Site to site OpenVPN - restrict access to server LAN resources

costasppc

Sorry if this has been mentioned before, if so please point to the relevant thread. I need to create a site to site OpenVPN but restrict access restrict to server LAN resources. Specifically, I need to allow access from specific machines on the "client" side to specific machines to the "server" side.

Best regards

Kostas

Derelict

Connections coming IN to an OpenVPN endpoint are firewalled using rules on the OpenVPN interface.

If you want the remote site to only have access to certain hosts:ports, create firewall aliases/pass rules with those hosts:ports as the destination.

In this example, 172.29.64.0/24 is my local OpenVPN server that only I can connect into, so it's far more permissive. Everything else is from work site-to-site. The local_vpn_hosts alias includes local IPs for a copier/printer, IP phone, etc, that the work VPN needs to initiate connections to.

Note that my connections to the remote site are governed by rules on the remote site's OpenVPN interface.

![Screen Shot 2014-09-06 at 10.37.27 AM.png](/public/imported_attachments/1/Screen Shot 2014-09-06 at 10.37.27 AM.png)
![Screen Shot 2014-09-06 at 10.37.27 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-09-06 at 10.37.27 AM.png_thumb)