How to set up a VPN that will just give access to ports 143, 993, 443 on the public interface and to nothing else in the LAN
-
Hello,
I am on 2.5.1 community version. I have an existing VPN tunnel network 10.0.182.0/24 that lets users access the IPv4 local network 192.168.0.0/21. My custom options are:
push "route 192.168.0.0 255.255.255.0 10.0.182.1 1";
reneg-sec 0;
Can I run another VPN on the same server and create client certificates so that, when these clients connect, they will not have access to 192.168.0.0/21
but will only have access to ports 143, 993, 443 on 110.202.43.253 (WAN IP)? Currently these ports 143, 993, 443 on 110.202.43.253 (WAN IP) are open and I am getting hundreds of hack attempts by brute-force password attacks every day. These ports are used by mobile users to send/receive email from our Exchange server.
These ports 143, 993, 443 hitting the WAN IP get forwarded to the internal LAN IP 192.168.0.240 of our Exchange server.
Thanks!
-
Sure, you can limit what the VPN allows in the VPN rules.
If you want to run a different instance, it would still be the same rule tab.. But you could limit the tunnel network you hand out for your 2nd instance to only the IPs and ports you want for destination.
And the other instance tunnel network allow all, etc.
There is really no reason to add push routes - this would be done automatically when you create the local networks in the VPN configuration.
Your users might not like having to VPN to check their email though :) Users can be finicky..
-
@johnpoz Thanks! Is there a step-by-step instruction on how to do this?
-
You're going to run a different instance - why would you not just run through the wizard? Pick a different port, say 1195.. Then the only thing you have to change is the tunnel network.. Your local network can be the 192.168/16 if you want.. But you only have 1 network locally - and is it a /16. Why? Do you have 65k some devices?
-
We have a /16 as we ran out of IP addresses in the /24.
Currently for Exchange OWA, mail.ford.com is pointing towards 110.202.43.253, and the ports are forwarded to the Exchange server on the LAN, 192.168.0.240.
Once the VPN is connected, how can I make sure that mail.ford.com resolves to 192.168.0.240 and that users are unable to ping or reach any other machines on the local LAN?
-
You ran out of /24 IPs - ok, then how about a /23 or /22 ;)
The jump from /24 to /16 is nuts. Do you use that as your mask on your devices, or are you just using it as a routing summary?
To be honest that is neither here nor there - but it's one of my trigger points is all ;) Insanely huge networks used for no valid reason.
The only thing you need to do is fire up another instance.. The details of which are up to you; really the only thing that needs to change is that it has to be an actual different instance.. so another port, say 1195, and use say 10.0.183.0/24 as the tunnel network. Then create your rules in your OpenVPN interface for 10.0.182 and 10.0.183 that limit or allow what you want those clients to be able to do.
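As an added illustration that is not part of this thread, here is what the OpenVPN-tab rules described above amount to in pf syntax (pfSense generates rules of this shape from the GUI; you do not edit pf.conf by hand there). It assumes the two tunnel networks named in the thread, 10.0.182.0/24 for the existing full-access instance and 10.0.183.0/24 for the new mail-only instance, and that the WAN port forward for 110.202.43.253 lands on 192.168.0.240, so the restricted clients are allowed only to that internal host and those three TCP ports.

```pf
# Constructed example of the rules on the pfSense "OpenVPN" tab, expressed in pf syntax.
# "openvpn" is the interface group pfSense creates that covers every OpenVPN instance,
# so both tunnel networks are matched on the same tab and distinguished by source.

# Existing instance (port 1194, tunnel 10.0.182.0/24): unrestricted, as today.
pass in quick on openvpn inet from 10.0.182.0/24 to any keep state

# New instance (port 1195, tunnel 10.0.183.0/24): only IMAP, IMAPS and HTTPS
# to the Exchange host behind the port forward. Clients reach the service by its
# LAN address, not by 110.202.43.253, unless NAT reflection is enabled on the forward.
pass in quick on openvpn inet proto tcp from 10.0.183.0/24 to 192.168.0.240 \
    port { 143, 993, 443 } flags S/SA keep state

# Everything else from the restricted tunnel, including ICMP ping and the rest of
# 192.168.0.0/21, is dropped. pfSense already denies by default; an explicit block
# rule makes the intent visible and can be logged to spot misconfigured clients.
block in quick log on openvpn inet from 10.0.183.0/24 to any
```

With the rules in place, a client on the new instance should be able to open mail.ford.com:993 only if the name resolves to 192.168.0.240 (a DNS Resolver host override pushed to that instance's clients is the usual way), and a ping to any other LAN host should time out.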