VPN network limitation


  • BINNED

    Not really coding help, but there's no better category...

    I have a VPN (PPTP) server set up. Users have been created and are getting IPs through DHCP from a router the machine is physically connected to.

    What I would like to do now is:

    1. Limit users to be able to access only certain IPs, preferably based on the username
    2. Less important, but desirable: provide automatic routes to them when they connect so they don't have to screw around with that manually (especially a pain on Windows). All users are fairly competent though, so it's not a huge deal.

    The server itself is running Debian. I am fine with creating local users and relating them to VPN usernames if required. If I can do it using iptables great, if I need additional software, fine.

    I'm really not a network guy, but there's no one else who can do this shit, unfortunately. Google is being fucking useless, either there are no good instructions or I'm searching for wrong stuff, so I'm asking here.


  • Discourse touched me in a no-no place

    @Onyx said:

    Limit users to be able to access only certain IPs, preferably based on the username

    Sounds like giving each user their own VPN with its own firewall rules. Not enough coffee yet to be sure, but smells a bit off…


  • BINNED

    @dkf said:

    Sounds like giving each user their own VPN with its own firewall rules. Not enough coffee yet to be sure, but smells a bit off…

    It's a bit of a dumb setup due to things out of my control, yeah.

    Maybe I phrased it so that it seems like more micromanagement than it is. Basically, I need two groups of users: one that can access anything on the network, and one that can access only certain machines. I want to limit it by IPs since there are samba shares and whatnot on some segments of the network(s) that are mostly unsecured within the local network.

    The VPN connects to a machine at 10.0.0.XX. I want the limited group of users to only have access to that machine and (at the moment) another one at 10.0.0.YY. The other group should have access to anything on 10.0.0.0, in addition to yet another entire network that's in the 192.168.0.0 range. Right now, everyone can access all of it.



  • PPTP? I hope your usage of that comes with a somewhat more secure authentication method than that broken one Windows liked as default (and outside of that I think encryption on there was also using some dated algorithm?).


  • BINNED

    @NTAuthority said:

    PPTP? I hope your usage of that comes with a somewhat more secure authentication method than that broken one Windows liked as default (and outside of that I think encryption on there was also using some dated algorithm?).

    Connection settings on my Linux machine. If it sucks do tell me so I can change it. Again, this is not my domain, I'm only doing this shit because I'm, sadly, the most competent person around -.-



  • All these methods seem broken, which is why nobody seems to recommend PPTP anymore. Sadly, setting up IPSec and L2TP is an even bigger mess of broken old documentation and weird server software.

    Alternately, live with the fact that data is unencrypted. Also, as to 'limiting IPs', I'd somehow get some way to assign the users (based on some client ID? been a while since using anything VPN) a specific IP and then just go with normal iptables/netfilter rules.
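
The "pin each user to a fixed address, then filter with netfilter" approach from the post above, as an added example that is not code from anyone in this thread: it reads pppd's /etc/ppp/chap-secrets format (fourth column = the client's fixed tunnel IP, which replaces the DHCP assignment) and prints the FORWARD rules for a full-access group and a limited group. The usernames, addresses, the /24 and /16 masks, and the two hosts standing in for 10.0.0.XX/10.0.0.YY are all constructed assumptions; review the printed commands before running them as root.

```shell
#!/bin/sh
# Added example: derive iptables FORWARD rules for PPTP clients from fixed
# per-user tunnel IPs. Assumes pppd pins each address via the 4th column of
# /etc/ppp/chap-secrets (constructed sample below, secrets replaced by '*').
CHAP_SECRETS='alice pptpd * 10.0.0.201
bob   pptpd * 10.0.0.202
carol pptpd * 10.0.0.203
dave  pptpd * 10.0.0.204'

# Hypothetical group membership; any user not listed here is "limited".
FULL_ACCESS="alice bob"
# Hosts the limited group may reach (placeholders for 10.0.0.XX / 10.0.0.YY).
LIMITED_HOSTS="10.0.0.20 10.0.0.21"
# Networks the full-access group may reach (masks are assumptions).
FULL_NETS="10.0.0.0/24 192.168.0.0/16"

# Look up the fixed tunnel IP for one username.
user_ip() {
  printf '%s\n' "$CHAP_SECRETS" | awk -v u="$1" '$1 == u { print $4; exit }'
}

# Return 0 if the username is in the full-access group.
is_full() {
  for f in $FULL_ACCESS; do [ "$f" = "$1" ] && return 0; done
  return 1
}

# Print (do not execute) the netfilter rules. Traffic to the VPN server
# itself goes through INPUT, not FORWARD, so it is unaffected by these.
gen_rules() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "$CHAP_SECRETS" | while read -r user _server _secret ip; do
    [ -n "$user" ] || continue
    if is_full "$user"; then
      for n in $FULL_NETS; do
        echo "iptables -A FORWARD -i ppp+ -s $ip -d $n -j ACCEPT"
      done
    else
      for h in $LIMITED_HOSTS; do
        echo "iptables -A FORWARD -i ppp+ -s $ip -d $h -j ACCEPT"
      done
    fi
  done
  # Anything else from a tunnel is logged, then dropped by the policy.
  echo "iptables -A FORWARD -i ppp+ -j LOG --log-prefix 'vpn-denied: '"
}

gen_rules
```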


  • BINNED

    @NTAuthority said:

    Also, as to 'limiting IPs', I'd somehow get some way to assign the users (based on some client ID? been a while since using anything VPN) a specific IP and then just go with normal iptables/netfilter rules.

    I seem to recall you could also use usernames in iptables. But that's local machine usernames AFAIK. So if that works and I find a way to bind VPN users to local users that would do it, I guess.



  • @Onyx said:

    I seem to recall you could also use usernames in iptables. But that's local machine usernames AFAIK. So if that works and I find a way to bind VPN users to local users that would do it, I guess.

    Nah, I'd doubt typical tunneling servers would be able to impersonate that easily.

