  1. #1
    Newbie
    Join Date
    Jan 2021
    Posts
    2

    Limiting client access to LAN addresses

    Hello,

    I recently started using Untangle in Bridge mode. I have a question about limiting client access to local addresses.

    I've enabled OpenVPN with two users: User A and User B.

    I want "User A" to be able to remotely access only one machine on the local network, 192.168.1.10, and "User B" only one machine, 192.168.1.20. I don't want to route clients' web traffic through the VPN, so "Full Tunnel" is unchecked in the OpenVPN options. As I understand it, if OpenVPN is not set up for Full Tunnel, it will not be routed through the firewall.

    Is there any way to do this in Untangle?

    Thanks in advance.
    Last edited by Kaeb; 01-19-2021 at 02:35 PM.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,789


    Yes, and it's crazy easy!

    Use your firewall app! Make a rule at the bottom:

    Block All VPN:
    Source interface: OpenVPN

    Block

    That rule will block everything coming in on the OpenVPN interface from getting anywhere.

    Now above that rule, you make a pass rule for each user that includes what they need.

    Source Interface: OpenVPN
    username: name of vpn client
    destination address: authorized machine

    Pass

    You can refine from there. Protocol, destination port, whatever you need.

    A new rule for each user. This may include a pass-everything rule for some special user that needs it.

    I use these two rules on an Untangle right now to limit all VPN unless specifically authorized, so that remote users can only RDP to their respective workstations. It's enabled telecommuting quite nicely, and I don't have to worry about people connecting to the wrong place.

    The key is knowing the magic: the username field match in the firewall app will also match against the OpenVPN client name. And never forget rules are evaluated in order, so you want block rules at the BOTTOM of the list.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Jan 2021
    Posts
    2


    Thanks for your answer.

    I enabled "Full tunnel" in OpenVPN to be able to use the firewall and apply these rules.

    Yes, your solution restricts client access to other LAN addresses, but enabling "Full tunnel" routes all the web traffic through the VPN and the rule at the bottom (Block All VPN) blocks it (visible in Reports - Firewall - Blocked Events).

    I want users to keep their own public IPs when doing general web browsing.

    Is there a workaround for this?

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,789


    If you want your users to not use a full tunnel, you need to configure it not to use a full tunnel.

    The full tunnel option has nothing to do with what I just posted, and everything to do with configuring the VPN client to use the VPN for all Internet access.

    If you want them using their own internet, that's called SPLIT TUNNEL, and that's what you get when you don't enable full tunnel.

    So go disable full tunnel, and reconnect.
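The two answers above describe a procedure with two separate moving parts: the client's routing decision (full tunnel vs. split tunnel decides whether a packet enters the VPN at all) and the firewall's ordered, first-match rule list (per-user pass rules above a catch-all block on the OpenVPN interface). The following Python simulation is an added example, not code from the thread or from Untangle; it models both parts so you can see why the same rule set blocks web browsing under Full Tunnel and leaves it alone under split tunnel, and why putting the block rule at the top silences the pass rules. The rule semantics (ordered list, first match decides, unmatched traffic passes), the exported LAN 192.168.1.0/24, the interface name "OpenVPN", and the sample destination 203.0.113.5 are all assumptions made for the example.

```python
"""First-match firewall simulation for the "block all VPN, pass per user" pattern.

Constructed example. The rule semantics (ordered list, first matching rule
decides, unmatched traffic passes) are an assumption modelled on the Firewall
app behaviour described in the thread; this is not Untangle code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "pass" or "block"
    src_interface: Optional[str] = None  # None = any interface
    username: Optional[str] = None       # matched against the OpenVPN client name
    dst_network: Optional[str] = None    # host or CIDR; None = any destination


@dataclass(frozen=True)
class Flow:
    src_interface: str
    username: str
    dst_ip: str


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if every condition it sets matches the flow."""
    if rule.src_interface is not None and rule.src_interface != flow.src_interface:
        return False
    if rule.username is not None and rule.username != flow.username:
        return False
    if rule.dst_network is not None:
        net = ipaddress.ip_network(rule.dst_network, strict=False)
        if ipaddress.ip_address(flow.dst_ip) not in net:
            return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "pass", "(no rule matched)"  # assumed default when nothing matches


# The rule set from the answer: per-user pass rules above, catch-all block at the bottom.
RULES = [
    Rule("Pass User A", "pass", src_interface="OpenVPN", username="User A", dst_network="192.168.1.10"),
    Rule("Pass User B", "pass", src_interface="OpenVPN", username="User B", dst_network="192.168.1.20"),
    Rule("Block All VPN", "block", src_interface="OpenVPN"),
]

# Networks the server pushes to split-tunnel clients (assumed to be the LAN).
EXPORTED_NETWORKS = ["192.168.1.0/24"]


def tunnel_carries(dst_ip: str, full_tunnel: bool, exported=EXPORTED_NETWORKS) -> bool:
    """Does the client's routing table send this destination into the VPN?"""
    if full_tunnel:
        return True  # default route via the tunnel: everything crosses the firewall
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(n) for n in exported)


def simulate(username: str, dst_ip: str, full_tunnel: bool, rules=RULES) -> Tuple[str, str]:
    """Full decision for one connection from a VPN client: routing first, then firewall."""
    if not tunnel_carries(dst_ip, full_tunnel):
        return "not tunneled", "client uses its own Internet connection"
    return evaluate(rules, Flow("OpenVPN", username, dst_ip))


if __name__ == "__main__":
    for user, dst, full in [
        ("User A", "192.168.1.10", False),
        ("User A", "192.168.1.20", False),
        ("User B", "192.168.1.20", False),
        ("User A", "203.0.113.5", True),   # web browsing with Full Tunnel on
        ("User A", "203.0.113.5", False),  # the same with split tunnel
    ]:
        print(user, dst, "full" if full else "split", "->", simulate(user, dst, full))
    # Block rule moved to the TOP: first match wins, so the pass rules never fire.
    print("block-first:", evaluate(RULES[::-1], Flow("OpenVPN", "User A", "192.168.1.10")))
```

Under split tunnel the 203.0.113.5 connection never reaches `evaluate`, which is the behaviour the second reply describes: the blocked web traffic seen in Reports was only there because Full Tunnel put it on the OpenVPN interface in the first place. Reversing the list shows the ordering point from the first reply: with the block rule on top, User A is denied even to 192.168.1.10.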