Hi,
I am currently using an on-prem RMM service for my clients. I currently allow NAT from known client IPs to my RMM ports. I do not expose those ports to any other IP.
However, I want to use the RMM on client laptops when they are not onsite. I do not trust all these laptops, some are residential users and some are personal devices.
Can I create a VPN (using OPNsense) to a “dead in the water” local network, using split-tunnel with the only route being to/from RMM ports, with no other traffic allowed? I basically just want to route RMM traffic so that it comes from a known IP.
Is a VPN secure when used in this way? Is there any risk of clients reaching local network resources?
Traffic from the VPN clients should behave the same as traffic from onsite clients. They do what you allow them to do. Drop them in a separate zone and deny all traffic that isn’t to your specific resources. Including denying traffic to WAN through the VPN tunnels.
TL;DR, they’re just as likely to reach something they shouldn’t as LAN users.
The VPN doesn’t replace a firewall. It sounds like what you need is a firewall, where you can set up a DMZ behind it, park the RMM, and connect both your local and off-prem clients. As long as you explicitly tell the firewall what’s allowed to get to the DMZ and then “deny any any,” you shouldn’t need to worry about resource leakage.
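As an added illustration of the zone policy both replies describe (not code from the thread or from OPNsense itself), here is a small first-match rule evaluator: the VPN zone gets one explicit allow to the RMM host on its ports in the DMZ, followed by a deny-everything rule, and sample flows show that LAN, WAN and other DMZ hosts are all blocked regardless of what the split-tunnel routes. The subnets, host address, and port numbers are assumptions chosen for the example.

```python
# Added example: model of the "allow RMM, then deny any any" policy for the
# VPN zone. Addresses and ports are constructed values, not the poster's.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed zones on the OPNsense box (constructed for the example).
ZONES = {
    "vpn": ip_network("10.8.0.0/24"),      # VPN client address pool
    "lan": ip_network("192.168.1.0/24"),   # internal LAN
    "dmz": ip_network("192.168.50.0/24"),  # DMZ holding the RMM server
}
RMM_HOST = ip_network("192.168.50.10/32")  # assumed RMM server address
RMM_PORTS = frozenset({443, 8443})         # assumed RMM listener ports


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src_zone: str                  # zone the flow originates from
    dst: Optional[IPv4Network]     # None means "any" destination
    ports: frozenset               # empty set means any destination port


def zone_of(addr: IPv4Address) -> str:
    """Name the zone containing addr; anything outside our nets is WAN."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


# First-match rules for traffic entering from the VPN zone, in the order the
# replies recommend: the explicit allow first, the catch-all block last.
# Nothing else (LAN, WAN, the rest of the DMZ) is reachable from the VPN.
VPN_RULES = [
    Rule("pass", "vpn", RMM_HOST, RMM_PORTS),
    Rule("block", "vpn", None, frozenset()),   # the "deny any any"
]


def evaluate(src: str, dst: str, dport: int, rules=VPN_RULES) -> str:
    """Return 'pass' or 'block' for a TCP flow src -> dst:dport."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in rules:
        if r.src_zone != zone_of(src_ip):
            continue
        if (r.dst is None or dst_ip in r.dst) and (not r.ports or dport in r.ports):
            return r.action
    return "block"  # implicit default deny when no rule matched
```

Run `evaluate("10.8.0.5", "192.168.50.10", 443)` to see the one permitted flow; every other destination from the VPN pool, including the RMM host on a non-RMM port, falls through to the block rule.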
Thanks.
The RMM is already in a DMZ on the same firewall as the VPN server