How to best restrict what resources a VPN client can access (noob)?


Collin

New Around Here
Hello all

I'm a networking novice looking to setup a VPN that allows me to securely access my local NAS over the WAN. I already have this running using PPTP. The router acts as the VPN server. As it is now, this provides the VPN client (Windows & Linux laptops) unrestricted access to my entire LAN. I want to limit this so VPN clients have access to nothing but the NAS. What is the most robust/secure way to do this?

I'm thinking of creating two VLANs. Most of my LAN would run on VLAN1, but one RJ45 port on the router connected to the NAS would run on VLAN2. Looking at the OpenVPN configuration on my router, it looks like I could then switch from TUN to TAP and then bridge the OpenVPN server to VLAN2. I think that would achieve my goal.

However:

  • Is this considered best practice, or are there more secure/robust approaches?
  • Is there a way to achieve something similar without having to connect an additional ethernet cable (likely meaning without requiring VLAN2)?
  • It seems bridging in this way is only possible using OpenVPN. At least in my router's VPN configuration UI, that bridging option doesn't exist for PPTP or L2TP/IPSec. How would VPN systems not based on OpenVPN solve this?

Hardware shouldn't be an issue here. This is purely a conceptual question. If implementing a good concept requires new hardware then I can do that. I'm more interested in what options I have, weighing benefits vs drawbacks, hearing what people consider to be best practice, and better understanding what issues I should be thinking about as potential problems.

Any pointers greatly appreciated!
Use this guide to enable a VPN server, which is the best thing you can do for your needs:
https://www.snbforums.com/threads/h...th-asus-routers-380-66-6-updated-07-05.33638/
 
Hey yorgi.

Thank you very much for the well written tutorial. I'm sure that will come in very handy. However, for the moment I'm not too concerned with how to get OpenVPN setup and running. What I'm really looking for is a way to isolate some parts of the LAN so not all of it is accessible from the VPN endpoint. Not in terms of what buttons to press or configurations to make, but from a conceptual point of view. I hope I didn't, but if you mentioned something along those lines in your article then I missed it.

Any pointers on that topic (also for isolating LAN segments using PPTP or L2TP rather than OpenVPN)?
 
This article may be of help to you:
https://www.smallnetbuilder.com/lan...an-how-to-segmenting-a-small-lan?limitstart=0
 

Well that was just great. Thank you!

I think I now have a working understanding of VLAN concepts. What I still don't understand is how VPNs and VLANs fit together. They don't seem to be naturally compatible.

Say I have an L2TP/IPSec VPN server running on my edge router. How does that VPN server become VLAN aware? How do I restrict the IPSec VPN server to communicating only across a specific RJ45 port on the router (thereby being tagged) or to communicating exclusively across a specific VLAN? Is this something that an IPSec VPN server should support but my router firmware just doesn't, or is my whole approach, where I'm trying to limit an IPSec VPN to using only a specific LAN segment, entirely wrong?
 
What I still don't understand is how VPNs and VLANs fit together. They don't seem to be naturally compatible.

They don't need to be - VLAN and VPN are on two different layers on the ISO stack of networking...
 
They don't need to be - VLAN and VPN are on two different layers on the ISO stack of networking...

Hmmm... I know I'm going to embarrass myself here (with no networking skills beyond what I've read), but let me try to explain:

Yes, remote access VPNs typically operate on L2. VLANs are an L3 construct. However, L2 switches still deal with VLAN tags on L2, so it seems VLAN operation and management spans both L2 and L3. At least that is my current understanding.

On a managed L2 switch I can assign a VLAN ID to each ethernet port. I currently understand a remote access VPN to basically be a virtual L2 switch that ties VPN clients into the LAN at L2. I therefore concluded I should have similar capabilities, i.e. also be able to specify the VLAN ID and/or the host's ethernet port which the VPN server should use.

I'm getting the feeling that this conclusion is wrong. I don't understand why. Can someone explain?

The impression I have now is that a VPN server will automatically gain access to all the VLANs its host has access to. So, if the intent is to isolate the VPN server from some VLANs, what I must actually isolate is the host. The implication is that I can't setup the VPN server anywhere in the network. If I were to setup the VPN server on my edge router, it would automatically gain access to every VLAN the router can access. This basically forces me to add a dedicated VPN host to my network infrastructure, because no other host that is capable of running a VPN server will be isolated in the same way.

Am I getting this right? I expect not, but looking forward to learning a lot by having you all shred it to pieces ;-)
 
VLANs live in the ethernet layer of the stack... that's why in even a simple L2-managed switch, we can define VLANs without having any layer 3 management activity on it.

VPNs can live at that layer as well - for example with L2TP/IPSec, or they can encapsulate ethernet frames at the IP layer like OpenVPN - with OVPN, we push frames into the IP layer, mush them over the public WAN, and on the other end, we take them back out.

As to your question about VPN and access to resources, not limited to VLANs, this is routing, which is different than switching... VLANs and VPNs - both can be routed, as the VPN will present an interface and a virtual MAC address - and through routing, we can make decisions regarding policy - what data goes where, and this is generally done at a generic description of access control.

There's lots of ways to do things - but generally in network design, it's best to keep things as simple as possible - introducing new elements on an as needed basis only if the need is justified.
 
As to your question about VPN and access to resources, not limited to VLANs, this is routing, which is different than switching... VLANs and VPNs - both can be routed, as the VPN will present an interface and a virtual MAC address - and through routing, we can make decisions regarding policy - what data goes where, and this is generally done at a generic description of access control.

Okay, routing, not switching! Thank you! I've done some googling and stumbled across concepts like access control lists and firewall rules, which appear more applicable to my problem than VLANs.

Given this:

VLAN1   local subnet 1      192.168.1.x/24
VLAN2   local subnet 2      192.168.42.x/24
VPN     non-local subnet    172.168.1.x/24

VPN clients are dynamically assigned IP addresses from the non-local subnet's IP range. If I intend to restrict VPN client access to VLAN2, then I would setup rules that prevent routing between 172.168.1.x and 192.168.1.x but allow routing to 192.168.42.x. Correct?

Is the ability to define such routing rules the main reason why remote access VPN clients are typically managed in their own subnet, or is there some other more important reason behind that which I haven't yet understood?
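The routing-based access control sfx00 describes, and the concrete rule set Collin sketches (allow 172.168.1.x to 192.168.42.x, block it to 192.168.1.x), as an added example that is not from this thread or from any router vendor. It assumes a Linux-based router with iptables, an OpenVPN server interface named tun21 (the ASUSWRT name for server 1; the name on other firmware will differ), and the three /24 networks from the post; note that 172.168.1.0/24 is not an RFC 1918 private range, so a pool like 10.8.0.0/24 would be the safer choice.

```shell
#!/bin/sh
# Added example: restrict routed VPN clients to the NAS VLAN with a default-drop chain.
# Assumed names/values (adjust to your router): interface tun21 and the thread's subnets.
VPN_IF="${VPN_IF:-tun21}"
VPN_NET="${VPN_NET:-172.168.1.0/24}"     # VPN client pool (not RFC 1918; 10.8.0.0/24 is safer)
NAS_NET="${NAS_NET:-192.168.42.0/24}"    # VLAN2: the only LAN the clients may reach
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # VLAN1: the rest of the LAN

# Print the iptables commands instead of running them, so they can be reviewed first.
# They belong in FORWARD because VPN-to-LAN traffic is routed by the router; traffic
# addressed to the router itself (web UI, DNS) is governed by INPUT and needs its own rule.
# The explicit DROP for LAN_NET is redundant with the final DROP but gives a dedicated
# packet counter, so "VPN client tried to reach VLAN1" is visible in iptables -nvL.
vpn_fw_rules() {
cat <<EOF
iptables -N VPN_TO_LAN 2>/dev/null
iptables -F VPN_TO_LAN
iptables -A VPN_TO_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_TO_LAN -s $VPN_NET -d $NAS_NET -j ACCEPT
iptables -A VPN_TO_LAN -s $VPN_NET -d $LAN_NET -j DROP
iptables -A VPN_TO_LAN -j DROP
iptables -D FORWARD -i $VPN_IF -j VPN_TO_LAN 2>/dev/null
iptables -I FORWARD 1 -i $VPN_IF -j VPN_TO_LAN
EOF
}

# "192.168.42.0/24" -> "192.168.42."  (/24-only prefix helper for the simulator below)
net_prefix() { printf '%s.' "${1%.*/24}"; }

# Pure-shell model of the chain: vpn_policy SRC DST prints ACCEPT or DROP for a NEW
# connection, so the intended policy can be checked before touching the live firewall.
vpn_policy() {
  vp=$(net_prefix "$VPN_NET"); np=$(net_prefix "$NAS_NET")
  case "$1" in "$vp"*) ;; *) echo DROP; return 0 ;; esac   # not from a VPN client
  case "$2" in "$np"*) echo ACCEPT ;; *) echo DROP ;; esac # only the NAS VLAN is reachable
}

# Usage: ./vpn_policy.sh        -> print the rules for review
#        ./vpn_policy.sh | sh   -> apply them (as root, on the router)
vpn_fw_rules
```

Because the chain drops everything not explicitly allowed, a client is also blocked from any further VLANs the router can reach, which is the property the thread is after.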
 