A frequent question is how to limit access to a VPN/RRAS server to users connecting from a specific IP.
The following outlines using RRAS “Inbound Filters” on server 2003. Similar steps can be taken using Inbound filters with NPS on Server 2008 and newer.
- Using Inbound/Outbound Filters within RRAS should not be used in place of a proper firewall solution.
- As soon as filter rules are enabled, all other traffic is blocked by default and filters need to be configured for each service both incoming and outgoing
- You should have console access when editing RRAS features and filters as it is very easy to lock yourself out of remote access regardless of what service you are using, RDP, VPN, TeamViewer, LogMeIn, etc.
- More granular control is possible with a proper perimeter VPN device/router
It is assumed the VPN has already been configured and working properly. As this stems from a previous specific question, it addresses a single NIC RRAS configuration, however the same process is followed for 2 NIC RRAS servers. Should you need assistance with configuring the basic VPN within RRAS see:
To configure the Inbound and Outbound filters, open the RRAS console, expand the server name, expand “IP Routing”, click on “General”, in the right hand widow select the WAN/public network adapter, right click on it and choose properties. Under the “General” tab click “Inbound Filters”. The rules are very basic, there are only 3 required for the PPTP VPN; incoming PPTP and GRE and matching outgoing rules, or an ‘allow any’ outgoing rule. Keep in mind you need to create rules for any other service used such as DNS, HTTP, HTTPS, RDP, etc. Not doing so will result in failed services.
To create a new rule select “New” and complete the filter configurations as follows.
Starting with a default rule allowing all outgoing traffic so that specific rules do not need to be created for each service. The following allows all protocols ‘out’ from the local subnet 192.168.20.0. By not checking the “Destination network” check box it will default to “Any” destination or remote address.
Next you will need incoming rules for PPTP and GRE. The purpose of this article is to allow access from only one public IP by VPN clients, therefore in the example below we have allowed access only from 126.96.36.199. The destination network is set to the entire local 192.168.20.0/24 network segment but could be limited to a particular server if you so desire. The protocol is TCP, and under the source/remote port ‘0’ is entered which defaults to any, and the destination port is 1723.
GRE is protocol 47, not port 47 so the configuration is a little different than other services and does not require a port number.
Once you have created your rules you need to check the box “Drop all packets except those that meet the criteria bellow” as in the screenshot below:
These rules will only allow VPN access from the 188.8.131.52 remote IP. In order for any client, internal or external, to use other services that require external access, or replies from external services, you will have to add rules for additional ports/services whether TCP, UDP, or both. Below is a chart showing the VPN access above and additional examples for HTTP , HTTPS, DNS (requires both TCP and sometimes UDP), and RDP connections. The “Source network” for these need to be set as “Any” to allow replies from any remote site. Also carefully note the source and destination port configurations in the different example types.
Don’t for get to “Apply”/save your filters on exiting.