Allowing VPN users onto your network means deciding which network resources and subnets you want to share with them. Both IPsec and OpenVPN include methods for sharing exported networks, but sometimes you need to be more concerned with restricting resources.
The principle of least privilege is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.
When you export a network in OpenVPN or share a remote network in IPsec you are allowing all VPN users in that application to have access to the resources on that shared network. However, you may not want each VPN user to have access to every server, service, or resource on that subnet.
Here's how you can further restrict your VPN users' access using Filter and Firewall rules. Filter Rules are useful for restricting based on layer-3 information: IP address, source interface (including the OpenVPN interface), destination port, etc.
If you'd like to use AD usernames, see below for using Firewall Rules instead.
Filter rules (located at Config > Network > Filter Rules) apply to, and are useful for, blocking traffic going through the Untangle server. They also apply to bypassed traffic, which the Firewall application does not see. This means that if you want to block anything that's bypassed, you should use a Filter Rule. Since IPsec traffic is often bypassed, a filter rule is ideal for restricting access to certain resources from specified IPsec traffic.
For example, suppose you have an IPsec site-to-site tunnel where endpoint A is sharing the local network 192.168.102.0/24 and endpoint B is sharing the local network 10.10.0.0/16. If endpoint A does not want any of endpoint B's users to access a server addressed at 192.168.102.5, you would create the following rule in the Filter Rules section:
- Click Config at the top of the Admin screen.
- Click the button for Network.
- Click the Filter Rules tab.
- Click the Add button to create a new rule.
- Enter the information in the image below.
- Click Done and then Save to apply the new rule.
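To make the first-match logic of such a rule concrete, here is an added Python model of filter-rule evaluation for the scenario above; it is example code, not Untangle's implementation, and the `Packet`, `Rule` and `evaluate` names are hypothetical. It assumes rules are evaluated top-down with the first match winning and that unmatched traffic is passed.

```python
"""Model of first-match filter-rule evaluation (example code, not Untangle's).

The conditions modelled are a subset of those Filter Rules offer:
source interface, source network, destination address, destination port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src_iface: str   # e.g. "ipsec" or "internal" (constructed labels)
    src: str
    dst: str
    dst_port: int


@dataclass
class Rule:
    description: str
    block: bool                       # True = block, False = pass
    src_iface: Optional[str] = None
    src_net: Optional[str] = None
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every condition that is set must match (AND semantics).
        if self.src_iface is not None and pkt.src_iface != self.src_iface:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_addr is not None and ip_address(pkt.dst) != ip_address(self.dst_addr):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


# Constructed rule set for the article's scenario: endpoint B's users
# (10.10.0.0/16) must not reach the server at 192.168.102.5, while the
# rest of 192.168.102.0/24 stays reachable.
RULES: List[Rule] = [
    Rule("Block endpoint B from protected server", block=True,
         src_net="10.10.0.0/16", dst_addr="192.168.102.5"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> str:
    # Assumption: top-down evaluation, first match wins, default pass.
    for rule in rules:
        if rule.matches(pkt):
            return "block" if rule.block else "pass"
    return "pass"
```

Because the first match wins, a narrower pass rule placed above the block rule is how you grant one host an exception without widening access for the whole subnet.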
Using Firewall application rules gives you some layer-7 options to use instead of just IP address or interface: AD usernames, client country, and so forth. For these, head to Apps > Firewall > Rules. Click Add in the top left-hand corner, then choose your conditions the same as you would for Filter Rules above.