Title: Allow VPN user from specific real IP - Security Question
Post by: kashifmax on Tuesday 08 May 2012, 07:27:23 pm

Hi,

I hope all EFW Administrators are doing well. I have a security related question, if someone knows it. Can I allow a VPN user that can only connect with a designated Real IP (public IP) sitting in another branch connecting to the EFW 2.5.1? Is it possible? And how? I know that I can create a VPN Traffic Rule with IP/MAC for the tap network. So if the user (member of admin) knows how to set up the OpenVPN client (and also knows where to copy the certificate & conf file) then the user can install the client on any machine. Also, if the user is intelligent, then he/she can set the IP/MAC the same as the branch machine (tap network) on a home PC or anywhere.

Thank you

Title: Re: Allow VPN user from specific real IP - Security Question
Post by: mrkroket on Wednesday 09 May 2012, 12:26:51 am

Except for the VPN firewall, as far as I know you can't directly assign an OpenVPN client to a public IP.
Googling you get that. You must adapt it to Endian; it might work. https://forums.openvpn.net/topic10286.html
If you also administer the remote site and nobody else can access EFW to retrieve the certificate, use a Site to Site OpenVPN.

Title: Re: Allow VPN user from specific real IP - Security Question
Post by: kashifmax on Wednesday 09 May 2012, 05:08:15 pm

The site to site is good only for fewer branches, but if there are more than 5 branches then it's very hard to implement net-to-net. The link you provided me is excellent; I will do some tests and I'll post the output if I succeed, and I'll also search for easier ways to do it if possible...

Thank you so much mrkroket :)
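One way to enforce the restriction asked about in this thread on a stock OpenVPN server, as an added example that is not from the original posts, the Endian Firewall project, or the linked OpenVPN forum thread: a `client-connect` hook that compares the certificate's common name and the peer's real source address against a per-branch allow list and refuses the session on mismatch. The policy entries, the script path and the branch names are constructed assumptions; `client-connect`, `script-security`, and the `common_name` / `trusted_ip` environment variables are standard OpenVPN 2.x features.

```shell
#!/bin/sh
# Added example (not from the forum thread or the OpenVPN project): an OpenVPN
# "client-connect" hook that rejects a certificate holder who connects from a
# public IP other than the one assigned to that branch. OpenVPN passes the
# peer certificate CN in $common_name and the peer's real source address in
# $trusted_ip; a non-zero exit status makes the server refuse the session.
# Assumed server-side config lines (not on the page):
#   script-security 2
#   client-connect /etc/openvpn/check-source.sh

# Constructed policy: "<common_name> <allowed public IP>", one pair per line.
# A CN may appear on several lines; a CN with no line is denied from everywhere,
# so a copied certificate used from a home PC is refused even though it is valid.
ALLOWED_SOURCES="branch-karachi 203.0.113.10
branch-lahore 198.51.100.7
branch-lahore 198.51.100.8"

# allowed_source CN IP -> status 0 if the pair is in the policy, 1 otherwise.
allowed_source() {
    cn=$1
    ip=$2
    # Reject empty inputs so a missing env var can never match a blank line.
    [ -n "$cn" ] && [ -n "$ip" ] || return 1
    # -x: whole-line match; -F: literal, so dots in the IP are not wildcards.
    printf '%s\n' "$ALLOWED_SOURCES" | grep -qxF -- "$cn $ip"
}

# Hook entry point: only runs when OpenVPN invoked us (env vars present).
if [ -n "$common_name" ] && [ -n "$trusted_ip" ]; then
    if allowed_source "$common_name" "$trusted_ip"; then
        logger -t openvpn-source-check "allow $common_name from $trusted_ip"
        exit 0
    fi
    logger -t openvpn-source-check "DENY $common_name from $trusted_ip"
    exit 1
fi
```

Because `trusted_ip` is the address the server actually sees, a branch behind NAT is matched by its NAT gateway's public IP, which is exactly the "designated real IP" the question asks about; the DENY log line is the event to alert on.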