Welcome, Guest. Please login or register.
Did you miss your activation email?
Saturday 19 October 2019, 04:33:25 pm

Login with username, password and session length

CLICK HERE for the The official Endian Roadmap and Issue tracker
13950 Posts in 4247 Topics by 6001 Members
Latest Member: aerovillage
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  Allow VPN user from specific real IP - Security Question
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Allow VPN user from specific real IP - Security Question  (Read 3971 times)
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« on: Tuesday 08 May 2012, 07:27:23 pm »

Hi,
I hope all EFW Adminstrators are doing well.
I have a security related question, if someone knows it. Can I allow a VPN user that can only connects with a designated Real IP (public IP) sitting in another branch connecting to the EFW2.5.1 ? Is it possible ? And how ?
I know that I can create a VPN Traffic Rule with IP/MAC for the tap network. So if the user (member of admin) knows how to setup openvpn client (also knows where to copy certificate & conf file) than the user can install client in any machine. Also if the user is intelligent than he/she can set the IP/MAC as same as branch machine (tap network) in home pc or anywhere.

Thank you
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #1 on: Wednesday 09 May 2012, 12:26:51 am »

Except for the VPN firewall, as far as I know you can't directly assing an openvpnclient to a public IP.
Googling you get that. You must adapt it to Endian, might work.
https://forums.openvpn.net/topic10286.html

If you also administer the remote site and nobody more can access EFW to retrieve the certificate, use a Site to Site OpenVPN.
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #2 on: Wednesday 09 May 2012, 05:08:15 pm »

The site to site is good only for less branches but if the branches are more than 5 than its very hard to implement net-to-net. The link you provide me is excellent, I will do some test and I'll post the output if I succeeded and I'll also searching the easier ways to do it if possible...

Thank you so much mrkroket Smiley
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.031 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com