Using CCD rules to manage untrusted devices in OpenVPN (was: Temporarily bring in external employees)

Hello everyone,
I don’t know if I’m in the right place in this forum, but I’ll “try” my luck.
We have IpFire as a firewall; we also have OpenVPN up and running, and it’s running great.
We have 2 Roadwarriors and a base with a Net-To-Net connection.
Unfortunately, we now have to integrate a few “private” devices (2 computers, private property) and now I’m looking for a way to somehow bring them into the network without endangering it.
My first approach was to make a VirtualBox that only has a secure “line” with our IpFire/OpenVpn connection. But it failed because I didn’t find anything useful on how to do that.
So I thought I’d ask you… the real specialists… how do you do it?
Maybe someone has a tip for me, would be very grateful!
Best regards

Welcome to our community.

I believe the simplest strategy to solve your problem revolves around OpenVPN configuration and IPFire’s firewall rules, helping you secure your network while incorporating these “private” devices.

A pivotal part of this strategy involves assigning static IP addresses to these non-trusted, private devices via OpenVPN. When these devices connect to your network, OpenVPN, with its client-specific configurations (also known as CCD directives), will always allocate the same IP address to each device. In other words, each private device will be consistently identifiable on your network, which simplifies network traffic management and security control.

Once you’ve assigned the static IPs, the next step is to design your firewall rules accordingly in IPFire. Firewall rules control the type and direction of network traffic that is permitted or denied. By identifying the static IP addresses of the private devices, you can create very precise rules that apply only to these devices. You might decide to restrict these devices to access only certain network resources or communicate via specific protocols or ports.

IPFire’s Web User Interface simplifies the process of creating and managing these rules, as you probably are already aware.

Remember that you can group any IP addresses together to assign common policies and manage the increasing complexity as more clients enter your network.
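To make the two steps above concrete, here is an added example (written for this thread, not taken from the poster's setup or from IPFire's own code) that generates the OpenVPN client-specific configuration and a matching allow-list of firewall rules for one untrusted device. Everything in it is assumed: the VPN pool 10.8.0.0/24, the CCD directory /etc/openvpn/ccd, the client name contractor-laptop-1, and the internal file server 192.168.1.20. OpenVPN reads the CCD file named after the certificate's Common Name, so the file name must match the CN exactly; the `ifconfig-push` syntax differs between `topology subnet` (address plus netmask) and the older `topology net30` (client address plus its /30 peer), and the helper checks that a net30 address is actually a valid client endpoint, which is a common mistake. The pinned address must also lie outside the server's dynamic pool so it cannot collide with a regular roadwarrior.

```python
"""Pin an untrusted OpenVPN client to a fixed address via CCD and build
allow-list firewall rules for that address.

Added example for the thread above; the paths, names and addresses below
are assumptions, not values from the original post or from IPFire.
"""
import ipaddress

VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed roadwarrior subnet
CCD_DIR = "/etc/openvpn/ccd"                   # assumed client-config-dir

# Lines the server config needs so that CCD files are honoured.
# 'ccd-exclusive' refuses any client that has no CCD file, so an unknown
# certificate cannot connect without an explicit entry.
SERVER_CONF_LINES = [
    f"client-config-dir {CCD_DIR}",
    "ccd-exclusive",
]


def net30_pair(client_ip):
    """Return (client, server_endpoint) for 'topology net30'.

    In net30 every client gets its own /30: the client uses the second
    host address (x.x.x.2 mod 4) and the server side of the tunnel is the
    first (x.x.x.1 mod 4). Anything else is rejected so we never push an
    address OpenVPN cannot bring up.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip not in VPN_NET:
        raise ValueError(f"{client_ip} is not inside {VPN_NET}")
    if int(ip) % 4 != 2:
        raise ValueError(f"{client_ip} is not a valid net30 client address")
    return str(ip), str(ip - 1)


def ccd_entry(common_name, client_ip, topology="subnet"):
    """Build the contents of the CCD file for one client certificate.

    The file lives at CCD_DIR/<CN>, where <CN> is the certificate's
    Common Name; the returned text is what goes inside it.
    """
    if topology == "subnet":
        line = f"ifconfig-push {client_ip} {VPN_NET.netmask}"
    elif topology == "net30":
        client, endpoint = net30_pair(client_ip)
        line = f"ifconfig-push {client} {endpoint}"
    else:
        raise ValueError(f"unknown topology {topology!r}")
    return f"# {CCD_DIR}/{common_name}\n{line}\n"


def firewall_rules(client_ip, allowed):
    """Return generic iptables FORWARD rules for one pinned client.

    'allowed' is a list of (destination, protocol, port) tuples. Each
    listed service gets an ACCEPT for new connections; everything else
    from this source is dropped. In IPFire the same policy is entered
    through the web interface's firewall rules; the iptables form is
    shown here only to make the intent explicit.
    """
    rules = []
    for dst, proto, port in allowed:
        rules.append(
            f"iptables -A FORWARD -s {client_ip}/32 -d {dst} "
            f"-p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    # Default deny for this source: anything not listed above is dropped.
    rules.append(f"iptables -A FORWARD -s {client_ip}/32 -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample: one private laptop, allowed only SMB to a file server.
    cn, ip = "contractor-laptop-1", "10.8.0.10"
    print("\n".join(SERVER_CONF_LINES))
    print(ccd_entry(cn, ip, topology="subnet"))
    print(ccd_entry(cn, ip, topology="net30"))
    print("\n".join(firewall_rules(ip, [("192.168.1.20", "tcp", 445)])))
```

Running the script prints the server-side directives, both forms of the CCD file and the rule set for the sample client; if the same address were handed to `net30_pair` with the wrong alignment (for example 10.8.0.11) it raises instead of emitting a configuration that OpenVPN would silently misbehave on.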