Configuring VLANs with Viscosity to segment VPN traffic

Got a problem with Viscosity or need help? Ask here!

gabin8207

Posts: 1
Joined: Sun Nov 10, 2024 8:31 pm

Post by gabin8207 » Thu Nov 28, 2024 11:57 pm
Hello,

I'm looking to configure Viscosity to handle VPN connections while using VLANs to segment traffic. My goal is to allow different groups of users (e.g. development and support teams) to have restricted and isolated access to certain resources over the VPN.

I've already configured VLANs on a Cisco switch, but I'm not sure how to integrate this configuration into Viscosity. Is there any way to define rules or scripts to associate OpenVPN configurations with specific VLANs?

Any help or configuration examples would be greatly appreciated!

Thanks in advance.

James

Posts: 2372
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Nov 29, 2024 3:06 pm
Hi gabin8207,

This is something that you'll need to handle on the OpenVPN server - it isn't something that you need to configure client side in Viscosity.

On the server you have a few options:

1. A simple approach is to have multiple OpenVPN server instances (for example, running on different port numbers), each routed/bridged to the desired VLAN interface. Your authentication script/plugin for each server should only allow the users with access to that particular VLAN to connect.

2. A more advanced approach is to have a single OpenVPN server instance, and then make use of the "client-config-dir" command to specify custom commands for different users so you can specify the correct VLAN ID for users (using the "vlan-pvid" command). The server should also be configured with the appropriate "vlan-tagging" and "vlan-accept" commands. You can find more information about how all this works in the OpenVPN 2.6 Reference Manual. A downside to this approach is that it's for TAP/bridged setups (not TUN/routed).

3. A highly advanced approach is to have a single OpenVPN server instance and then have dynamic routing and firewall policies on the server. To do this, you'd need a "client-connect" script to assign an IP address for the correct VLAN and add appropriate routing/firewall rules for that user/IP to allow access to the correct VLAN depending on their account, and then remove/adjust those rules when the user disconnects in a "client-disconnect" script. See the OpenVPN 2.6 Reference Manual for more information on how to use these commands.

If you're not running your own OpenVPN server setup, but are instead using a router/firewall/server product with OpenVPN server support (such as pfSense or OPNsense), then you'll probably want to reach out to the appropriate support staff for how to configure the device for OpenVPN VLAN support.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com
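James's third option, as an added example that is not code from the thread or from SparkLabs: one POSIX shell script that OpenVPN runs as both the "client-connect" and "client-disconnect" hook. It assumes TUN mode with "topology subnet", a 10.8.0.0/16 VPN range, iptables on the server, and the user and VLAN tables embedded below, which are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the thread's own code). OpenVPN exports $common_name,
# $script_type and $ifconfig_pool_remote_ip to the hook and passes the
# client-config output file as the last argument on client-connect.
IPT="${IPT:-iptables}"
VPN_MASK="255.255.0.0"   # assumes "topology subnet" and server 10.8.0.0/16

# Constructed table (placeholder values): common_name group vpn_address
USERS="alice dev 10.8.10.11
bob dev 10.8.10.12
carol support 10.8.20.11"
# Constructed table (placeholder values): group vlan_network vlan_netmask
VLANS="dev 192.168.10.0 255.255.255.0
support 192.168.20.0 255.255.255.0"

# Print "group address" for a common name; non-zero exit if unknown.
lookup_user() {
    printf '%s\n' "$USERS" | awk -v cn="$1" '$1 == cn { print $2, $3; f = 1 } END { exit !f }'
}

# Print "network netmask" for a group; non-zero exit if unknown.
vlan_for_group() {
    printf '%s\n' "$VLANS" | awk -v g="$1" '$1 == g { print $2, $3; f = 1 } END { exit !f }'
}

# client-connect: write the address and VLAN route into $2, then open the
# firewall for that pair. A non-zero exit makes OpenVPN reject the client.
on_connect() {
    cn="$1"; out="$2"
    entry=$(lookup_user "$cn") || return 1
    set -- $entry; group="$1"; addr="$2"
    vlan=$(vlan_for_group "$group") || return 1
    set -- $vlan; net="$1"; mask="$2"
    printf 'ifconfig-push %s %s\npush "route %s %s"\n' "$addr" "$VPN_MASK" "$net" "$mask" > "$out"
    "$IPT" -I FORWARD -s "$addr" -d "$net/$mask" -j ACCEPT
}

# client-disconnect: remove the rule added above for the address the client had.
on_disconnect() {
    entry=$(lookup_user "$1") || return 0
    set -- "$2" $entry                       # -> addr group vpn_address
    vlan=$(vlan_for_group "$2") || return 0
    set -- "$1" $vlan                        # -> addr network netmask
    "$IPT" -D FORWARD -s "$1" -d "$2/$3" -j ACCEPT
}

case "${script_type:-}" in                   # OpenVPN sets this per hook
    client-connect)    on_connect "$common_name" "$1" ;;
    client-disconnect) on_disconnect "$common_name" "$ifconfig_pool_remote_ip" ;;
esac
```

Point both `client-connect` and `client-disconnect` in the server config at this file (with `script-security 2`), and keep the FORWARD chain's default policy at DROP so that the per-client ACCEPT rule is the only path into a VLAN.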