Limiting incoming VPN client to the single local address bidirectionally

[Pila]

I need to let someone connect to my LAN, using OpenVPN and connect them to Virtual machine at 192.168.1.5:5555. This VPN connection must be bidirectionall as my local Virtual machine must print at their remote printer. They must be strictly limited to be able to access only that VM and nothing else!

I use VPNs on a daily basis. My routers are constantly running VPNserver1. All is well, bidirectional (client initiated -> server connections) also work fine.

This new user (say, ASD) must not interfere with my regular VPNs nor have any acess to any of my systems. I am lending a helping hand to someone who will be in great distress (literary: lives are at steak) if I can not provide this remote service for some time, until a better local solution can be safely made. I have few weeks time to make it work. Plan B is to give them additional PC which is extremely cumbersome fot them.

Here is my plan, I appreciate any feedback and help.

1. Create completely new set of certificates. At my router make a VPNServer2, changing its port to e.g. 1197 and VPN Subnet to e.g. 10.37.0.0. and allow Client <-> Client Push back to 192.168.3.7.

2. The remote WinXP PC will be 192.168.3.7, CN: ASD, and will be connecting using UltraVNC, having dynamic WAN IP

3. When they connect to VPNserver2, they must be allowed only to 192.168.1.5:5555 but the connection must remain bidirectional!

I do not know how to do point #3. Everything else should be under control.

Also, if my plan is fundamentally flawed, pls advise.

Irrelevant, but the router is Asuswrt-Merlin RT-AC68U_380.59_0. They are not available for me to test at my convenience, so deployment can not be done quickly.

 

[Zirescu]

Is the virtual machine running Windows as well? Any reason to not use a tool like TeamViewer?

 

[Pila]

Windows 7. TeamViewer would not allow me remote printing. It is usable, but they would have to print PDF localy within VM and move PDF over to them. Likely, too complicated for medicinal stuff.

 

[martinr]

This might be one where you'd be better off going to an OpenVPN forum eg

https://forums.openvpn.net/

for the specialist advice. However, if you do, and you get sorted, please post a link back here so we, and any future viewer, can see the outcome.

 

[Zirescu]

Windows 7. TeamViewer would not allow me remote printing. It is usable, but they would have to print PDF localy within VM and move PDF over to them. Likely, too complicated for medicinal stuff.

In TeamViewer 11 remote printing is available under the Advanced -> Advanced Network Settings.

 

[Zirescu]

If the Windows 7 PC is running Pro you could use Remote Desktop as that would also allow remote printing.

 

[ColinTaylor]

+1 for using Remote Desktop. But bear in mind (if you haven't already) that irrespective of any VPN setup, once they are connected to the VM they will have full access to any network resources that that machine has.

 

[Pila]

I will have to check Remote Desktop as I never used it. Providing it can work with WinXP.

Also, I will have to check TeemViewer Remote printing, but still I do not like how many things one can press in it. As I said - medicinal stuff, not technical people.

@ColinTaylor - yes, VirtualWin7 will be restricted to only one folder on the server.

 

[Pila]

But again, if I do open a VPN connection, I still need to limit its reach so it can go nowhere if someone fires up another app and enters my end of VPN. So, I am back to my original quesiton.

 

[ColinTaylor]

Check out martinr's reply in post #4.

 

[Pila]

Check out martinr's reply in post #4.

I will, but I expected someone here to know what I expect to be 1 or 2 lines of routing needed. Route server2 to addresX