SOLVED: Restricting access to the network for contractors with OpenVPN Cloud

Next-generation cloud-hosted OpenVPN business solution.
CGB
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 06, 2022 2:08 pm

Post by CGB » Tue Dec 06, 2022 2:58 pm

Hello everyone

We are a small 3D animation studio and have recently been looking into a VPN solution, because we work with freelancers from all over the world.

My question is: how do I give these freelancers access only to a specific file server, and not to the whole network?

Background:
Our knowledge of these topics is only very rudimentary - that's why, after trying the open source version, we settled for the paid cloud solution.

We are located in a co-working space - the whole network runs at 10.20.30.0/24
We have a file server (Ubuntu) whose IP is 10.20.30.110

What I did so far:
Reading a lot of tutorials, I found here: https://openvpn.net/cloud-docs-category ... -examples/

Created a "Network" in the admin UI of OpenVPN Cloud.
As "subnet" I inserted the 10.20.30.0/24 range and named it "HQ-network".
I followed the instructions and set up the connector on a server inside the office, which is actually the file server running at 10.20.30.110

After this I created a user, installed the client on a laptop and tested the connection from outside the office by accessing the file server from a different location, which works.

Very happy that I am finally able to access the office resources from outside the office, I did further tests and pinged, for example, printers and workstations (running at e.g. 10.20.30.XYZ or 10.20.30.ZYX) - "sadly" that worked, too.

I understand that I need to create different user groups, which I did --> "Freelancer" and "Studio".
I also think I understand that I need to create a service under the "Destination Services" section of my "HQ-network".
Here I inserted the IP of the file server: 10.20.30.110/32 and named it TA_Freelancer

After that I went to "Access" --> "Groups" and for the Freelancer group I checked for Source:
Network: All
User Groups: Freelancers

And for Destination:
Networks: TA_Freelancer
User Groups: Freelancer

Long story short - I can still access everything when I assign myself to the Freelancer group.

Question:
1. How can I set up OpenVPN Cloud in such a way that the Freelancer group can only access the file server running at 10.20.30.110 (and the "Studio" group still everything)?

2. Going on from there: the service we are running listens on a specific port (e.g. 1234) - can I restrict the access even more, so that freelancers can only access this specific port (so in the end: 10.20.30.110:1234)?

Any hint in the right direction is helpful!
I think I read nearly all the How-Tos I could find - and it could be that I came across the solution but, with my limited understanding of this topic, didn't realize it.

For example, this here (https://openvpn.net/community-resources ... -policies/) seems to go in exactly the right direction, but it seems to be for setups that use the self-hosted version, and I don't know if this is the way to go when using OpenVPN Cloud.

Thanks in advance!
Cheers
Felix
Last edited by CGB on Wed Dec 07, 2022 11:08 am, edited 1 time in total.

openvpn_inc
OpenVPN Inc.
Posts: 1118
Joined: Tue Feb 16, 2021 10:41 am

Re: Restricting access to the network for contractors with OpenVPN Cloud

Post by openvpn_inc » Tue Dec 06, 2022 8:30 pm

Hi Felix,

1. Under Access Groups > Freelancers, you would need to choose as 'Source' only the Group (unless you want HQ-network to initiate traffic to Freelancer users). As for the 'Destination' selection, you would need to choose only the Destination Service created, 'TA_Freelancer', instead of the whole network.

2. Protocol should be customized under this service to only allow 1234 port. Please see below steps:
a. Access Networks and click the network that you want to edit.
b. In the Destination Services section, edit the TA_Freelancer service.
c. Edit protocol section > Custom > Choose either TCP or UDP protocol > Use 'Specific Ports' option > Type 1234 > Save

* For the Studio group, create a new Access Group with Source: Studio and Destination: HQ-network.
* It is important to delete the default rule, as it can cause problems.

Best Regards,
Sahara.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
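As an added illustration (not part of this thread and not OpenVPN Cloud's own code), the model below mimics the access-group evaluation Sahara describes: a destination service is a subnet plus an optional protocol and port set, and an access group lets its source user groups reach its destination services. The group and service names, and the treatment of the default rule as an allow-everything rule, are assumptions modelled on this thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """A Destination Service: subnet, optional protocol and port restriction."""
    name: str
    cidr: str                       # e.g. "10.20.30.110/32"
    proto: str = "any"              # "any", "tcp" or "udp"
    ports: frozenset = frozenset()  # empty means all ports

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return not self.ports or port in self.ports


@dataclass(frozen=True)
class AccessGroup:
    """Source user groups that may initiate traffic to the listed services."""
    source_groups: frozenset
    destinations: tuple


def evaluate(policy, user_group, dst_ip, proto, port):
    """Return the service name that permits the flow, or None if it is denied."""
    for rule in policy:
        if user_group not in rule.source_groups:
            continue
        for svc in rule.destinations:
            if svc.matches(dst_ip, proto, port):
                return svc.name
    return None


# Constructed objects mirroring the thread's setup (assumed names/semantics).
HQ_NETWORK = Service("HQ-network", "10.20.30.0/24")
TA_FREELANCER = Service("TA_Freelancer", "10.20.30.110/32", "tcp", frozenset({1234}))
FREELANCER_RULE = AccessGroup(frozenset({"Freelancer"}), (TA_FREELANCER,))
STUDIO_RULE = AccessGroup(frozenset({"Studio"}), (HQ_NETWORK,))
# Assumed shape of the default rule: every group may reach every network.
DEFAULT_RULE = AccessGroup(frozenset({"Freelancer", "Studio"}), (HQ_NETWORK,))


def policy_with_default_rule():
    return [FREELANCER_RULE, STUDIO_RULE, DEFAULT_RULE]


def policy_fixed():
    return [FREELANCER_RULE, STUDIO_RULE]
```

Evaluating a freelancer's connection to a printer against `policy_with_default_rule()` still returns "HQ-network", which is why the default rule has to go before the TA_Freelancer restriction takes effect.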

CGB
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 06, 2022 2:08 pm

Re: Restricting access to the network for contractors with OpenVPN Cloud

Post by CGB » Wed Dec 07, 2022 11:08 am

Hey Sahara

Thank you so much for your reply and step-by-step instructions!

It was really just a matter of checking the right boxes:
Checked all the correct things for the Access Groups as you suggested and everything is working.

Now freelancers can't use the printers in our rooms anymore :)


Thank you so much!
Cheers
Felix
