Restricting VPN Access Using Filter Rules or Firewall Rules
Overview
Allowing VPN users onto your network brings decisions about what network resources should be available to them. All our VPN technologies include methods for sharing exported networks, but sometimes you need to be more concerned about restricting resources.
The principle of least privilege is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.
When you create a VPN route to an internal subnet, you are allowing all VPN users access to the resources on that shared network. However, you may not want each VPN user to have access to every server, service, or resource on that subnet.
Choosing the appropriate method
There are two places where you can create rules to restrict users: Filter Rules and Firewall application Rules. Filter Rules are useful for restricting based on layer-3 information: IP address, source interface (including the VPN interface), destination port, etc. They are also necessary to restrict bypassed traffic, which the Firewall app cannot see.
Firewall application Rules give you layer-7 options beyond IP address or interface: username, client country, and so forth. This method may be preferable in Zero Trust environments, since it relies on username/identity rather than network location.
Using Filter Rules to restrict by IP or interface
Let's say you have a site-to-site tunnel where endpoint A is sharing its local network 192.168.102.0/24 and endpoint B is sharing its local network 10.10.0.0/16. If endpoint A does not want any of endpoint B's users to access a server addressed at 192.168.102.5, you would create the following Filter Rule:
- Head to Config > Network > Filter Rules.
- Click the Add button to create a new rule.
- Use the conditions Source Address is 10.10.0.0/16 and Destination Address is 192.168.102.5, with Block as the rule's action.
- Click Done and then Save to apply the new rule.
Restricting to a single endpoint
You can also use this approach to restrict traffic to a single endpoint, like a file server or a user's own workstation. For more details on this approach, please refer to this article: How can I restrict VPN users to a single server or subnet?
Using Firewall Rules to restrict by username
The process and logic used to create Firewall Rules are the same as outlined above, but you'll make your changes in Apps > Firewall > Rules instead.
Continuing the example above, let's say William's connection has the username william.smith.openvpn. We can use this username in place of his IP address and interface, since all traffic over his OpenVPN connection is associated with that username. The rule looks a little different but has the same result:
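As an added illustration (not code from this article or the product), the following Python model applies the two rule layers described above to a few constructed flows: the Filter Rule from the site-to-site example, matching on source subnet, destination address and VPN interface, and the username-based Firewall Rule for william.smith.openvpn. It assumes Filter Rules are evaluated before the Firewall app and that bypassed traffic skips the Firewall app entirely, as stated above; the interface name "OpenVPN" and the flow addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Flow:
    src: str                 # source IP address
    dst: str                 # destination IP address
    iface: str               # source interface, e.g. "OpenVPN" (assumed name)
    username: str = ""       # identity the Firewall app knows (assumed)
    bypassed: bool = False   # bypassed traffic never reaches the Firewall app

# Filter Rules: layer-3 conditions only (address, interface); they see every flow.
FILTER_RULES = [
    {"src": ipaddress.ip_network("10.10.0.0/16"), "iface": "OpenVPN",
     "dst": ipaddress.ip_network("192.168.102.5/32"), "action": "block"},
]
# Firewall app Rules: may match on username; evaluated only for non-bypassed flows.
FIREWALL_RULES = [
    {"username": "william.smith.openvpn",
     "dst": ipaddress.ip_network("192.168.102.5/32"), "action": "block"},
]

def filter_verdict(flow):
    """Evaluate Filter Rules (layer 3); first match wins, default is pass."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in FILTER_RULES:
        if src in r["src"] and dst in r["dst"] and flow.iface == r["iface"]:
            return r["action"]
    return "pass"

def firewall_verdict(flow):
    """Evaluate Firewall app Rules; bypassed flows are reported as not inspected."""
    if flow.bypassed:
        return "not-inspected"
    dst = ipaddress.ip_address(flow.dst)
    for r in FIREWALL_RULES:
        if flow.username == r["username"] and dst in r["dst"]:
            return r["action"]
    return "pass"

def verdict(flow):
    """Combined decision: a Filter Rule block is final; otherwise ask the Firewall app."""
    if filter_verdict(flow) == "block":
        return "block"
    return "block" if firewall_verdict(flow) == "block" else "pass"
```

The last case in the test below is the caveat from the method-selection section: a username-only Firewall Rule does not catch a bypassed flow, so that restriction must live in a Filter Rule.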