Limit IP addresses that can connect to VPN?

Comments

10 comments

  • Andy brown

    Go into the VPN network tab, then click on rules. Add your Allow or Block rules there.

  • Mike Rodrigues

    Thanks Andy. Won't that just limit what devices on the VPN can connect to, rather than from what IP addresses devices can connect to the VPN? For example, if I apply a rule blocking 10.10.10.10, then won't that just restrict devices that are connected to the VPN from being able to access 10.10.10.10, rather than preventing it from being able to establish a VPN connection?

  • Firewalla

    Is your IP address changing from the remote? It is going to be very difficult to apply a rule if the remote IP is not fixed.

  • Mike Rodrigues

    It changes a little bit, but it is always within a specific CIDR block, so I was hoping to set up a rule to allow connections from just that block for now.

    I haven't set up VPN clients on other devices just yet, but realize that it would be near impossible to set that up by IP address. Since I don't plan to set those up anytime soon, I was hoping to at least lock down access to the VPN server in the meantime.

  • Andy brown

    Try only allowing the CIDR range from the school and denying everything else. I haven't tried any of these rules in the VPN, so no idea if they work.

  • Mike Rodrigues

    Finally got around to trying this out today. Even if I add a rule to the OpenVPN network that blocks the IP address that my phone's cellular connection is showing, I'm still able to create an OpenVPN connection from my phone back to the Firewalla Gold. That said, it appears there isn't a way to be able to lock down what IP addresses can initiate a VPN connection.

  • Support Team

    This is correct. Rules configured in the app will not apply to traffic initiated from or going to Firewalla itself, including the OpenVPN server running on Firewalla. This is because we don't want Firewalla itself to behave abnormally just because users configured something wrong by mistake.

    So for now, you will have to manage the VPN profile carefully; do not share it with others.

  • A M

    Just curious if there are any updates on this?

    So for clarity, currently the rules only apply to internal networks? So if I create a rule to block a region, that rule can only be applied at the LAN level (traffic may still flow into the FWG but would then be caught "internally" by the rule)? Likewise, with the VPN question above, any rules I create to limit access to the VPN really are rules that limit access into the LAN but would not apply to the external port on the FWG?

  • Mike Rodrigues

    I haven’t heard of any updates to how the rules for the VPN segment apply in recent releases. That’s my understanding as well.

    Someone could in theory connect from another country (assuming your OVPN or WireGuard config is breached), and then the rules that are specified would be applied to any traffic originating from the client that's connected to the VPN. So if you block country A and allow country B, someone from country A could still connect, but traffic flowing from the client at that point wouldn't be allowed to country A (e.g. couldn't connect to a website in that country), but they would be allowed to send traffic to country B.

  • Chris Thomas

    Although we have the ability to manually create custom inbound rules for Port Forwards, I do not believe we have the ability to customize the inbound rule for OpenVPN or WireGuard VPN.

    Firewall rules applied to the 'WireGuard' interface that is visible in Firewalla are outbound rules.

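
Since the thread concludes that app rules cannot restrict which public addresses may reach the OpenVPN server, a defender can at least audit the server log for completed sessions from outside the expected source block. The Python below is an added example, not code from the thread or from Firewalla; the log lines are constructed, and the allowed block 198.51.100.0/24 is an assumed placeholder for the school's range.

```python
import ipaddress
import re

# Constructed sample OpenVPN server log excerpt (not taken from the thread).
# OpenVPN reports a peer's public source as "[AF_INET]address:port".
SAMPLE_LOG = """\
Mon Mar  4 08:01:12 2024 198.51.100.23:49152 TLS: Initial packet from [AF_INET]198.51.100.23:49152, sid=1a2b3c4d 5e6f7a8b
Mon Mar  4 08:01:13 2024 198.51.100.23:49152 [laptop] Peer Connection Initiated with [AF_INET]198.51.100.23:49152
Mon Mar  4 12:40:07 2024 203.0.113.77:1194 TLS: Initial packet from [AF_INET]203.0.113.77:1194, sid=9c8d7e6f 5a4b3c2d
Mon Mar  4 12:40:09 2024 203.0.113.77:1194 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.77:1194
"""

# Match completed handshakes only; "Initial packet" lines are attempts, not sessions.
PEER_RE = re.compile(
    r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with "
    r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def is_allowed(ip: str, allowed_cidrs: list[str]) -> bool:
    """True if ip falls inside any of the expected source CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def unexpected_peers(log_text: str, allowed_cidrs: list[str]) -> list[tuple[str, str]]:
    """Return (profile common name, source ip) for every completed session
    whose public source address lies outside the allowed blocks."""
    flagged = []
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        try:
            if not is_allowed(m["ip"], allowed_cidrs):
                flagged.append((m["cn"], m["ip"]))
        except ValueError:
            # Dotted quad with an out-of-range octet: malformed, so flag it too.
            flagged.append((m["cn"], m["ip"]))
    return flagged


if __name__ == "__main__":
    # Assumed placeholder for the school's block; replace with the real range.
    for cn, ip in unexpected_peers(SAMPLE_LOG, ["198.51.100.0/24"]):
        print(f"profile {cn!r} connected from unexpected address {ip}")
```

The same profile name appearing from two different source blocks is exactly the "shared profile" case the Support Team warns about, so that pairing is what the report surfaces.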
