OS X server VPN question. Restricting LAN access.

[paulpet]

Hello,

I'm playing around with OS X server VPN and was wondering if there is any way to restrict access to only certain IP address (even better to specific ports)?

Clients connect to say 192.168.1.0/24 and I only want them to be able to access an internal web server at 192.168.1.100 and nothing else on the subnet.

Any ideas on the best way to achieve this? Could I use the built in firewall with OS X server?

..or should I have the client VPN network be on a different subnet (eg. 192.168.2.0/24) and then have an intermediate router/firewall take care of restricting access?

Any suggestions/examples would be greatly appreciated!

Thanks!
-Paul

 

[belvdr]

Every VPN service I have ever configure has had the ability to restrict access. Even more to the point, a Cisco ASA can allow different access for different users.

10 seconds with Google, and guess what I found:

http://www.peachpit.com/articles/article.aspx?p=680900&seqNum=4

 

[paulpet]

Every VPN service I have ever configure has had the ability to restrict access. Even more to the point, a Cisco ASA can allow different access for different users.

10 seconds with Google, and guess what I found:

http://www.peachpit.com/articles/article.aspx?p=680900&seqNum=4

Thanks for the response, I'd already read that, but it's not what I'm after. That article seems to be showing how to restrict certain users from establishing a connection to the VPN service.

I'm trying to restrict access to only certain network addresses once a user connects to the OS X server VPN.


Thanks.
-Paul

 

[belvdr]

Well here's another stab:

http://www.maclive.net/sid/132

Scroll down to Network Routing Definitions. Define a host (an IP with a 255.255.255.255 mask) and define as private. Also, whatever you do, avoid PPTP.

 

[paulpet]

Thanks, I'd already tried/read that as well. For the record I'm using OS X server 10.5.

A network routing definition does seem like the way to go, but for the life of me I cannot get it to restrict to a single IP address, even when I use a /32 network mask.

192.168.1.100/255.255.255.255 Private providse no access at all to anything.

192.168.1.100/255.255.255.255 Public provided access, but to all machines on the /24 subnet.

I'm using an iPhone to test the connectivity from outside the network, and I'm starting to wonder if maybe it's a quirk with the VPN client.

 

[belvdr]

Could be, but you may also need to add in the external and internal IPs of the VPN server.

 

[extrachrispy]

You could try allocating your VPN client addrs from a different CIDR pool, and then firewall them out of everything but the one host to which you want them to be able to connect.

 

[paulpet]

Success!

So I just wanted to follow up with this to say that I have things working in an acceptable way.

I basically did what extrachripsy suggested and created a separate subnet for the VPN pool of addresses, and also on that same (VPN) server I enabled the firewall with rules to prevent access to the main LAN except for the intranet server.

Thanks for the responses and suggestions!

-Paul