
How to create a VPN that maps each user into their own VLAN? [Resolved]

I want to set up a VPN server that puts each user into a different VLAN.

I've got a network with about 200 users in which each user is in a separate VLAN with his own /27 IPv4 network. Which user belongs to which VLAN is determined by an LDAP server, which also provides authentication. I've got a FreeRADIUS server as well which could do authentication. I've got a REST API for getting the VLAN ID for a given username, if that helps. A single DHCP server runs for all users.

I want to create a VPN server that allows every user to log in from the internet. The user should then be put into his VLAN and (hopefully without further configuration) get an IP address within his own /27 network from the DHCP server.

My router, VPN, LDAP/FreeRADIUS, and DHCP each run on separate Debian virtual machines.

I've tried to solve this with an OpenVPN server but have failed so far to map users to VLANs. (AFAIK I can only configure a single server-side interface.)

How can I achieve this?

Bonus question: Would it be different for IPv6?

Question Credit: betanummeric
Asked June 14, 2019
Posted Under: Network
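One way to wire the username-to-VLAN lookup the question describes into OpenVPN, as an added example that is not part of the original post or of OpenVPN's own code. It assumes an OpenVPN 2.5 or later server running in tap mode with `vlan-tagging` enabled, so that a per-client `vlan-pvid` line written by a `client-connect` script pins that session to one 802.1Q VLAN; it also assumes a hypothetical REST endpoint (`https://vlanapi.example.internal/vlan/<user>`, returning `{"vlan": <int>}`), since the question mentions such an API but not its shape. The script validates the username before it reaches the URL or the generated config line, checks the returned ID is a legal VLAN number, and exits non-zero on any failure so that OpenVPN rejects the client rather than dropping it into a default VLAN.

```python
#!/usr/bin/env python3
"""OpenVPN client-connect hook: look up a user's VLAN and pin the session to it.

Added example, not from the original post. Assumptions (all hypothetical):
  * OpenVPN >= 2.5, tap mode, `vlan-tagging` set in the server config, so a
    per-client `vlan-pvid N` line emitted here applies to this session only.
  * GET https://vlanapi.example.internal/vlan/<user> returns {"vlan": <int>}.
OpenVPN runs the script as `script <tmpfile>` with the authenticated username
in the `username` (auth-user-pass) or `common_name` (certificate) environment
variable; whatever is written to <tmpfile> becomes client-specific config.
A non-zero exit code makes OpenVPN reject the client (fail closed).
"""
import json
import os
import re
import sys
import urllib.request

VLAN_API = "https://vlanapi.example.internal/vlan/"   # hypothetical endpoint
# Only plain account names: nothing that could alter the request path or the
# config line we hand back to OpenVPN.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def fetch_vlan_json(username):
    """Default fetcher: real HTTPS call to the (assumed) REST API."""
    with urllib.request.urlopen(VLAN_API + username, timeout=5) as resp:
        return resp.read().decode()


def vlan_for_user(username, fetch=fetch_vlan_json):
    """Return the VLAN ID for username, or None if it cannot be trusted.

    `fetch` is injectable so the validation logic can be exercised offline.
    """
    if not USERNAME_RE.match(username):
        return None
    try:
        data = json.loads(fetch(username))
        vlan = int(data["vlan"])
    except (ValueError, KeyError, TypeError, OSError):
        # Malformed reply, missing key, wrong type, or network error: no VLAN.
        return None
    # 802.1Q VLAN IDs are 1..4094; 0 and 4095 are reserved.
    if not 1 <= vlan <= 4094:
        return None
    return vlan


def render_client_config(vlan):
    """The client-specific config OpenVPN applies to this session."""
    return f"vlan-pvid {vlan}\n"


def main(argv):
    user = os.environ.get("username") or os.environ.get("common_name", "")
    vlan = vlan_for_user(user)
    if vlan is None:
        print(f"VLAN lookup failed for {user!r}; rejecting client", file=sys.stderr)
        return 1
    with open(argv[1], "w") as f:
        f.write(render_client_config(vlan))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it with `client-connect /etc/openvpn/vlan-connect.py` and `script-security 2` in the server config. The DHCP half of the question is not solved by this script alone: the tap interface still has to be bridged onto the trunk that carries the per-user VLANs so the client's DHCP request reaches the existing DHCP server on its own VLAN.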
2 Answers

The users should not see each other, it provides identification and access control within the network. The VLANs are already in use for e.g. wlan access.

To answer that need, please use a firewall or a firewall appliance that allows isolation for each VPN user. Often those firewalls will put the VPN users inside their own VLAN; even though they are isolated from each other, they will be isolated from all other VLANs too if no allow rules are present.

So if the VPN user needs to access only a terminal server, then you create a rule to allow only port 3389 from that VLAN for that VPN user.

credit: yagmoth555
Answered June 14, 2019

I think your process will be somewhat complicated, and I think this is not a standard way of doing this.

Generally a VPN is used for access from the internet, and for that you can use a firewall or VPN firewall. I have experience with FortiGate firewalls, and with FortiGate you can create IP pools for users. But your requirement is to provide an internal VLAN IP to the user. However, you can allow users to access a specific VLAN via firewall policy. I think it will solve your problem.

credit: serverAdmin123
Answered June 14, 2019