Site to site OpenVPN - restrict access to server LAN resources
-
Sorry if this has been mentioned before; if so, please point me to the relevant thread. I need to create a site-to-site OpenVPN but restrict access to server LAN resources. Specifically, I need to allow access from specific machines on the "client" side to specific machines on the "server" side.
Best regards
Kostas
-
Connections coming IN to an OpenVPN endpoint are firewalled using rules on the OpenVPN interface.
If you want the remote site to only have access to certain hosts:ports, create firewall aliases/pass rules with those hosts:ports as the destination.
In this example, 172.29.64.0/24 is my local OpenVPN server that only I can connect into, so it's far more permissive. Everything else is from work site-to-site. The local_vpn_hosts alias includes local IPs for a copier/printer, IP phone, etc., that the work VPN needs to initiate connections to.
Note that my connections to the remote site are governed by rules on the remote site's OpenVPN interface.
![Screen Shot 2014-09-06 at 10.37.27 AM.png](/public/imported_attachments/1/Screen Shot 2014-09-06 at 10.37.27 AM.png)
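The alias-plus-pass-rule approach from the answer above, written out as a pf.conf fragment for the OpenVPN server site. This is an added example, not the poster's own rule set or anything from the screenshot: the tunnel interface name ovpns1, the remote LAN 10.20.0.0/24, the two remote workstations and the two local hosts are all constructed values. In the pfSense GUI the same thing is built under Firewall > Aliases and Firewall > Rules on the OpenVPN tab; the pf syntax just makes the source/destination/port restriction explicit.

```pf
# Added example (not from the post): pf.conf fragment for the OpenVPN *server* site.
# Assumptions (all constructed): the site-to-site tunnel terminates on ovpns1,
# the remote office LAN is 10.20.0.0/24, and two remote workstations need to
# reach a print server and an IP phone on the local LAN.

# Aliases (pf tables), the equivalent of pfSense "Firewall > Aliases"
table <remote_allowed_src> { 10.20.0.15, 10.20.0.16 }      # remote-side machines allowed in
table <local_vpn_hosts>    { 192.168.1.50, 192.168.1.60 }  # local copier/printer, IP phone

# Default for the tunnel: nothing arriving on the OpenVPN interface is passed.
# Rules for LAN/WAN are unchanged and omitted here.
block in log on ovpns1 all

# Only the listed remote machines, only to the listed local machines, only on
# the ports those services need. Anything else from the tunnel hits the block.
pass in quick on ovpns1 proto tcp from <remote_allowed_src> to <local_vpn_hosts> port { 9100, 631 }
pass in quick on ovpns1 proto { tcp, udp } from <remote_allowed_src> to <local_vpn_hosts> port 5060
pass in quick on ovpns1 proto icmp from <remote_allowed_src> to <local_vpn_hosts>

# Connections that *this* site initiates toward the remote LAN are allowed by
# state tracking on the outbound side; they need no "pass in" on ovpns1, and
# whether they are accepted is decided by the remote site's own tunnel rules.
```

Two checks worth doing after loading rules like these: `pfctl -nf /etc/pf.conf` to parse without applying, and `pfctl -t local_vpn_hosts -T show` to confirm the alias actually contains the hosts you expect, since an empty table silently matches nothing and the remote site loses access with no error.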