How to secure home side of site to site VPN
-
I got site-to-site working between my home office and the company: pfSense Plus on one side and CE on the other. So I was bouncing around, accessing the other network's servers, and I remoted into the company site and started accessing my home servers... which I knew should work, and I don't mind for myself, but how do I prevent any other company-side user from doing the same?
-
I used 2 rules in this order on my LAN interface:
- allow authorized devices to talk to the VPN network
- block all access to the VPN network
This only needs to be done on one side; do both sides for safety.
You can also place the rules on the VPN interface to prevent the remote network from talking to unauthorized devices. Think carefully about what traffic will enter the interface and create rules to allow the good traffic, and then rules to block the bad. Order is important.
-
I figured out how to limit access from the office side back to home by specifying just my workstation as the source allowed to pass through to the VPN gateway. I am not using static routes to implement the connection, just LAN rules to manage policy on both sides.
I did the above on the Office side and then realized I should also block on the Home side just in case someone else starts editing the configuration.
At home, on the VPN interface, I already had a rule to pass all traffic, so I changed it to clamp the source to only my office workstation IP. I tested this by opening up the office-side rule to my whole network. It still blocked attempts to connect from locations other than my workstation.
Given the above, do I need a blocking rule on the LAN interface? Right now, if the source is not my workstation, all requests fall through to the default LAN rules, which seem to block any unwanted requests for access.
Thanks for your help.
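The rule ordering recommended in the earlier answer (pass the authorized device, then block the rest, all ahead of the stock allow-any LAN rule) and the clamped pass rule on the home VPN interface from the post above, as an added example that is not code from this thread or from pfSense itself: a small Python model of how pfSense evaluates interface rules (top to bottom, first match wins, implicit default deny for anything unmatched). The addresses, the 10.10.0.25 workstation, and the rule labels are constructed for illustration; the model matches on source and destination only and ignores protocol, port and state, which is enough to show why order matters and why the fall-through to default deny works.

```python
"""Model of pfSense-style interface rule evaluation (first match wins).

Added example, not from the original thread or from pfSense. The addresses,
host names and rule sets below are assumptions made up for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network     # source match (use /32 for a single host)
    dst: ipaddress.IPv4Network     # destination match
    label: str = ""


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Assumed (constructed) addressing for the two sites.
OFFICE_LAN = net("10.10.0.0/24")
HOME_LAN = net("192.168.50.0/24")
ANY = net("0.0.0.0/0")
WORKSTATION = net("10.10.0.25/32")   # the one office host allowed to reach home


def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """Return the action of the first rule matching (src, dst).

    pfSense interface rules apply to traffic entering that interface, are
    evaluated top to bottom, and the first match wins; traffic matching no
    rule hits the implicit default deny.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"   # implicit default deny


# Office LAN interface, in the order the answer recommends:
# 1) pass the authorized device to the VPN network,
# 2) block everyone else to the VPN network,
# 3) the stock "Default allow LAN to any" rule pfSense creates on LAN.
OFFICE_LAN_RULES_CORRECT = [
    Rule("pass", WORKSTATION, HOME_LAN, "workstation to home"),
    Rule("block", OFFICE_LAN, HOME_LAN, "everyone else to home"),
    Rule("pass", OFFICE_LAN, ANY, "Default allow LAN to any"),
]

# Same three rules with the block placed below the allow-any rule:
# the block is never reached, so every office host can reach home.
OFFICE_LAN_RULES_WRONG_ORDER = [
    Rule("pass", WORKSTATION, HOME_LAN, "workstation to home"),
    Rule("pass", OFFICE_LAN, ANY, "Default allow LAN to any"),
    Rule("block", OFFICE_LAN, HOME_LAN, "everyone else to home"),
]

# Home side, rules on the VPN interface (traffic arriving from the tunnel).
# Only the office workstation is passed; there is no explicit block rule,
# so anything else falls through to the default deny.
HOME_VPN_RULES = [
    Rule("pass", WORKSTATION, HOME_LAN, "office workstation to home LAN"),
]


def office_side_decisions(rules):
    """Decisions on the office LAN interface for the workstation and another host."""
    return {
        "workstation": evaluate(rules, "10.10.0.25", "192.168.50.10"),
        "other_host": evaluate(rules, "10.10.0.77", "192.168.50.10"),
        "other_host_internet": evaluate(rules, "10.10.0.77", "203.0.113.5"),
    }


def home_side_decisions(rules=HOME_VPN_RULES):
    """Decisions on the home VPN interface, e.g. after the office side was opened up."""
    return {
        "workstation": evaluate(rules, "10.10.0.25", "192.168.50.10"),
        "other_host": evaluate(rules, "10.10.0.77", "192.168.50.10"),
    }


if __name__ == "__main__":
    print("office, correct order:", office_side_decisions(OFFICE_LAN_RULES_CORRECT))
    print("office, wrong order:  ", office_side_decisions(OFFICE_LAN_RULES_WRONG_ORDER))
    print("home VPN interface:   ", home_side_decisions())
```

Running it shows the two points the thread makes: with the block rule above the allow-any rule, only the workstation reaches the home LAN while other office hosts still get to the Internet; with the block placed below the allow-any rule, it is dead and every office host reaches home. On the home VPN interface a single clamped pass rule is enough, because anything not matching it falls through to the default deny, which is what the follow-up post observed when the office side was opened up.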
-
@mooncaptain You only need the rules on one interface for each FW. Sounds like you are good to go.