Restrict VPN Client to allow only Specific Traffic and block all



  • I am looking for a solution to block all traffic except ssh to one specific system

    I had assigned one of my VPN users a static IP [through Client Specific Override]
    I need to restrict this user from accessing any of my network except one server through ssh

    Basically
    Deny all
    Allow SSH only to One IP

    Regards
    Sreyas


  • Galactic Empire

    Above your rule that allows all the vpn users full access, create two rules.

    1. allow the static IP you're giving him access to the server for SSH

    2. block the static IP you're giving him access to any

    If he tries to connect elsewhere or to the server using any other protocol he'll be blocked.

    Rules are read from the top down so your logic is a bit off.

    Once he's on the server via ssh he can ssh, telnet, etc … anywhere, you'll need to restrict what he can do there too imo.



  • I tried this for my LAN users but it failed; maybe I had done it wrong. The purpose was to block RDC 3389

    1. I had created an Alias for some of our users with their IPs
    2. I had created a rule on the LAN interface with Allow All for this Alias as Source
    3. Just below I had added Deny Port range MS RDP 3389 for those users

    Is this the same way I need to configure for VPN?

    On which interface do I configure for OpenVPN users [LAN / WAN / OVPN]?

    I am a bit confused.

    Regards
    Sreyas


  • Galactic Empire

    @sreyas:

        I tried this for my LAN users but it failed; maybe I had done it wrong. The purpose was to block RDC 3389

        1. I had created an Alias for some of our users with their IPs
        2. I had created a rule on the LAN interface with Allow All for this Alias as Source
        3. Just below I had added Deny Port range MS RDP 3389 for those users

        Is this the same way I need to configure for VPN?

        On which interface do I configure for OpenVPN users [LAN / WAN / OVPN]?

        I am a bit confused.

        Regards
        Sreyas

    Post a screenshot of your rules, the rules go on the interface where the traffic enters the firewall.
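As an added worked example (editor's illustration, not code from the thread or from pfSense), the following Python model shows why the two-rule ordering in Galactic Empire's first reply works and why the LAN attempt in Sreyas's follow-up did not. It evaluates rules the way pfSense interface rules behave: rules are tried top down and the first match wins (pfSense adds `quick` to interface-tab rules), traffic is only checked against the rules of the interface it enters on, and anything matching no rule there hits the default deny. The tunnel network 10.8.0.0/24, the static address 10.8.0.10, the SSH server 192.168.1.50, the LAN 192.168.1.0/24 and the "staff" alias are made-up values for the demonstration.

```python
"""Model of pfSense-style first-match firewall rule evaluation (added example).

Addresses, interface names and the 'staff' alias below are made up for the
demonstration; substitute your own tunnel network, server and user address.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PASS, BLOCK = "pass", "block"


@dataclass(frozen=True)
class Rule:
    action: str              # PASS or BLOCK
    iface: str               # interface the packet ENTERS on: "openvpn", "lan", ...
    proto: str               # "tcp", "udp", or "any"
    src: object              # "any", a CIDR string, or a tuple of CIDRs (an alias)
    dst: object              # same forms as src
    dport: Optional[tuple]   # (low, high) port range, or None for any port
    note: str = ""


def _net_match(nets, ip):
    if nets == "any":
        return True
    if isinstance(nets, str):
        nets = (nets,)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _port_match(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def rule_matches(r, iface, proto, src, dst, dport):
    return (r.iface == iface
            and r.proto in ("any", proto)
            and _net_match(r.src, src)
            and _net_match(r.dst, dst)
            and _port_match(r.dport, dport))


def evaluate(rules, iface, proto, src, dst, dport=None):
    """Return (action, note) of the first matching rule.

    pfSense adds 'quick' to interface-tab rules, so the first match wins and
    later rules are never consulted. Traffic matching no rule on the interface
    it arrives on hits the implicit default deny.
    """
    for r in rules:
        if rule_matches(r, iface, proto, src, dst, dport):
            return r.action, r.note
    return BLOCK, "implicit default deny"


# --- assumed addressing (not from the thread) ---
VPN_NET = "10.8.0.0/24"           # OpenVPN tunnel network
RESTRICTED_USER = "10.8.0.10/32"  # static address set via Client Specific Override
SSH_SERVER = "192.168.1.50/32"    # the one host this user may reach
LAN_NET = "192.168.1.0/24"
STAFF = ("192.168.1.20/32", "192.168.1.21/32")  # a pfSense alias of user IPs

# OpenVPN tab: the two user-specific rules sit ABOVE the general allow-all.
OPENVPN_RULES = [
    Rule(PASS, "openvpn", "tcp", RESTRICTED_USER, SSH_SERVER, (22, 22), "restricted user: ssh to server"),
    Rule(BLOCK, "openvpn", "any", RESTRICTED_USER, "any", None, "restricted user: block everything else"),
    Rule(PASS, "openvpn", "any", VPN_NET, "any", None, "other vpn users: full access"),
]

# LAN tab as described in the thread: allow-all for the alias placed first,
# so the RDP deny below it can never be reached.
LAN_RULES_BROKEN = [
    Rule(PASS, "lan", "any", STAFF, "any", None, "staff: allow all (shadows the deny)"),
    Rule(BLOCK, "lan", "tcp", STAFF, "any", (3389, 3389), "staff: deny RDP (unreachable)"),
    Rule(PASS, "lan", "any", LAN_NET, "any", None, "default allow LAN to any"),
]

# Corrected ordering: the more specific deny goes first.
LAN_RULES_FIXED = [
    Rule(BLOCK, "lan", "tcp", STAFF, "any", (3389, 3389), "staff: deny RDP"),
    Rule(PASS, "lan", "any", STAFF, "any", None, "staff: allow all else"),
    Rule(PASS, "lan", "any", LAN_NET, "any", None, "default allow LAN to any"),
]


def scenarios():
    """Run the cases discussed in the thread; returns {name: action}."""
    cases = {
        "vpn user ssh to server":               (OPENVPN_RULES, "openvpn", "tcp", "10.8.0.10", "192.168.1.50", 22),
        "vpn user telnet to server":            (OPENVPN_RULES, "openvpn", "tcp", "10.8.0.10", "192.168.1.50", 23),
        "vpn user ssh elsewhere":               (OPENVPN_RULES, "openvpn", "tcp", "10.8.0.10", "192.168.1.60", 22),
        "other vpn user rdp anywhere":          (OPENVPN_RULES, "openvpn", "tcp", "10.8.0.11", "192.168.1.60", 3389),
        "vpn rules placed on wrong interface":  (OPENVPN_RULES, "lan", "tcp", "10.8.0.10", "192.168.1.50", 22),
        "staff rdp, broken order":              (LAN_RULES_BROKEN, "lan", "tcp", "192.168.1.20", "192.168.1.60", 3389),
        "staff rdp, fixed order":               (LAN_RULES_FIXED, "lan", "tcp", "192.168.1.20", "192.168.1.60", 3389),
        "staff ssh, fixed order":               (LAN_RULES_FIXED, "lan", "tcp", "192.168.1.20", "192.168.1.60", 22),
    }
    return {name: evaluate(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{action:5}  {name}")
```

The "wrong interface" case is the answer to the OVPN-vs-LAN question: the OpenVPN user's packets enter the firewall on the OpenVPN interface, so rules placed on the LAN tab never see them. The model only covers the firewall; once the user is on the SSH server, restricting what that account can do from there is a separate control, as the first reply notes.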