Site to site OpenVPN - restrict access to server LAN resources



  • Sorry if this has been mentioned before; if so, please point me to the relevant thread. I need to create a site-to-site OpenVPN but restrict access to server LAN resources. Specifically, I need to allow access from specific machines on the "client" side to specific machines on the "server" side.

    Best regards

    Kostas


  • LAYER 8 Netgate

    Connections coming IN to an OpenVPN endpoint are firewalled using rules on the OpenVPN interface.

    If you want the remote site to only have access to certain hosts:ports, create firewall aliases/pass rules with those hosts:ports as the destination.

    In this example, 172.29.64.0/24 is my local OpenVPN server that only I can connect into, so it's far more permissive. Everything else is from work site-to-site. The local_vpn_hosts alias includes local IPs for a copier/printer, IP phone, etc, that the work VPN needs to initiate connections to.

    Note that my connections to the remote site are governed by rules on the remote site's OpenVPN interface.

    ![Screen Shot 2014-09-06 at 10.37.27 AM.png](/public/imported_attachments/1/Screen Shot 2014-09-06 at 10.37.27 AM.png)
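The screenshot above shows the GUI rules. As an added example (not from the original post, and not pfSense's generated ruleset), here is the same approach written out as the pf rules pfSense would produce from such aliases and pass rules, so the match logic is visible without the GUI. Everything here is an assumption chosen for illustration: the site-to-site tunnel is interface `ovpns1`, the remote ("client") LAN is 10.20.0.0/24, the alias `remote_vpn_hosts` holds the two remote machines that need access, and `local_vpn_hosts` holds the local printer (192.168.1.50), phone system (192.168.1.60) and file server (192.168.1.70). The ports are likewise constructed for the example.

```pf
# Added example, not pfSense's own generated rules. All addresses, the
# ovpns1 interface name and the ports below are assumptions for illustration.

# pfSense aliases become pf tables. Only the remote hosts that need access
# are listed; the rest of the remote LAN never matches a pass rule.
table <remote_vpn_hosts> { 10.20.0.10, 10.20.0.11 }
# Local hosts the remote site is allowed to initiate connections to.
table <local_vpn_hosts>  { 192.168.1.50, 192.168.1.60, 192.168.1.70 }

# Rules on the OpenVPN interface govern traffic arriving FROM the tunnel.
# Default deny first: because the pass rules below use "quick", a packet
# that matches none of them falls back to this block and is logged.
block drop in log on ovpns1 all

# Printing (raw JetDirect and IPP) from the approved remote hosts only.
pass in quick on ovpns1 proto tcp from <remote_vpn_hosts> to 192.168.1.50 port { 9100, 631 } flags S/SA keep state

# SIP signalling to the phone system.
pass in quick on ovpns1 proto { tcp udp } from <remote_vpn_hosts> to 192.168.1.60 port 5060 keep state

# SMB to the file server. Any other port on these hosts stays blocked.
pass in quick on ovpns1 proto tcp from <remote_vpn_hosts> to 192.168.1.70 port 445 flags S/SA keep state

# ICMP echo to the allowed hosts so the remote admin can troubleshoot reachability.
pass in quick on ovpns1 inet proto icmp from <remote_vpn_hosts> to <local_vpn_hosts> icmp-type echoreq keep state
```

On a pfSense box these rules are created in the GUI under the OpenVPN interface tab (pfSense regenerates its ruleset from the GUI, so a hand-edited file is overwritten); the file above is useful for checking syntax with `pfctl -nf rules.conf` and for comparing against what the box actually loaded with `pfctl -sr | grep ovpns1` and `pfctl -t local_vpn_hosts -T show`. Two caveats the post's point depends on: the routes OpenVPN pushes or the `iroute` entries only tell each side where the other LAN is, they do not restrict anything, so the firewall rules are the only access control; and, as the reply notes, these rules only cover connections initiated from the remote site. Connections going the other way are filtered by the rules on the remote site's OpenVPN interface, which need the mirror-image tables and pass rules.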

