Netgate Discussion Forum
    Restrict VPN Client to allow only Specific Traffic and block all

Firewalling
    4 Posts 2 Posters 450 Views
sreyas

I am looking for a solution to block all traffic except SSH to one specific system.

I had assigned one of my VPN users a static IP [through Client Specific Override].
I need to restrict this user from accessing any of my network except one server through SSH.

Basically:
      Deny all
      Allow SSH only to One IP

      Regards
      Sreyas

NogBadTheBad

        Above your rule that allows all the vpn users full access, create two rules.

1. allow the static IP you're giving him access to the server for SSH

2. block the static IP you're giving him access to any

If he tries to connect elsewhere, or to the server using any other protocol, he'll be blocked.

Rules are read from the top down, so your logic is a bit off.

Once he's on the server via SSH he can ssh, telnet, etc. anywhere; you'll need to restrict what he can do there too, imo.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

sreyas

I tried this for my LAN users but failed; maybe I had done it wrong. The purpose was to block RDC 3389.

1. I had created an alias for some of our users with their IPs.
2. I had created a rule on the LAN interface with Allow All for this alias as source.
3. Just below it I had added Deny for port range MS RDP 3389 for those users.

Is this the same way I need to configure it for VPN?

On which interface do I configure it for OpenVPN users [LAN / WAN / OVPN]?

I am a bit confused.

          Regards
          Sreyas

NogBadTheBad

            @sreyas:

I tried this for my LAN users but failed; maybe I had done it wrong. The purpose was to block RDC 3389.

1. I had created an alias for some of our users with their IPs.
2. I had created a rule on the LAN interface with Allow All for this alias as source.
3. Just below it I had added Deny for port range MS RDP 3389 for those users.

Is this the same way I need to configure it for VPN?

On which interface do I configure it for OpenVPN users [LAN / WAN / OVPN]?

I am a bit confused.

            Regards
            Sreyas

Post a screenshot of your rules. The rules go on the interface where the traffic enters the firewall.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

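Added example, not from the thread or from pfSense itself: a small first-match rule evaluator showing why Andy's two rules must sit above the VPN allow-all, and why the LAN attempt (allow-all above the RDP deny) never blocked anything. All addresses are constructed (tunnel 10.8.0.0/24, restricted user 10.8.0.10, LAN 192.168.1.0/24, SSH server 192.168.1.50, an alias member 192.168.1.10).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One interface rule, evaluated first-match like a pfSense GUI rule."""
    action: str                  # "pass" or "block"
    src: str                     # source host/network in CIDR form
    dst: str                     # destination host/network in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the list top down; the first match decides, and a packet that
    matches nothing hits the implicit default block."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "block"

# Constructed OpenVPN interface rule set, in the order Andy describes.
OPENVPN_RULES = [
    Rule("pass", "10.8.0.10/32", "192.168.1.50/32", "tcp", 22),  # 1. SSH to the one server
    Rule("block", "10.8.0.10/32", "0.0.0.0/0"),                  # 2. that user to anything else
    Rule("pass", "10.8.0.0/24", "0.0.0.0/0"),                    # existing allow-all for VPN users
]

def lan_rules(block_first: bool) -> List[Rule]:
    """The LAN attempt from the thread: with the alias allow-all above the
    RDP block, the block is never reached; it has to sit above the allow."""
    allow_alias = Rule("pass", "192.168.1.10/32", "0.0.0.0/0")
    block_rdp = Rule("block", "192.168.1.10/32", "0.0.0.0/0", "tcp", 3389)
    return [block_rdp, allow_alias] if block_first else [allow_alias, block_rdp]

if __name__ == "__main__":
    for dst, port in (("192.168.1.50", 22), ("192.168.1.50", 3389), ("192.168.1.60", 22)):
        print(f"10.8.0.10 -> {dst}:{port}: {evaluate(OPENVPN_RULES, 'tcp', '10.8.0.10', dst, port)}")
    for order in (False, True):
        print(f"LAN block_first={order}: RDP ->",
              evaluate(lan_rules(order), "tcp", "192.168.1.10", "192.168.1.60", 3389))
```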