EFW Support

Support => VPN Support => Topic started by: kashifmax on Tuesday 08 May 2012, 07:27:23 pm



Title: Allow VPN user from specific real IP - Security Question
Post by: kashifmax on Tuesday 08 May 2012, 07:27:23 pm
Hi,
I hope all EFW Administrators are doing well.
I have a security related question, if someone knows it. Can I allow a VPN user that can only connect with a designated Real IP (public IP) sitting in another branch connecting to the EFW 2.5.1? Is it possible? And how?
I know that I can create a VPN Traffic Rule with IP/MAC for the tap network. So if the user (member of admin) knows how to set up the OpenVPN client (also knows where to copy the certificate & conf file) then the user can install the client on any machine. Also, if the user is intelligent then he/she can set the IP/MAC the same as the branch machine (tap network) on a home PC or anywhere.

Thank you


Title: Re: Allow VPN user from specific real IP - Security Question
Post by: mrkroket on Wednesday 09 May 2012, 12:26:51 am
Except for the VPN firewall, as far as I know you can't directly assign an OpenVPN client to a public IP.
Googling you get that. You must adapt it to Endian, might work.
https://forums.openvpn.net/topic10286.html

If you also administer the remote site and nobody else can access EFW to retrieve the certificate, use a Site to Site OpenVPN.
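The generic OpenVPN approach behind the linked thread is a server-side hook that refuses a client whose certificate is valid but whose real (pre-tunnel) source address is not the one registered for that branch. The script below is an added example, not code from this thread or from Endian; it assumes the server's OpenVPN config can be given `script-security 2` and a `client-connect` hook (the file path `/etc/openvpn/check-source-ip.sh` and the branch names and addresses are constructed placeholders). OpenVPN exports the client's certificate common name as `$common_name` and its public source address as `$trusted_ip` when it runs `client-connect`, and a non-zero exit from the hook rejects the connection. Because the check is made on the public IP seen by the server rather than on the tap-side IP/MAC, a copied certificate used from a home PC fails the check; it does require each branch to sit behind a static public address.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect hook that only admits a client
# certificate when it arrives from the public IP registered for that branch.
# Assumed server.conf lines (hypothetical path):
#   script-security 2
#   client-connect /etc/openvpn/check-source-ip.sh

# Constructed sample allowlist: "<common_name> <public_ip>" per line.
# In production read this from a file the OpenVPN user can only read.
SAMPLE_ALLOWLIST='branch-lahore 203.0.113.10
branch-karachi 198.51.100.7'

# allowed_ip_for CN LIST -> prints the IP registered for CN, nothing if absent
allowed_ip_for() {
    printf '%s\n' "$2" | awk -v cn="$1" '$1 == cn { print $2; exit }'
}

# check_source_ip CN IP LIST -> exit 0 if CN is registered for IP, 1 otherwise
# An unregistered CN is rejected rather than allowed by default.
check_source_ip() {
    expected=$(allowed_ip_for "$1" "$3")
    [ -n "$expected" ] && [ "$expected" = "$2" ]
}

# When OpenVPN invokes the hook, $common_name and $trusted_ip are set.
if [ -n "$common_name" ] && [ -n "$trusted_ip" ]; then
    allowlist=$SAMPLE_ALLOWLIST
    [ -r /etc/openvpn/branch-ips.txt ] && allowlist=$(cat /etc/openvpn/branch-ips.txt)
    if check_source_ip "$common_name" "$trusted_ip" "$allowlist"; then
        exit 0
    fi
    echo "rejecting $common_name from $trusted_ip: not the registered branch IP" >&2
    exit 1
fi
```

The rejection is logged to stderr, which OpenVPN forwards to its own log, so a certificate being used from an unexpected address shows up as a detectable event rather than silently succeeding.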


Title: Re: Allow VPN user from specific real IP - Security Question
Post by: kashifmax on Wednesday 09 May 2012, 05:08:15 pm
The site to site is good only for fewer branches, but if there are more than 5 branches then it's very hard to implement net-to-net. The link you provided me is excellent; I will do some tests and I'll post the output if I succeed, and I'll also search for easier ways to do it if possible...

Thank you so much mrkroket :)