How can I restrict VPN users to a single server or subnet?


You may wish to enable remote VPN connections to your network, but only to a specific endpoint(s): a user's office workstation, for example, or a group of file servers. 

These instructions are not specific to any VPN and can be used for remote clients connected by WireGuard, OpenVPN, or IPsec/IKE.


Filter Rules vs. Firewall rules

Filter Rules are generally preferable because the rule operates "lower" in the network stack, ensuring it takes effect "earlier" in the session's processing. This saves system resources and eliminates issues around application processing, but it does limit your criteria options to those available at layer 3: IP addresses, ports, and interfaces.

Firewall application Rules offer a broader selection of criteria, including layer-7 information such as usernames, client countries, and so on, but this introduces potential complications:

  1. The rule requires the traffic is processed at the application layer, meaning it can't be bypassed.
  2. The rule might be confined to a specific Policy Manager policy, which may make it unreliable.

Firewall Rules are required if you are restricting access by username, which is preferable in a Zero Trust environment.


Example restrictions

This section contains two example restrictions. Please note that each uses the operator is NOT, which can only take a single value. You cannot comma-separate multiple entries when using is NOT.


Allowing all VPN users to to only one interface or subnet

This can be used when you'd like to restrict your remote users to a single interface or subnet, such as a LAN containing file servers or printers.

Create your rule using these conditions:

  • Source Interface is [VPN your remote clients use]
  • Destination Interface is NOT [allowed interface]
    • you can also use Destination Address is NOT [subnet in CIDR notation]

Set the action type to 'block', blocking any traffic that does not meet your rule criteria.

In this example, users connected to the network via L2TP are able to access Interface 3, but no other interfaces. Note that this rule will block internet access through the NG Firewall, meaning that full-tunnel VPN connections will not have internet access.


Allowing a specific user to only one internal resource

This is useful for allowing the user to connect to only one device, such as their office workstation or a file server.

Create your rule using these conditions:

  • Source Address is [client's internal IP address when connected to VPN]
  • Destination Address is NOT [allowed IP address]

Set the action type to 'block', blocking any traffic that does not meet your rule criteria.

In this example, William's laptop uses the IP when connected via OpenVPN. This device is allowed to access a server at, but nothing else inside of the network.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk