Hello, what's the best way to go about limiting users with VPN access to my network so they can only access specific servers?
I was hoping there was a way to do it with one VPN server, because my idea was to have a VPN server in each VLAN, which is excessive.
The scenario is I have a homelab at home and want my friends to be able to access one or two servers I have set up, but have full access to my network if I am out and about. I currently have a pfSense router, a Juniper switch and some virtual servers and other things here and there.
You need a split-tunneling profile for the VPN, and then create the necessary firewall rules between the inside network of the VPN and the destinations.
If the VPN inside network is Y and VPN user 1 only needs access to (some IP address called X), then their split-tunneling profile would only include X/32, and the network interface on their end inherits a route to X/32.
And your firewall rule would set policy accessvpn-to-x source address y/? destination x port ? permit
With an access VPN, a user logs into the VPN and a network adapter is created on their machine that contains routes to the subnets allowed in the split-tunnel profile of the VPN config assigned to the user or the user's role.
The VPN has an outside interface (public IP) and an inside interface. You assign a network to the inside range. When a user authenticates, one of the addresses in that network is assigned to them.
So if you want a user to only access a certain network or just an IP, that would be configured in the profile.
You will need a firewall rule to allow the two networks to communicate, though I guess you can get around that if it's all on the same network.
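As an added example (not part of the original thread and not anyone's production config), here is one concrete way to express the per-user split-tunnel profile and the matching firewall rules described above. It assumes OpenVPN on pfSense with `topology subnet`, a tunnel ("inside") network of 10.8.0.0/24 on interface `ovpns1`, and `client-config-dir` enabled so each client CN gets its own profile file; the user names and every address are hypothetical. The script generates the per-user profile, generates pf-style rules, and then checks sample traffic against the same policy so you can confirm a friend really cannot reach anything but their server.

```python
"""
Per-user OpenVPN split-tunnel profiles plus matching pf firewall rules.

Assumptions (not from the original thread): OpenVPN with 'topology subnet',
tunnel network 10.8.0.0/24 on pfSense interface 'ovpns1', and pf rules that
use 'quick' so the first matching rule wins. All addresses are made up.
"""
import ipaddress

TUN_NET = ipaddress.ip_network("10.8.0.0/24")  # VPN inside network (assumed)
TUN_IF = "ovpns1"                              # OpenVPN server interface (assumed)

# Policy: VPN user -> fixed tunnel address and (destination, proto, port) they
# may reach. Constructed example data; the user names and IPs are hypothetical.
POLICY = {
    "friend1": {"addr": "10.8.0.10",
                "allow": [("192.168.20.5/32", "tcp", 22),
                          ("192.168.20.5/32", "tcp", 443)]},
    "friend2": {"addr": "10.8.0.11",
                "allow": [("192.168.20.6/32", "udp", 25565)]},
    "owner":   {"addr": "10.8.0.2",
                "allow": [("192.168.0.0/16", "any", None)]},
}


def ccd_profile(user):
    """Contents of the client-config-dir file for one user (file name = CN).

    'ifconfig-push' pins the user to a known tunnel address so a firewall
    rule can refer to it; each 'push route' only makes the destination
    reachable through the adapter. Routes are convenience, not enforcement.
    """
    entry = POLICY[user]
    addr = ipaddress.ip_address(entry["addr"])
    assert addr in TUN_NET, "pushed address must lie in the tunnel network"
    lines = [f"ifconfig-push {addr} {TUN_NET.netmask}"]
    for dst, _proto, _port in entry["allow"]:
        net = ipaddress.ip_network(dst)
        line = f'push "route {net.network_address} {net.netmask}"'
        if line not in lines:           # one route per destination
            lines.append(line)
    return "\n".join(lines) + "\n"


def pf_rules():
    """pf rules for traffic entering from the VPN: one explicit pass per
    user/destination, then a default block. With 'quick', order is first match."""
    rules = []
    for entry in POLICY.values():
        for dst, proto, port in entry["allow"]:
            proto_s = "" if proto == "any" else f"proto {proto} "
            port_s = "" if port is None else f" port {port}"
            rules.append(f"pass in quick on {TUN_IF} inet {proto_s}"
                         f"from {entry['addr']} to {dst}{port_s}")
    rules.append(f"block in quick on {TUN_IF} inet all")
    return rules


def allowed(src, dst, proto, port):
    """Evaluate a packet against the same policy the rules were built from,
    in rule order: True only if some pass rule matches, else the block wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in POLICY.values():
        if src_ip != ipaddress.ip_address(entry["addr"]):
            continue
        for net, rproto, rport in entry["allow"]:
            if (dst_ip in ipaddress.ip_network(net)
                    and rproto in ("any", proto)
                    and rport in (None, port)):
                return True
    return False


if __name__ == "__main__":
    for user in POLICY:
        print(f"# ccd/{user}\n{ccd_profile(user)}")
    print("\n".join(pf_rules()))
    print(allowed("10.8.0.10", "192.168.20.5", "tcp", 22))   # friend1 -> SSH on X
    print(allowed("10.8.0.10", "192.168.20.6", "udp", 25565))  # friend1 -> friend2's box
```

The point of keeping `allowed()` next to `pf_rules()` is that the route push and the firewall rule are two different things: a client can ignore pushed routes (OpenVPN's `route-nopull`) or add its own, so the `pass`/`block` rules on the VPN interface are what actually stop a friend from reaching the rest of the LAN, and the trailing `block in quick ... all` also covers VPN-client-to-VPN-client traffic that the server would otherwise route. In pfSense the equivalent is the rule list on the OpenVPN interface tab; the generated text is just a readable way to check that list.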