[SOLVED] Block access to LAN from internal VPN

Oct 21, 2020
We have around 50 users in our network. I configured Kerio as a VPN server for users to get Internet access and to split the local network from the internet. Our users connect to Kerio via L2TP VPN in order to access the internet. What I want is that whenever users connect to Kerio and get a 10.20.30.0/24 address, they do not have access to the LAN network, and they should disconnect from the VPN to have access to the LAN servers. I wrote a rule in Kerio to block any requests from 10.20.30.0/24 -> 192.168.100.0/24, but when users connect via VPN they can also access the LAN. What should I do to restrict the access? Thank you.
Kerio VPN IP range: 10.20.30.0/24
LAN IP range: 192.168.100.0/24
 
Solution
The best option is if the VPN client has a function called split tunnel. This feature is designed to address exactly the problem you describe. Most VPN clients have it. All you do is turn the feature on: if the VPN tunnel is up, all traffic must go via the tunnel. It will in fact attempt to send the LAN IP addresses over the VPN even though it will not actually do anything. This is called "read the manual for your VPN solution".

You cannot actually do it on consumer-grade network equipment. Since it must be done on a switch, it is not even a common feature for commercial equipment. The end device directly talks to other end devices, so a hardware router or firewall can't filter it.


If you do not have the feature in the VPN...
This function is called split tunnel. In many cases it is an option you can turn on and off in the VPN client. There is no easy way to do this from the network side. You can of course do it on the PC firewall, but that just prevents accidental access, not someone who is willing to change the firewall. There is also some risk in the VPN client if the end user can change the split tunnel options.
 
If you do not have the feature in the VPN, then you must do it yourself, but it is a pain when there are a lot of machines. You might be able to use the Windows firewall, but it will be hard to get it to be dynamic so that if the tunnel is not running you allow LAN access.
The details to do this yourself require a fairly strong understanding of the concept of subnet masks and that a more specific network will be chosen over a more general one. I will not spend the time to explain this; if you really have to use this method you can look this up.

So this is the way split tunnels are done on some clients. This is a general description; you need to look the commands up.

First, put in a default route with a higher metric than the one on the LAN, pointing it to the gateway/interface of the VPN.

Next, to do the split tunnel:
Assuming a /24 mask, put in 2 more specific routes,
so x.x.x.0/25 and x.x.x.128/25 with a gateway of the VPN.
Now, to make the VPN itself work, you need to also put in a host /32 route for the VPN server and point that to the router. You also need to put in a /32 route for the router itself.

This is very much a pain, which is why most VPN clients have the feature and do this stuff behind the covers.
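As an added illustration (not the answer author's commands, and not anything from Kerio), here is the longest-prefix-match behaviour the route-based approach above relies on, simulated in Python with the thread's subnets. The LAN gateway, the VPN-side gateway, the VPN server's public address (a TEST-NET placeholder) and all metrics are assumptions; the default-route metrics are chosen so Internet traffic prefers the tunnel, as the question requires.

```python
import ipaddress

# Constructed routing table for a client doing route-based split tunnelling.
# Subnets come from the thread; gateways, the VPN server address (TEST-NET
# placeholder) and metrics are assumptions for this example.
LAN_GW = "192.168.100.1"      # assumed LAN router
VPN_GW = "10.20.30.1"         # assumed far end of the L2TP tunnel
VPN_SERVER = "203.0.113.10"   # placeholder for the VPN server's public address

# Route entries are (prefix, gateway, metric); lower metric wins on a tie.
BASE_TABLE = [
    ("0.0.0.0/0", LAN_GW, 50),            # default route while off the VPN
    ("192.168.100.0/24", "on-link", 25),  # directly connected LAN
]

# Added while the tunnel is up: Internet prefers the tunnel, and the two /25
# entries are more specific than the connected /24, so LAN-bound packets are
# pushed into the tunnel where the Kerio rule from the question can drop them.
# The /32 entries keep the VPN server and the LAN router reachable so the
# tunnel itself stays up.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", VPN_GW, 10),
    ("192.168.100.0/25", VPN_GW, 10),
    ("192.168.100.128/25", VPN_GW, 10),
    (VPN_SERVER + "/32", LAN_GW, 10),
    (LAN_GW + "/32", "on-link", 10),
]

def next_hop(table, dst):
    """Longest-prefix match, then lowest metric. Returns the gateway or None."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, -m, gw)
               for p, gw, m in table if ip in ipaddress.ip_network(p)]
    return max(matches)[2] if matches else None

def tunnel_up_table():
    """Routing table as it looks once the split-tunnel routes are installed."""
    return BASE_TABLE + SPLIT_TUNNEL_ROUTES

if __name__ == "__main__":
    for dst in ("192.168.100.50", LAN_GW, VPN_SERVER, "8.8.8.8"):
        print(f"{dst:>16}  off-VPN -> {next_hop(BASE_TABLE, dst):<16} "
              f"on-VPN -> {next_hop(tunnel_up_table(), dst)}")
```

Note that a LAN host such as 192.168.100.50 is reached on-link off the VPN but is routed into the tunnel once the /25 routes exist, while the LAN router and the VPN server keep their /32 exceptions; anything the user can edit in the local route table can be undone locally, which is the same caveat the answer raises for the PC firewall.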
 
Thank you. The reason to use an internal VPN is sharing the internet between users in our company. I want this to separate the LAN from the internet. Is there any better solution to that?