Restrict VPN Access Using Filter Rules


Allowing VPN users onto your network brings decisions about what network resources should be available to them. All our VPN technologies include methods for sharing exported networks, but sometimes you need to be more concerned about restricting resources.

The principle of least privilege is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.

When you create a VPN route to an internal subnet, you are allowing all VPN users access to the resources on that shared network. However, you may not want each VPN user to have access to every server, service, or resource on that subnet.

Choosing the appropriate method

There are two places where you can create rules to restrict users: Filter Rules and Firewall application Rules. Filter Rules are useful for restricting based on layer-3 information: IP address, source interface (including the VPN interface), destination port, &c. They're also necessary to restrict traffic which is bypassed: traffic which the Firewall app can't see.

Firewall application Rules give you some layer-7 options to use instead of just IP address or interface: username, client country, and so forth. This method may be preferable in Zero Trust environments, as it leverages username/identity.


Using Filter Rules to restrict by IP or interface

Let's say you have a site-to-site tunnel where endpoint A is sharing its local network and endpoint B is sharing its local network If endpoint A does not want any of endpoint B's users to access a server addressed at, you would create the following Filter Rule:

  1. Head to ConfigNetwork > Filter Rules.

  2. Click the Add button to create a new rule.

  3. Use the conditions Source Address is and Destination Address is:

  4. Click Done and then Save to apply the new rule.

Restricting to a single endpoint

You can also use this approach to restrict traffic to a single endpoint, like a file server or a user's own workstation. For more details on this approach, please refer to this article: How can I restrict VPN users to a single server or subnet?



Using Firewall Rules to restrict by username

The process & logic used to create Firewall Rules is the same as outlined above, but you'll make your changes in Apps > Firewall > Rules instead.

Continuing the example above, let's say William's connection has the username william.smith.openvpn. We can use this username in place of his IP address and interface, since all OpenVPN-connected traffic will be associated with that username. The rule looks a little bit different but has the same result:

Was this article helpful?
2 out of 8 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk