Limit IP addresses that can connect to VPN?
I recently set up the VPN server functionality so that my sister can connect from school in order to securely browse the web when at school. One question that I had though, was whether or not it's possible to add rules to limit where a VPN connection can be established from? Are there specific rules that I'd need to set up to limit access? Hoping to add an extra layer of protection since it's just that one device that's connecting right now.
-
Thanks Andy. Won't that just limit what devices on the VPN can connect to, rather than from what IP addresses devices can connect to the VPN? For example, if I apply a rule blocking 10.10.10.10, then won't that just restrict devices that are connected to the VPN from being able to access 10.10.10.10, rather than preventing it from being able to establish a VPN connection?
-
It changes a little bit, but is always within a specific CIDR block so I was hoping to set up a rule to allow connections from just that block for now.
I haven't set up VPN clients on other devices just yet, but realize that it would be near impossible to set that up by IP address. Since I don't plan to set those up anytime soon, I was hoping to at least lock down access to the VPN server in the meantime.
-
Finally got around to trying this out today. Even if I add a rule to the OpenVPN network that blocks the IP address that my phone's cellular connection is showing, I'm still able to create an OpenVPN connection from my phone back to the Firewalla Gold. That said, it appears there isn't a way to be able to lock down what IP addresses can initiate a VPN connection.
-
This is correct. Rules configured in the app will not apply to the traffic initiated from/going to Firewalla itself, including the OpenVPN server running on Firewalla. This is because we don't want Firewalla itself to behave abnormally just because users configured something wrong by mistake.
So for now, you will have to manage the VPN profile carefully; do not share it with others.
-
Just curious if there are any updates on this?
So for clarity, currently the rules only apply to internal networks? So if I create a rule to block a region, that rule can only be applied at LAN level only (traffic may still flow into the FWG but then would be caught "internally" by the rule)? Likewise, with the VPN question above, any rules I create to limit access to the VPN really are rules that limit access into the LAN but would not apply to the external port on the FWG?
-
I haven’t heard of any updates to how the rules for the VPN segment apply in recent releases. That’s my understanding as well.
Someone could in theory connect from another country (assuming your OVPN or WireGuard config is breached), and then the rules that are specified would be applied to any traffic originating from the client that’s connected to the VPN. So if you block country A and allow country B, someone from country A could still connect, but traffic flowing from the client at that point wouldn’t be allowed to country A (eg couldn’t connect to a website in that country) but they would be allowed to send traffic to country B.
-
Although we have the ability to manually create custom inbound rules for Port Forwards, I do not believe we have the ability to customize the inbound rule for OpenVPN or WireGuard VPN.
Firewall rules applied to the 'WireGuard' interface that is visible in Firewalla are outbound rules.
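The thread concludes that Firewalla's app rules cannot stop a VPN session from being initiated from an unexpected address, so the remaining check is on the server side. As an added example (not from this thread or from Firewalla), the script below audits OpenVPN-style server log lines for handshakes arriving from outside an allowed CIDR block, the situation the original poster describes; the log line format, the sample lines and the CIDR are constructed assumptions.

```python
import ipaddress
import re

# Peer-address pattern as it appears in standard OpenVPN server logs
# (e.g. "TLS: Initial packet from [AF_INET]203.0.113.7:51234, sid=...");
# the log format is assumed here, not taken from the thread.
SRC_RE = re.compile(r"\[AF_INET6?\](?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)")


def parse_sources(log_lines):
    """Yield (line_no, source_ip) for every line that reports a peer address."""
    for n, line in enumerate(log_lines, 1):
        m = SRC_RE.search(line)
        if m:
            yield n, ipaddress.ip_address(m.group("ip"))


def unexpected_sources(log_lines, allowed_cidrs):
    """Return (line_no, ip) pairs whose source is outside every allowed CIDR."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return [(n, str(ip)) for n, ip in parse_sources(log_lines)
            if not any(ip in net for net in nets)]


# Constructed sample log lines, not captured from a real server.
SAMPLE_LOG = [
    "Tue Mar  5 08:12:01 2024 TLS: Initial packet from [AF_INET]198.51.100.23:41202, sid=1a2b3c4d 5e6f7a8b",
    "Tue Mar  5 08:12:02 2024 198.51.100.23:41202 Peer Connection Initiated with [AF_INET]198.51.100.23:41202",
    "Tue Mar  5 23:47:10 2024 TLS: Initial packet from [AF_INET]203.0.113.9:60012, sid=9f8e7d6c 5b4a3f2e",
    "Tue Mar  5 23:47:15 2024 203.0.113.9:60012 TLS Error: TLS handshake failed",
]

# The school's address range as the poster describes it; placeholder CIDR.
ALLOWED = ["198.51.100.0/24"]

if __name__ == "__main__":
    for n, ip in unexpected_sources(SAMPLE_LOG, ALLOWED):
        print(f"line {n}: VPN handshake from unexpected source {ip}")
```

Run it against the real server log instead of SAMPLE_LOG to see which handshakes came from outside the expected block; a hit is the signal that the profile may have been copied.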