Vyatta Network OS Documentation


SSL-VPN access to a local service user

By default, no local service user is granted access to any SSL-VPN endpoint. Fine-grained access control is achieved by explicitly naming the service user, or group of service users, that is granted access to a given endpoint.

The following example shows how to create the alice and bob local service users and grant access for them to the vtunX OpenVPN interface.

Table 1. Granting the alice and bob service users access to the vtunX OpenVPN interface

Step                                        | Command
--------------------------------------------|--------------------------------------------------------------------------------------------
Configure the alice user with a password.   | vyatta@vyatta# set resources service-users local user alice auth plaintext-password foo
Configure the bob user with a password.     | vyatta@vyatta# set resources service-users local user bob auth plaintext-password bar
Configure an interface for alice.           | vyatta@vyatta# set interfaces openvpn vtunX auth local user alice
Configure an interface for bob.             | vyatta@vyatta# set interfaces openvpn vtunX auth local user bob
Commit the configuration.                   | vyatta@vyatta# commit

This configuration allows the alice and bob service users to authenticate themselves by using their usernames and passwords when connecting with the SSL-VPN client bundles.

To refuse bob any further access to the vtunX OpenVPN interface, you must delete the service-user reference in the OpenVPN vtunX interface configuration:

vyatta@vyatta# delete interfaces openvpn vtunX auth local user bob
vyatta@vyatta# commit

Note: The preceding configuration change does not terminate the existing SSL-VPN session of user bob on vtunX, nor does it interrupt any other existing SSL-VPN client connection.

To grant a group of service users SSL-VPN access to the vtunX OpenVPN interface, enter the following commands:

vyatta@vyatta# set resources service-users local group it-dep alice
vyatta@vyatta# set resources service-users local group it-dep bob
vyatta@vyatta# set interfaces openvpn vtunX auth local group it-dep
vyatta@vyatta# commit

The preceding configuration change assigns service users alice and bob to the it-dep group. All users of that group are granted access to the vtunX OpenVPN interface.

Note: A change to the group membership of an individual user takes effect as soon as the change is committed. An existing SSL-VPN connection of a service user who is removed from a group that has been granted access is not terminated; the change only rejects any further authentication attempts by that user against the vtunX OpenVPN service instance.
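Because access can be granted either per user or per group, reviewing who can actually authenticate on an interface means resolving group membership against the grants. The following is an added example, not part of the Vyatta documentation or the Vyatta NOS code: it reads configuration in the `set ...` command form shown in the table and in the group section above (the sample lines are constructed for illustration), computes the effective user set per OpenVPN interface, and simulates a `delete` so the before/after effect of revoking a user or a group grant can be compared. It assumes only the command paths shown on this page; how the CLI renders or validates these nodes internally is not modelled.

```python
"""Resolve effective SSL-VPN access from Vyatta-style `set` commands.

Added example (not Vyatta's own tooling): given configuration lines in the
`set ...` form, compute which local service users may authenticate on each
OpenVPN interface, directly or through a granted group. Also simulates a
`delete <path>` so the effect of a revocation can be checked before commit.
"""
from collections import defaultdict

# Constructed sample: the alice/bob users and the it-dep group from the
# page, a group grant on vtunX, and a direct user grant on a second
# interface vtunY (vtunY is an assumed name used only for illustration).
SAMPLE_CONFIG = """
set resources service-users local user alice auth plaintext-password foo
set resources service-users local user bob auth plaintext-password bar
set resources service-users local group it-dep alice
set resources service-users local group it-dep bob
set interfaces openvpn vtunX auth local group it-dep
set interfaces openvpn vtunY auth local user alice
"""


def parse_config(text):
    """Return (groups, direct, group_grants) from `set` lines.

    groups:       group name -> set of member user names
    direct:       interface -> set of user names granted directly
    group_grants: interface -> set of group names granted
    Lines that are not `set` commands, or that use other paths, are ignored.
    """
    groups = defaultdict(set)
    direct = defaultdict(set)
    group_grants = defaultdict(set)
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] != "set":
            continue
        w = words[1:]
        # set resources service-users local group <group> <member>
        if len(w) == 6 and w[:4] == ["resources", "service-users", "local", "group"]:
            groups[w[4]].add(w[5])
        # set interfaces openvpn <iface> auth local {user|group} <name>
        elif len(w) == 7 and w[:2] == ["interfaces", "openvpn"] and w[3:5] == ["auth", "local"]:
            if w[5] == "user":
                direct[w[2]].add(w[6])
            elif w[5] == "group":
                group_grants[w[2]].add(w[6])
    return dict(groups), dict(direct), dict(group_grants)


def effective_access(text):
    """Map each OpenVPN interface that has any grant to the sorted list of
    user names allowed to authenticate on it (direct grants plus the
    members of every granted group)."""
    groups, direct, group_grants = parse_config(text)
    result = {}
    for iface in set(direct) | set(group_grants):
        allowed = set(direct.get(iface, set()))
        for group in group_grants.get(iface, set()):
            allowed |= groups.get(group, set())
        result[iface] = sorted(allowed)
    return result


def apply_delete(text, delete_cmd):
    """Simulate `delete <path>` by dropping every `set` line whose path
    starts with <path>; returns the resulting configuration text."""
    words = delete_cmd.split()
    if not words or words[0] != "delete":
        raise ValueError("expected a 'delete ...' command")
    prefix = words[1:]
    kept = []
    for raw in text.splitlines():
        line = raw.split()
        if line and line[0] == "set" and line[1:1 + len(prefix)] == prefix:
            continue
        kept.append(raw)
    return "\n".join(kept)


if __name__ == "__main__":
    print("before:", effective_access(SAMPLE_CONFIG))
    # Drop bob from the it-dep group: bob loses vtunX, alice keeps it.
    revoked = apply_delete(SAMPLE_CONFIG,
                           "delete resources service-users local group it-dep bob")
    print("after :", effective_access(revoked))
```

As on the page, this only models which authentication attempts would be accepted after commit; it says nothing about sessions that are already established, which the notes above state are not terminated by such a change.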