Creating a VPN That Maps Users to VLANs

Tags: ip, linux, openvpn, vlan, vpn

I want to setup a VPN server that puts each user into a different VLAN.

I've got a network with about 200 users in which each user is in a separate VLAN with his own /27 IPv4 network. Which user belongs in which VLAN is determined by an LDAP server which also provides authentication. I've got a Freeradius server as well which could do authentication. I've got a REST API for getting the VLAN id for a given username, if that helps. A single DHCP server runs for all users.

I want to create a VPN server that allows every user to log in from the internet. The user should then be put into his VLAN and (hopefully without further configuration) get an IP address within his own /27 network from the DHCP server.

My router, VPN, LDAP/Freeradius, and DHCP run each on separate Debian virtual machines.

I've tried to solve this with an OpenVPN server but failed so far to map users to VLANs. (AFAIK I can only configure a single server-side interface.)

How can I achieve this?

Bonus question: Would it be different for IPv6?
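One way to do the per-user mapping inside OpenVPN itself, as an added example that is not part of the question or of any answer on this page: OpenVPN 2.5 and later can tag client frames in tap mode, and the `vlan-pvid` directive may be set per client from a `--client-connect` hook. The hook below looks up the user's VLAN id and writes exactly one validated directive into the client-specific config file OpenVPN hands it. The server-side sketch in the header comment, the `VLAN_API_URL` endpoint shape, and the `alice`/`bob` table are assumptions (the asker's REST API is not described), and the VLAN directives should be checked against the manual of the OpenVPN version actually installed.

```shell
#!/bin/bash
# Added example, not the asker's or OpenVPN's own code. Assumes OpenVPN 2.5+
# in tap mode, with the server's tap interface bridged into a trunk port so
# the single DHCP server answers on each VLAN. Server-side sketch (an
# assumption; verify against your OpenVPN manual):
#   dev tap0
#   vlan-tagging
#   script-security 2
#   client-connect /etc/openvpn/vlan-connect.sh
set -eu

# Usernames come from the client; restrict them to a safe character set
# before they are used in a URL or anywhere else.
valid_user() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Only a bare 802.1Q id (1-4094) may reach the config file. An empty body,
# an error page or "101<newline>push ..." from a misbehaving API must fail here,
# because everything written to that file is parsed as OpenVPN directives.
valid_vlan() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# VLAN_API_URL is a hypothetical endpoint returning the id as plain text.
# When it is unset, a constructed table is used so the script runs offline.
vlan_lookup() {
  local user="$1"
  if [ -n "${VLAN_API_URL:-}" ]; then
    curl -fsS --max-time 5 "${VLAN_API_URL}/${user}"
  else
    case "$user" in
      alice) echo 101 ;;
      bob)   echo 102 ;;
      *)     return 1 ;;
    esac
  fi
}

# $1 = username, $2 = path of the client-specific config file that OpenVPN
# passes as the hook's first argument. A non-zero return rejects the client,
# so a user with no valid VLAN never gets an untagged port into the trunk.
write_ccd() {
  local user="$1" ccd="$2" vid
  valid_user "$user" || return 1
  vid=$(vlan_lookup "$user") || return 1
  valid_vlan "$vid" || return 1
  printf 'vlan-pvid %s\n' "$vid" > "$ccd"
}

# When OpenVPN runs this hook, $1 is the temp config file and the
# authenticated user is in $username (or $common_name when the server uses
# --username-as-common-name). With no arguments, only the functions are defined.
if [ $# -ge 1 ]; then
  write_ccd "${username:-${common_name:-}}" "$1"
fi
```

The validation steps are the point: the hook is a trust boundary between a lookup service and a config parser, and rejecting the client on any doubt is the safe default.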

Best Answer

The users should not see each other; this provides identification and access control within the network. The VLANs are already in use, e.g. for WLAN access.

To answer that need, please use a firewall or a firewall appliance that allows isolation for each VPN user. Often those firewalls will have the VPN users land inside their own VLAN; even if isolated from each other, they will be isolated from all other VLANs too if no allow rules are present.

So if the VPN user needs to access only a terminal server, then you create a rule to allow only port 3389 from that VLAN for that VPN user.
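What that rule looks like on the router VM, as an added example that is not part of the answer: an nftables forward chain with a default drop policy, so every VPN VLAN is cut off from every other VLAN unless an allow rule exists, plus one allow rule per VPN VLAN towards the terminal server on TCP/3389. The interface naming `vlan<ID>`, the table name and the terminal server address are assumptions; dropped packets are logged so unexpected lateral traffic shows up in the router's logs.

```shell
#!/bin/bash
# Added example, not the answerer's own configuration. Generates (and
# optionally applies) an nftables ruleset on the router VM that forwards
# only TCP/3389 from the listed VPN VLANs to the terminal server.
set -eu

# $1 = terminal server IPv4 (assumed address), remaining args = VLAN ids of
# VPN users. Prints the ruleset on stdout; returns 1 on malformed input.
build_ruleset() {
  local ts="$1"; shift
  case "$ts" in
    ''|*[!0-9.]*) echo "bad address: $ts" >&2; return 1 ;;
  esac
  local vid
  for vid in "$@"; do
    case "$vid" in
      ''|*[!0-9]*) echo "bad vlan id: $vid" >&2; return 1 ;;
    esac
  done

  echo 'table inet vpn_isolation {'
  echo '  chain forward {'
  # Default deny: any VLAN not explicitly allowed is isolated from all others.
  echo '    type filter hook forward priority filter; policy drop;'
  echo '    ct state established,related accept'
  echo '    ct state invalid drop'
  # One allow rule per VPN VLAN: only new connections to the terminal server.
  for vid in "$@"; do
    echo "    iifname \"vlan$vid\" ip daddr $ts tcp dport 3389 ct state new accept"
  done
  # Log what the policy drops, so lateral movement attempts are visible.
  echo '    log prefix "vpn-vlan drop: " counter drop'
  echo '  }'
  echo '}'
}

# Load the ruleset into the kernel (requires root and the nft binary).
apply_ruleset() {
  build_ruleset "$@" | nft -f -
}

# Example: print the ruleset for VLANs 101 and 102 towards 10.20.0.5
# (constructed values). Run "apply_ruleset 10.20.0.5 101 102" to install it.
if [ $# -ge 1 ]; then
  build_ruleset "$@"
fi
```

Users inside the same VLAN never cross the router, so isolation between them is a job for the VPN server (do not enable `client-to-client`) or the switch, not for this chain.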
