SOLVED: Restricting access to the network for contractors with OpenVPN Cloud
Posted: Tue Dec 06, 2022 2:58 pm
Hello everyone
We are a small 3D animation studio and we have recently started looking into a VPN solution, because we work with freelancers from all over the world.
My question is: how can we give these freelancers access only to a specific file server, and not to the whole network?
Background:
Our knowledge of these topics is only very rudimentary - that's why, after trying the open-source version, we settled for the paid cloud solution.
We are located in a co-working space - the whole network runs on 10.20.30.0/24.
We have a file server (Ubuntu) whose IP is 10.20.30.110.
What I did so far:
I read a lot of tutorials, which I found here: https://openvpn.net/cloud-docs-category ... -examples/
Created a "Network" in the admin UI of OpenVPN Cloud.
As "subnet" I inserted the 10.20.30.0/24 range and named it "HQ-network".
I followed the instructions and set up the connector on a server inside the office, which is actually the file server running at 10.20.30.110.
After this I created a user, installed the client on a laptop and tested the connection from outside the office by accessing the file server from a different location, which works.
Very happy that I am finally able to access the office resource from outside the office, I did further tests and pinged, for example, printers and workstations (running at e.g. 10.20.30.XYZ or 10.20.30.ZYX) - "sadly" that worked, too.
I understand that I need to create different user groups, which I did --> "Freelancer" and "Studio".
I also think I understand that I need to create a service under the "Destination Services" section of my "HQ-network".
Here I inserted the IP of the file server, 10.20.30.110/32, and named it TA_Freelancer.
After that I went to "Access" --> "Groups" and for the Freelancer group I checked for Source:
Network: All
User Groups: Freelancers
And for Destination:
Networks: TA_Freelancer
User Groups: Freelancer
Long story short - I still can access everything when I assign myself the Freelancer group.
Question:
1. How can I set up OpenVPN Cloud so that the Freelancer group can only access the file server running at 10.20.30.110 (and the "Studio" group can still access everything)?
2. Going on from there: the service we are running listens on a specific port (e.g. 1234) - can I restrict access even further, so that freelancers can only reach this specific port (so in the end: 10.20.30.110:1234)?
Any hint in the right direction is helpful!
I think I read nearly all the how-tos I could find - and it could be that I came across the solution but, with my limited understanding of this topic, didn't recognize it.
For example, this here (https://openvpn.net/community-resources ... -policies/) seems to go in exactly the right direction; but it seems to be for setups that use the self-hosted version, and I don't know if this is the way to go when using OpenVPN Cloud.
Thanks in advance!
Cheers
Felix
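To make the intended least-privilege outcome explicit before clicking through the admin UI, here is an added example (not OpenVPN Cloud's own code or configuration) that models the policy the post asks for: default deny, the Freelancer group reaching only 10.20.30.110 on TCP/1234, and the Studio group reaching the whole 10.20.30.0/24. Group names and addresses are taken from the post; port 1234 is the post's placeholder, and the rule format is an assumption of this model, not the product's access-group syntax.

```python
"""Model of the least-privilege policy described in the post (added example).

It lets you state which flows must pass and which must be blocked, so the
same flows can later be tested against the real VPN (e.g. by pinging a
printer as a Freelancer user and expecting it to fail).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    group: str                    # source user group, e.g. "Freelancer"
    destination: str              # CIDR, e.g. "10.20.30.110/32"
    proto: Optional[str] = None   # "tcp"/"udp"/"icmp"; None = any protocol
    port: Optional[int] = None    # None = any port


# Assumed target policy, built from the addresses and groups in the post.
POLICY: List[Rule] = [
    Rule("Freelancer", "10.20.30.110/32", "tcp", 1234),  # file server, service port only
    Rule("Studio", "10.20.30.0/24"),                     # whole office network
]


def is_allowed(policy: List[Rule], group: str, dst_ip: str,
               proto: str = "tcp", port: Optional[int] = None) -> bool:
    """Default deny: a flow passes only if some rule for the user's group matches."""
    ip = ipaddress.ip_address(dst_ip)
    for r in policy:
        if r.group != group:
            continue
        if ip not in ipaddress.ip_network(r.destination):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return True
    return False


def audit(policy: List[Rule], flows) -> List[Tuple[str, str, str, Optional[int], bool]]:
    """Evaluate constructed (group, ip, proto, port) flows; returns each with its verdict."""
    return [(g, ip, pr, po, is_allowed(policy, g, ip, pr, po)) for g, ip, pr, po in flows]


if __name__ == "__main__":
    # Constructed sample flows: the checks the post describes (file server vs. a printer).
    sample = [("Freelancer", "10.20.30.110", "tcp", 1234), ("Freelancer", "10.20.30.110", "tcp", 22),
              ("Freelancer", "10.20.30.42", "icmp", None), ("Studio", "10.20.30.42", "icmp", None)]
    for row in audit(POLICY, sample):
        print(row)
```

The `audit` output doubles as a test plan: every flow it marks `False` is one that should fail when tried through the VPN as a member of that group.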