OS X server VPN question. Restricting LAN access.
paulpet
Nov 8, 2009, 10:55 PM
Hello,
I'm playing around with OS X server VPN and was wondering if there is any way to restrict access to only certain IP address (even better to specific ports)?
Clients connect to say 192.168.1.0/24 and I only want them to be able to access an internal web server at 192.168.1.100 and nothing else on the subnet.
Any ideas on the best way to achieve this? Could I use the built in firewall with OS X server?
...or should I have the client VPN network be on a different subnet (eg. 192.168.2.0/24) and then have an intermediate router/firewall take care of restricting access?
Any suggestions/examples would be greatly appreciated!
Thanks!
-Paul
belvdr
Nov 9, 2009, 07:22 AM
Every VPN service I have ever configured has had the ability to restrict access. Even more to the point, a Cisco ASA can allow different access for different users.
10 seconds with Google, and guess what I found:
http://www.peachpit.com/articles/article.aspx?p=680900&seqNum=4
paulpet
Nov 9, 2009, 01:43 PM
Every VPN service I have ever configured has had the ability to restrict access. Even more to the point, a Cisco ASA can allow different access for different users.
10 seconds with Google, and guess what I found:
http://www.peachpit.com/articles/article.aspx?p=680900&seqNum=4
Thanks for the response, I'd already read that, but it's not what I'm after. That article seems to be showing how to restrict certain users from establishing a connection to the VPN service.
I'm trying to restrict access to only certain network addresses once a user connects to the OS X server VPN.
Thanks.
-Paul
belvdr
Nov 9, 2009, 01:52 PM
Well here's another stab:
http://www.maclive.net/sid/132
Scroll down to Network Routing Definitions. Define a host (an IP with a 255.255.255.255 mask) and define as private. Also, whatever you do, avoid PPTP.
paulpet
Nov 9, 2009, 02:28 PM
:)
Thanks, I'd already tried/read that as well. For the record I'm using OS X server 10.5.
A network routing definition does seem like the way to go, but for the life of me I cannot get it to restrict to a single IP address, even when I use a /32 network mask.
192.168.1.100/255.255.255.255 Private provides no access at all to anything.
192.168.1.100/255.255.255.255 Public provides access, but to all machines on the /24 subnet.
I'm using an iPhone to test the connectivity from outside the network, and I'm starting to wonder if maybe it's a quirk with the VPN client.
belvdr
Nov 9, 2009, 02:52 PM
Could be, but you may also need to add in the external and internal IPs of the VPN server.
extrachrispy
Nov 10, 2009, 02:49 PM
You could try allocating your VPN client addrs from a different CIDR pool, and then firewall them out of everything but the one host to which you want them to be able to connect.
paulpet
Nov 13, 2009, 08:45 PM
So I just wanted to follow up with this to say that I have things working in an acceptable way.
I basically did what extrachrispy suggested and created a separate subnet for the VPN pool of addresses, and also on that same (VPN) server I enabled the firewall with rules to prevent access to the main LAN except for the intranet server.
Thanks for the responses and suggestions!
-Paul
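What the working setup in this last post amounts to, as an added example that is not from the thread, from Apple, or from any poster: a small model of the two firewall rules (allow the VPN pool to the intranet host on its web ports, deny the VPN pool to the rest of the LAN), evaluated first-match over constructed sample flows, plus a rendering of the same policy into ipfw syntax, which is the packet filter underneath the Firewall service on 10.5 Server. The addresses 192.168.2.0/24 (VPN pool), 192.168.1.0/24 (LAN) and 192.168.1.100 (intranet server) come from the thread; the ports 80/443, the client address 192.168.2.10 and the ipfw rule numbering are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing, mirroring the thread: the VPN pool is moved off the
# LAN so the server can firewall it as a distinct source range.
VPN_POOL = ipaddress.ip_network("192.168.2.0/24")      # VPN client addresses
LAN = ipaddress.ip_network("192.168.1.0/24")           # main office LAN
INTRANET_HOST = ipaddress.ip_network("192.168.1.100/32")
WEB_PORTS = frozenset({80, 443})                       # assumption: plain web server


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str]          # "tcp", "udp", ... or None for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset]   # destination ports, None for any port

    def matches(self, proto, src, dst, dport) -> bool:
        return (
            (self.proto is None or self.proto == proto)
            and src in self.src
            and dst in self.dst
            and (self.dports is None or dport in self.dports)
        )


# First-match policy, the way ipfw walks its numbered rule list. The allow for
# the single host must come before the deny for the whole LAN, otherwise the
# broader deny swallows it.
POLICY = [
    Rule("allow", "tcp", VPN_POOL, INTRANET_HOST, WEB_PORTS),
    Rule("deny", None, VPN_POOL, LAN, None),
]


def evaluate(policy, proto, src, dst, dport=None, default="deny"):
    """Return the action of the first matching rule, else the default.

    The model only covers traffic the VPN server forwards from the pool, so a
    default deny is the least-privilege choice for anything not listed."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return default


def misordered_policy():
    """The same two rules with the deny first: the host allow is never reached."""
    return list(reversed(POLICY))


def check_sample_flows(policy=POLICY):
    """Constructed test flows: one VPN client (192.168.2.10, assumed) reaching
    the intranet server, then probing SSH on it, SMB on another LAN host and
    ICMP to a third LAN host."""
    flows = {
        "vpn->intranet http": ("tcp", "192.168.2.10", "192.168.1.100", 80),
        "vpn->intranet https": ("tcp", "192.168.2.10", "192.168.1.100", 443),
        "vpn->intranet ssh": ("tcp", "192.168.2.10", "192.168.1.100", 22),
        "vpn->fileserver smb": ("tcp", "192.168.2.10", "192.168.1.20", 445),
        "vpn->lan icmp": ("icmp", "192.168.2.10", "192.168.1.50", None),
    }
    return {name: evaluate(policy, *flow) for name, flow in flows.items()}


def to_ipfw(policy, start=1000, step=10):
    """Render the policy as ipfw rule lines. Rule numbers are assumed; this is
    an illustration of the syntax, not a configuration tested on a release."""
    def net(n):
        return str(n.network_address) if n.prefixlen == 32 else str(n)

    lines = []
    for i, r in enumerate(policy):
        proto = r.proto or "ip"
        ports = "" if r.dports is None else " " + ",".join(str(p) for p in sorted(r.dports))
        lines.append(f"add {start + i * step} {r.action} {proto} from {net(r.src)} to {net(r.dst)}{ports}")
    return lines


if __name__ == "__main__":
    for name, verdict in check_sample_flows().items():
        print(f"{name:22s} {verdict}")
    print("\n".join(to_ipfw(POLICY)))
```

Two things the model makes visible that the posts only imply: rule order decides the outcome (the reversed policy denies the intranet server too), and anything the clients legitimately need besides the web server, such as belvdr's point about the server's own internal address, needs its own explicit allow placed above the LAN-wide deny. On a real ipfw list, also check what the final catch-all rule does, since the model's default deny is a choice, not something the firewall gives you for free.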