[eduVPN-deploy] Fixed IP - ccd
François Kooman
fkooman at tuxed.net
Tue Jul 26 11:56:52 CEST 2022
On 25.07.22 15:40, Frank Weis wrote:
> Hi François,
Hi Frank!
> Reading your explanations, I think fixed IPs is probably not the best
> idea, so we are back in a scenario where something needs to happen when
> the tuple (username, clientIP) is known. Either automatically (the nasty
> way) by having eduVPN call a custom connect/disconnect script, or, by
> having trigger something like we do with 'our own' users. We would very
> much prefer to avoid the latter, as forcing the user to perform two
> different steps is a lot harder to communicate and support.
So, it seems you are set on modifying firewall rules *per user*, i.e.
having dynamic firewall changes on user connect / disconnect. I still
don't think this is a good idea, and having broader user groups with the
same access would be much better, simpler and more reliable. But yeah,
sometimes you want what you want ;-)
We do have something in the works that could be repurposed for your
case. This assumes that you already have a service, e.g. an HTTP service
that can be called (asynchronously) with User ID and VPN IPs to trigger
firewall changes.
https://todo.sr.ht/~eduvpn/server/82
So as soon as a VPN client calls the API on "/connect" (and WireGuard is
used) a callback could be triggered and call your HTTP service that then
in turn modifies the firewall. On the "/disconnect" API call, those
rules would be undone.
Do you have such a service? I guess you do for the "our own" users
scenario. This could potentially be used.
I'd like to avoid making our VPN service also a firewall management
system (as we prefer to service bulk usage scenarios). We *could* do
something like this, but that would be a separate project that is for
example based on firewalld and called through dbus or something.
What are your thoughts on this?
Regards,
François
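As an added illustration of the receiving side François describes (not code from eduVPN, and not the implementation tracked in the linked issue), the following Python sketch is a small HTTP callback service that accepts "/connect" and "/disconnect" events carrying a user ID and the client's VPN IPs. The payload shape (`user_id`, `vpn_ips`), the URL paths, the `X-Callback-Token` header and the `USER_POLICY` prefixes are all assumptions made for this example. The point it adds to the mail is the state-keeping a practitioner wants in such a service: it validates the addresses, remembers exactly which entries it added for a user so that a disconnect undoes only those, tolerates a duplicate connect (stale session) and an unknown disconnect, and rejects unauthenticated callers. The actual firewall backend (nft, or firewalld over dbus as the mail suggests) is a pluggable callable; the default only records operations so the example runs anywhere.

```python
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical access policy: destination prefixes each user may reach.
# Constructed for this example; a deployment would load it from its own source.
USER_POLICY = {
    "alice": ["192.0.2.0/24", "2001:db8:10::/64"],
    "bob": ["198.51.100.10/32"],
}

# Shared secret the VPN server must present on every callback (constructed placeholder).
CALLBACK_TOKEN = "replace-with-a-random-token"


def planned_entries(user_id, vpn_ips):
    """Return (src, dst) pairs to allow: each VPN address of the user paired with
    each policy prefix of the same address family. Raises ValueError on bad input."""
    entries = []
    for raw in vpn_ips:
        src = ipaddress.ip_address(raw)          # rejects anything that is not an IP
        for dst in USER_POLICY.get(user_id, []):
            net = ipaddress.ip_network(dst)
            if net.version == src.version:
                entries.append((str(src), str(net)))
    return entries


class FirewallSync:
    """Installs allow entries on connect and removes exactly those on disconnect.
    backend(action, src, dst) is where nft/firewalld calls would go; the default
    just records the operations so nothing touches a real firewall here."""

    def __init__(self, backend=None):
        self.ops = []
        self.backend = backend or (lambda action, src, dst: self.ops.append((action, src, dst)))
        self.active = {}   # user_id -> entries currently installed for that session

    def connect(self, user_id, vpn_ips):
        if user_id in self.active:       # duplicate connect: tear down the stale session first
            self.disconnect(user_id)
        entries = planned_entries(user_id, vpn_ips)
        for src, dst in entries:
            self.backend("add", src, dst)
        self.active[user_id] = entries
        return entries

    def disconnect(self, user_id):
        entries = self.active.pop(user_id, [])   # unknown user: nothing to undo
        for src, dst in entries:
            self.backend("remove", src, dst)
        return entries

    def handle(self, event, payload):
        """Dispatch one callback; the {"user_id": ..., "vpn_ips": [...]} shape is assumed."""
        user_id = str(payload["user_id"])
        if event == "connect":
            return self.connect(user_id, payload.get("vpn_ips", []))
        if event == "disconnect":
            return self.disconnect(user_id)
        raise ValueError(f"unknown event {event!r}")


SYNC = FirewallSync()


class CallbackHandler(BaseHTTPRequestHandler):
    """Minimal receiver: POST /connect or POST /disconnect with a JSON body."""

    def do_POST(self):
        if self.headers.get("X-Callback-Token") != CALLBACK_TOKEN:
            self.send_error(403)
            return
        event = self.path.strip("/")
        try:
            length = int(self.headers.get("Content-Length", 0))
            body = json.loads(self.rfile.read(length))
            result = SYNC.handle(event, body)
        except (ValueError, KeyError) as exc:
            self.send_error(400, str(exc))
            return
        out = json.dumps({"applied": result}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Bind to loopback only; the VPN server is expected to reach it locally or via a tunnel.
    HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()
```

Because the service keys its state on the user ID rather than on the address alone, a client that reconnects with a new VPN IP before its old disconnect arrives gets the old entries removed and the new ones added in one step, which is the kind of race that per-user rules make easy to get wrong.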