OpenVPN Support Forum

Hi, I've created a group and trying to limit their access to TCP port 3389 only. I've entered the network and service information in my "Access Control" section for the group, here is the output from ./sacli UserPropGet:

{
"RemoteDesktopOnly": {
"access_to.0": "+SUBNET:192.168.1.0/20:tcp/3389",
"c2s_dest_s": "false",
"c2s_dest_v": "false",
"group_declare": "true",
"prop_autologin": "false",
"prop_deny": "false",
"prop_superuser": "false",
"type": "group"
},
"user@domain.com": {
"conn_group": "RemoteDesktopOnly",
"type": "user_connect"
}
}

But group members are still able to access other services outside of TCP 3389. Not sure what I'm missing, any thoughts?

Hello smichelson,

There are some thought on this that I can share.

First of all, 192.168.1.0/20 is not canonical. You have to specify first IP in a range. That is not the first IP of the /20 range. The first IP in that range is 192.168.0.0/20 and covers from 192.168.0.0 to 192.168.15.255. So that is wrong and should be adjusted. If you meant to only specify 192.168.1.0 to 192.168.1.255 then use 192.168.1.0/24. You can use a subnet calculator or cheat sheet or something to find valid ranges.

Another thing is that if you have VPN Settings > Routing > Allow access to these private subnets configured to allow access to some ranges, then everyone will have access to those ranges. That means all users and all groups will have access to the ranges defined there in the VPN Settings page.

And finally I think using 192.168.1.0 is terrible as it probably already exists almost in every network, so you will get subnet collisions most likely. But this is a fairly common issue.