Configuring VLANs with Viscosity to segment VPN traffic
Got a problem with Viscosity or need help? Ask here!
Hello,
I'm looking to configure Viscosity to handle VPN connections while using VLANs to segment traffic. My goal is to allow different groups of users (e.g. development and support teams) to have restricted and isolated access to certain resources over the VPN.
I've already configured VLANs on a Cisco switch, but I'm not sure how to integrate this configuration into Viscosity. Is there any way to define rules or scripts to associate OpenVPN configurations with specific VLANs?
Any help or configuration examples would be greatly appreciated!
Thanks in advance.
Hi gabin8207,
This is something that you'll need to handle on the OpenVPN server - it isn't something that you need to configure client side in Viscosity.
On the server you have a few options:
1. A simple approach is to have multiple OpenVPN server instances (for example, running on different port numbers), each routed/bridged to the desired VLAN interface. Your authentication script/plugin for each server should only allow the users with access to that particular VLAN to connect.
2. A more advanced approach is to have a single OpenVPN server instance, and then make use of the "client-config-dir" command to specify custom commands for different users so you can specify the correct VLAN ID for users (using the "vlan-pvid" command). The server should also be configured with the appropriate "vlan-tagging" and "vlan-accept" commands. You can find more information about how all this works in the OpenVPN 2.6 Reference Manual. A downside to this approach is that it's for TAP/bridged setups (not TUN/routed).
3. A highly advanced approach is to have a single OpenVPN server instance and then have dynamic routing and firewall policies on the server. To do this, you'd need a "client-connect" script to assign an IP address for the correct VLAN and add appropriate routing/firewall rules for that user/IP to allow access to the correct VLAN depending on their account, and then remove/adjust those rules when the user disconnects in a "client-disconnect" script. See the OpenVPN 2.6 Reference Manual for more information on how to use these commands.
If you're not running your own OpenVPN server setup, but are instead using a router/firewall/server product with OpenVPN server support (such as pfSense or OPNsense), then you'll probably want to reach out to the appropriate support staff for how to configure the device for OpenVPN VLAN support.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com
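As an added illustration of the third approach in the answer above (not code from the post, from Viscosity, or from the OpenVPN project), here is a minimal combined client-connect/client-disconnect script for a TUN server. It assumes the server runs it with `script-security 2`, that its FORWARD chain defaults to DROP, and that the CN-to-group map, VPN addresses and VLAN subnets are constructed placeholders kept outside the server's dynamic ifconfig-pool.

```python
#!/usr/bin/env python3
"""Per-group VLAN access for OpenVPN clients (constructed example).
Configure on the server:  client-connect /path/to/this.py  and  client-disconnect /path/to/this.py
"""
import ipaddress
import os
import subprocess
import sys

# Constructed: certificate common name -> (group, static VPN IP).  A real deployment
# would look this up in a directory or database rather than a literal.
USERS = {
    "alice-dev": ("dev", "10.8.10.10"),
    "bob-support": ("support", "10.8.20.10"),
}
# Constructed: VPN-side netmask and the VLAN network each group may reach.
GROUPS = {
    "dev": {"netmask": "255.255.255.0", "vlan_net": "192.168.10.0/24"},
    "support": {"netmask": "255.255.255.0", "vlan_net": "192.168.20.0/24"},
}

def lookup(common_name):
    """Return (group, vpn_ip) for a known CN, or None so the caller can refuse it."""
    entry = USERS.get(common_name)
    return entry if entry and entry[0] in GROUPS else None

def client_config_lines(common_name):
    """Directives written to the temp file OpenVPN passes as argv[1] on client-connect."""
    group, ip = lookup(common_name)
    net = ipaddress.ip_network(GROUPS[group]["vlan_net"])
    return [f"ifconfig-push {ip} {GROUPS[group]['netmask']}",
            f'push "route {net.network_address} {net.netmask}"']

def firewall_rules(action, vpn_ip, group):
    """iptables argv lists: '-I' on connect, the mirror-image '-D' on disconnect."""
    flag = "-I" if action == "add" else "-D"
    net = GROUPS[group]["vlan_net"]
    return [["iptables", flag, "FORWARD", "-s", vpn_ip, "-d", net, "-j", "ACCEPT"],
            ["iptables", flag, "FORWARD", "-s", net, "-d", vpn_ip,
             "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"]]

def main():
    entry = lookup(os.environ.get("common_name", ""))
    if entry is None:
        print("unknown client, refusing", file=sys.stderr)
        return 1  # non-zero exit from client-connect makes OpenVPN reject the client
    group, ip = entry
    if os.environ.get("script_type") == "client-connect":
        with open(sys.argv[1], "w") as f:
            f.write("\n".join(client_config_lines(os.environ["common_name"])) + "\n")
        for cmd in firewall_rules("add", ip, group):
            subprocess.run(cmd, check=True)
    elif os.environ.get("script_type") == "client-disconnect":
        for cmd in firewall_rules("delete", ip, group):
            subprocess.run(cmd, check=False)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

The disconnect path removes exactly the rules the connect path inserted, so a client that reconnects under a different group never keeps stale access.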