11-15-2016 02:07 PM
1. I have followed the guide on setting up L2TP + IPSEC VPN on the edgerouter, it works great. The only problem is I would like to limit the VPN to only one network PC.
For example, I connect to my home network with the VPN, but I do not want to have my entire network available but only 1 server. How would one go about achieving this?
2. Also, would it be possible to setup another user with access to different resources? For example, user1 that connects can only access PC1 on the lan, user2 that connects can only access PC2 on the lan, etc. If so, how would you go about doing so?
11-15-2016 02:30 PM
I'm also new here, and just got my ERX configured as an L2TP server.
I have the same question as you do, and I think I know half the answer.
To restrict different access to different remote users, you can assign each remote user a static IP so they can be uniquely identified. The normal way to set up the L2TP service is to assign a block of client IP addresses (client-ip-pool start and client-ip-pool stop).
The VPN server software ('strongswan') automatically assigns one of the addresses in the pool when a remote client establishes a connection (sort of like DHCP).
However, I've discovered that you can assign a static IP to each remote user. You'll find that option buried way down in the Config Tree (under l2tp/remote-access/authentication/local-users/username/sbenitah).
As an example, you'd assign one address (10.10.1.100) to user Hillary, and another one (10.10.1.101) to user Donald. So when Hillary logs in to the VPN, her device will be assigned the .100 address.
I don't think the static addresses should be within the pool that you defined for the remote-access, but I'm not sure about that.
The other half of the answer is to then create appropriate firewall rules to only permit Hillary (10.10.1.100) to access PC1 (which might be at 192.168.1.10), while Donald (10.10.1.101) can only access PC2 (which might be at 192.168.1.20). I haven't figured out how to do that yet.
Caveat - I'm brand new to the Edge Router, so I may be way off base...
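A worked model of the two halves described in the reply above, added here as an example that is not from the thread or from Ubiquiti: it maps each user to a static address, checks that no static address collides with the dynamic pool (a conservative choice, since the reply is unsure whether that matters), emits EdgeOS-style `set` commands, and evaluates the resulting per-user policy against constructed sample flows. The pool bounds, user names, addresses and the `static-ip` keyword are assumptions; where the ruleset is attached to the VPN traffic is not shown because the thread has not resolved it.

```python
import ipaddress

# Constructed sample values, not taken from anyone's router config.
POOL = ("10.10.1.10", "10.10.1.50")                     # client-ip-pool start / stop
USERS = {"Hillary": "10.10.1.100", "Donald": "10.10.1.101"}  # per-user static addresses
ALLOWED = {"Hillary": ["192.168.1.10"],                  # PC1
           "Donald": ["192.168.1.20"]}                   # PC2


def pool_contains(addr):
    """True if addr lies inside the dynamic client pool."""
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(POOL[0]) <= a <= ipaddress.ip_address(POOL[1])


def check_static_ips(users=USERS):
    """Return the users whose static address overlaps the dynamic pool (assumed to be a conflict)."""
    return sorted(u for u, ip in users.items() if pool_contains(ip))


def user_commands(users=USERS):
    """Per-user static address; 'static-ip' is the assumed EdgeOS keyword under local-users."""
    return [f"set vpn l2tp remote-access authentication local-users username {u} static-ip {ip}"
            for u, ip in users.items()]


def firewall_rules(name="L2TP_IN", users=USERS, allowed=ALLOWED):
    """One accept rule per (user, host) pair, default drop; rule numbering is arbitrary."""
    cmds = [f"set firewall name {name} default-action drop"]
    n = 10
    for user, src in users.items():
        for dst in allowed[user]:
            cmds += [f"set firewall name {name} rule {n} action accept",
                     f"set firewall name {name} rule {n} description '{user} to {dst}'",
                     f"set firewall name {name} rule {n} source address {src}",
                     f"set firewall name {name} rule {n} destination address {dst}"]
            n += 10
    return cmds


def permitted(src, dst, users=USERS, allowed=ALLOWED):
    """Evaluate the same policy in software: may VPN client src reach LAN host dst?"""
    for user, ip in users.items():
        if ip == src:
            return dst in allowed[user]
    return False  # default-action drop: pool or unknown addresses reach nothing


if __name__ == "__main__":
    print("pool conflicts:", check_static_ips() or "none")
    print("\n".join(user_commands() + firewall_rules()))
```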