SSL-VPN access to a local service user
By default, no local service user is granted access to any SSL-VPN endpoint. Fine-grained access control is configured by explicitly naming the service user or group of service users that is granted access.
The following example shows how to create the alice and bob local service users and grant them access to the vtunX OpenVPN interface.
Configure the alice user with a password.
Configure the bob user with a password.
Configure an interface for alice.
Configure an interface for bob.
Commit the configuration.
This configuration allows the alice and bob service users to authenticate themselves by using their usernames and passwords when connecting with the SSL-VPN client bundles.
To refuse bob any further access to the vtunX OpenVPN interface, you must delete the service-user reference in the OpenVPN vtunX interface configuration:
vyatta@vyatta# delete interfaces openvpn vtunX auth local user bob
vyatta@vyatta# commit
To grant a group of multiple SSL-VPN service users access to the vtunX OpenVPN interface, enter the following commands:
vyatta@vyatta# set resources service-users local group it-dep alice
vyatta@vyatta# set resources service-users local group it-dep bob
vyatta@vyatta# set interfaces openvpn vtunX auth local group it-dep
vyatta@vyatta# commit
The preceding configuration change assigns service users alice and bob to the it-dep group. All users of that group are granted access to the vtunX OpenVPN interface.
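The following audit script is an added example, not part of the original documentation or the vendor's tooling. It resolves the user and group references shown above into the effective set of service users per OpenVPN interface, and shows that deleting bob's direct reference leaves him with access while he is still a member of a granted group. It assumes grants are additive, as the description of group access implies; the function names and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: set commands in the syntax used on this page.
SAMPLE = """\
set resources service-users local group it-dep alice
set resources service-users local group it-dep bob
set interfaces openvpn vtunX auth local user bob
set interfaces openvpn vtunX auth local group it-dep
"""

GROUP_RE = re.compile(r"^set resources service-users local group (\S+) (\S+)$")
GRANT_RE = re.compile(r"^set interfaces openvpn (\S+) auth local (user|group) (\S+)$")
PROMPT_RE = re.compile(r"^\S+@\S+#\s*")  # tolerate a pasted "vyatta@vyatta# " prompt


def effective_access(config_text):
    """Return {interface: {user: [grant sources]}} for local service users."""
    members = defaultdict(set)  # group name -> member users
    grants = []                 # (interface, "user" | "group", name)
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if m := GROUP_RE.match(line):
            members[m.group(1)].add(m.group(2))
        elif m := GRANT_RE.match(line):
            grants.append(m.groups())
    access = defaultdict(lambda: defaultdict(set))
    for iface, kind, name in grants:
        if kind == "user":
            access[iface][name].add("direct")
        else:
            # A granted group with no members contributes no users.
            for user in members.get(name, ()):
                access[iface][user].add("group:" + name)
    return {i: {u: sorted(s) for u, s in users.items()} for i, users in access.items()}


def apply_delete(config_text, delete_cmd):
    """Remove the single set line that an exact-path 'delete ...' command targets."""
    target = "set " + delete_cmd.split("delete ", 1)[1].strip()
    return "\n".join(l for l in config_text.splitlines() if l.strip() != target)


if __name__ == "__main__":
    print("before:", effective_access(SAMPLE))
    after = apply_delete(SAMPLE, "delete interfaces openvpn vtunX auth local user bob")
    print("after: ", effective_access(after))  # bob remains via group:it-dep
```

To fully revoke a user in this situation, the group membership line for that user has to be deleted as well.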