Restrict VPN Access Using Filter Rules

Allowing VPN users onto your network brings decisions about what network resources and subnets that you will want to share with them. Both IPsec and OpenVPN include methods for sharing exported networks but sometimes you need to be more concerned about restricting resources.

The principle of least privilege is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.

When you export a network in OpenVPN or share a remote network in IPsec you are allowing all VPN users in that application to have access to the resources on that shared network. However, you may not want each VPN user to have access to every server, service, or resource on that subnet. Here's how you can further restrict your VPN users' access using Filter and Firewall rules.

Filter rules (located at Config > Network > Filter Rules) apply to, and are useful for, blocking traffic going through the Untangle server. They also apply to bypassed traffic. The Firewall application doesn't see bypassed traffic. This means if you want to block anything that's bypassed you should use a Filter Rule. Since IPsec traffic is often bypassed, a filter rule would be ideal for restricting access to certain resources to specified IPsec traffic.

For example, If you have an IPsec site-to-site tunnel where endpoint A is sharing the local network of and endpoint B is sharing the local network of If endpoint A does not want any of endpoint B's users to access a server addressed at you would create the following rule in the Filter rule section:

  1. Click Config at the top of the Admin screen.

  2. Click the button for Network.

  3. Click the Filter Rules tab.

  4. Click the Add button to create a new rule.

  5. Enter the information in the image below.
    vpn1.pngClicking the image above will load it, full-size, in a new window. 

  6. Click Done and then Save to apply the new rule.




Was this article helpful?
1 out of 5 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk