I'm involved in the setup of a demo/user lab environment comprising several racks of server kit. The idea is that potential hardware/software customers can be given a VPN account that will allow them into specific kit only. The main challenge is that the users can do whatever they want with the servers in terms of OS (Windows, Linux, ESXi, Xen...), so I believe isolating them to a specific VLAN, with their kit on the matching switch ports, is a possible solution.
I envisage using a bastion server to manage the VPN accounts and was looking at ClearOS because its GUI makes setup/access control easier for the lab techs to work with, but I can't see a way of configuring the VLAN control so that, for example, VPN user 1 is on VLAN 10 and VPN user 2 is on VLAN 15, etc.
I'm hoping to end up with a GUI-based setup where the work effort extends to setting up a user VPN account, specifying their target VLAN and making sure their target systems are connected to the relevant bank of switch ports. In essence, I'm hoping to avoid the need for regular editing of tons of iptables stuff, etc.
From some work I did a few years back, I also have it in my mind that a Mikrotik box with RouterOS might do this kind of thing, but I don't have one to play with right now.
I have asked this question over at the ClearOS forums, but ("crickets"), so does anyone here have experience with this type of setup? Any guidance or thoughts appreciated.
Thanks.
I am not familiar with ClearOS but with Mikrotik you can definitely do what you need.
Either by using its GUI (Winbox), its web interface (webfig) or a standard terminal (SSH/Telnet).
Since what you describe (each VPN user on their own VLAN) needs a few (repetitive) steps for every new user on the system, you could also use Mikrotik's API to manage what you need using your own workflow.
So you could write your own GUI (in PHP for example) and make it as simple as you want while in the background it may run 5-10 commands on Mikrotik that end users don't need or care to know about :)
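As an added illustration of the "5-10 commands per user" workflow the answer describes (this is example code, not the answerer's, ClearOS's or Mikrotik's own), the script below takes a lab user plus their VLAN ID and generates the RouterOS command batch that a small front end would push through the API: a VLAN interface on the rack trunk, a gateway address, an address pool, a PPP profile tied to that pool, the PPP secret, and two forward-chain firewall rules so the tenant's subnet can only reach its own VLAN. Everything lab-specific is an assumption made for the example: the trunk is `ether2`, VLAN N is mapped to the subnet `10.(N//256).(N%256).0/24`, the router takes `.1`, VPN clients get `.100`-`.200`, and the VPN is one of the PPP-based services (PPTP/L2TP/SSTP) that use `/ppp secret`. The script only emits the command strings so it runs offline; check the parameter names against the RouterOS version you deploy before wiring it to the API, and note that the firewall rules are appended in order, so place the drop after the accept (or use `place-before` if other forward rules already exist).

```python
"""Generate the per-user RouterOS command batch for a "one VPN user, one VLAN" demo lab.

Example code: the addressing scheme, interface names and profile naming are assumptions
for this illustration, not conventions from the original post or from RouterOS itself.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

TRUNK_INTERFACE = "ether2"          # assumed: tagged trunk towards the customer racks
POOL_FIRST, POOL_LAST = 100, 200    # assumed: host numbers handed to VPN clients in each VLAN subnet
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # keep names safe to embed in a command line


@dataclass(frozen=True)
class LabUser:
    username: str
    password: str
    vlan_id: int


def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """Map VLAN N to 10.(N//256).(N%256).0/24 so every VLAN gets a unique, predictable /24."""
    return ipaddress.IPv4Network(f"10.{vlan_id // 256}.{vlan_id % 256}.0/24")


def validate(user: LabUser, registry: dict[str, int]) -> None:
    """Reject anything that would collide with an existing tenant or produce a bad command."""
    if not NAME_RE.match(user.username):
        raise ValueError(f"unsafe or empty username: {user.username!r}")
    if not user.password:
        raise ValueError("password must not be empty")
    if not 1 <= user.vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of 802.1Q range: {user.vlan_id}")
    if user.username in registry:
        raise ValueError(f"user already exists: {user.username}")
    if user.vlan_id in registry.values():
        raise ValueError(f"VLAN {user.vlan_id} is already assigned to another user")


def routeros_commands(user: LabUser, registry: dict[str, int]) -> list[str]:
    """Return the ordered RouterOS commands that provision one isolated tenant.

    `registry` maps username -> vlan_id for users already provisioned; it is updated on success
    so the one-user-per-VLAN rule holds across calls.
    """
    validate(user, registry)
    net = vlan_subnet(user.vlan_id)
    gateway = net.network_address + 1
    pool_start = net.network_address + POOL_FIRST
    pool_end = net.network_address + POOL_LAST
    vlan_if = f"vlan{user.vlan_id}"
    pool = f"pool-{vlan_if}"
    profile = f"prof-{vlan_if}"

    cmds = [
        # VLAN sub-interface on the trunk; proxy-arp lets rack hosts reach the VPN client addresses
        f"/interface vlan add name={vlan_if} vlan-id={user.vlan_id} interface={TRUNK_INTERFACE} arp=proxy-arp",
        f"/ip address add address={gateway}/{net.prefixlen} interface={vlan_if}",
        f"/ip pool add name={pool} ranges={pool_start}-{pool_end}",
        # PPP clients land inside the VLAN subnet, so their traffic is routed straight to the racks
        f"/ppp profile add name={profile} local-address={gateway} remote-address={pool}",
        f"/ppp secret add name={user.username} password={user.password} service=any profile={profile}",
        # Isolation: the tenant subnet may only be forwarded into its own VLAN; everything else is dropped
        f'/ip firewall filter add chain=forward src-address={net} out-interface={vlan_if} action=accept comment="{user.username} to {vlan_if}"',
        f'/ip firewall filter add chain=forward src-address={net} action=drop comment="{user.username} isolation"',
    ]
    registry[user.username] = user.vlan_id
    return cmds


if __name__ == "__main__":
    provisioned: dict[str, int] = {}
    # Constructed sample tenant for a dry run; in practice the GUI supplies these values.
    for line in routeros_commands(LabUser("acme-lab", "change-me", 10), provisioned):
        print(line)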