New Member
Posts: 2
Registered: 10-20-2016

Limit access to L2TP + IPSEC VPN

Greetings!

1. I have followed the guide on setting up L2TP + IPsec VPN on the EdgeRouter, and it works great. The only problem is that I would like to limit the VPN to only one PC on the network.

For example, I connect to my home network with the VPN, but I do not want to have my entire network available, only one server. How would one go about achieving this?

2. Also, would it be possible to set up another user with access to different resources? For example, user1 that connects can only access PC1 on the LAN, user2 that connects can only access PC2 on the LAN, etc. If so, how would you go about doing so?

Thanks!

Emerging Member
Posts: 55
Registered: 10-12-2016
Kudos: 14
Solutions: 8

Re: Limit access to L2TP + IPSEC VPN

@sbenitah,

I'm also new here, and just got my ERX configured as an L2TP server.

I have the same question as you do, and I think I know half the answer.

To restrict different access to different remote users, you can assign each remote user a static IP so they can be uniquely identified. The normal way to set up the L2TP service is to assign a block of client IP addresses (client-ip-pool start and client-ip-pool stop).

The VPN server software ('strongswan') automatically assigns one of the addresses in the pool when a remote client establishes a connection (sort of like DHCP).

However, I've discovered that you can assign a static IP to each remote user. You'll find that option buried way down in the Config Tree (under l2tp/remote-access/authentication/local-users/username/sbenitah).

As an example, you'd assign one address (10.10.1.100) to user Hillary, and another one (10.10.1.101) to user Donald. So when Hillary logs in to the VPN, her device will be assigned the .100 address.

I don't think the static addresses should be within the pool that you defined for the remote-access, but I'm not sure about that.

The other half of the answer is to then create appropriate firewall rules to only permit Hillary (10.10.1.100) to access PC1 (which might be at 192.168.1.10), while Donald (10.10.1.101) can only access PC2 (which might be at 192.168.1.20). I haven't figured out how to do that yet.

Caveat - I'm brand new to the Edge Router, so I may be way off base...
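The two halves described in the reply above, put together as an added example that is neither the poster's configuration nor Ubiquiti's own code: a small Python generator that emits EdgeOS-style `set` commands pinning each local-user to a static address (kept outside the client-ip-pool), builds a firewall ruleset whose default action is drop and whose only accept rules are per (pinned address, permitted LAN host) pair, and mirrors that ruleset's decision so the policy can be checked before it is committed. The user names follow the thread; the addresses, the pool range, and the ruleset name `VPN_IN` are assumptions chosen for illustration.

```python
"""Added example (not from the thread): generate the EdgeOS 'set' commands that
pin each L2TP remote-access user to a static address and build a firewall
ruleset that only lets that address reach the LAN host assigned to it.
Everything below except the two user names is a constructed assumption."""
import ipaddress

# Constructed policy: user -> static VPN address -> LAN hosts it may reach.
# Addresses are assumptions chosen to match the numbers used in the thread.
USERS = {
    "hillary": {"static_ip": "10.10.1.100", "allowed": ["192.168.1.10"]},
    "donald":  {"static_ip": "10.10.1.101", "allowed": ["192.168.1.20"]},
}
# Assumed client-ip-pool; static addresses are kept outside it so a user
# without a static-ip can never be handed a pinned address by accident.
POOL = ("10.10.1.200", "10.10.1.250")
RULESET = "VPN_IN"  # hypothetical ruleset name


def in_pool(addr, pool=POOL):
    """True if addr falls inside the dynamic client-ip-pool range."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_address(pool[0]) <= ip <= ipaddress.ip_address(pool[1])


def l2tp_user_commands(users=USERS, pool=POOL):
    """EdgeOS commands assigning a fixed address to each local-user.
    Refuses static addresses that overlap the pool or are reused, because
    the firewall below identifies a user purely by source address."""
    cmds = [
        f"set vpn l2tp remote-access client-ip-pool start {pool[0]}",
        f"set vpn l2tp remote-access client-ip-pool stop {pool[1]}",
    ]
    seen = set()
    for name, u in users.items():
        ip = u["static_ip"]
        if in_pool(ip, pool):
            raise ValueError(f"{name}: static-ip {ip} overlaps the client-ip-pool")
        if ip in seen:
            raise ValueError(f"static-ip {ip} assigned twice; identity would be ambiguous")
        seen.add(ip)
        cmds.append("set vpn l2tp remote-access authentication local-users "
                    f"username {name} static-ip {ip}")
    return cmds


def firewall_commands(users=USERS, ruleset=RULESET):
    """EdgeOS ruleset: default drop, allow return traffic for flows the LAN
    host already accepted, then one accept rule per (user address, LAN host).
    Pool addresses match no accept rule, so unpinned users reach nothing."""
    base = f"set firewall name {ruleset}"
    cmds = [
        f"{base} default-action drop",
        f"{base} rule 1 action accept",
        f"{base} rule 1 state established enable",
        f"{base} rule 1 state related enable",
    ]
    n = 10
    for name, u in users.items():
        for dst in u["allowed"]:
            cmds += [
                f"{base} rule {n} description '{name} to {dst}'",
                f"{base} rule {n} action accept",
                f"{base} rule {n} source address {u['static_ip']}",
                f"{base} rule {n} destination address {dst}",
            ]
            n += 10
    return cmds


def permitted(src, dst, users=USERS):
    """Mirror of the ruleset's decision for a new (non-established) flow:
    accepted only if src is a pinned user address and dst is on its list.
    Pool addresses and unlisted hosts fall through to default-action drop."""
    for u in users.values():
        if u["static_ip"] == src:
            return dst in u["allowed"]
    return False


if __name__ == "__main__":
    for line in l2tp_user_commands() + firewall_commands():
        print(line)
```

Two things the generator deliberately leaves to the operator. First, the ruleset only has effect once it is attached to the interface the L2TP clients arrive on; that step is not shown because the thread does not establish how the EdgeRouter exposes the tunnel interfaces to the firewall, and it differs between firmware versions. Second, the default-action drop is what turns "static IP" into "restriction": without it, any account that is still drawn from the pool inherits whatever the ruleset allows, and the per-user rules become a convenience rather than a control. The address is assigned by the server, not chosen by the client, so a user cannot pick another user's address, but the whole scheme is only as strong as the L2TP authentication that decides which local-user is logging in.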
New Member
Posts: 2
Registered: 10-20-2016

Re: Limit access to L2TP + IPSEC VPN

Interesting, I'll play around with that. I've also opened a ticket, I'll post here when it gets updated.