Restrict Windows VPN Client Access by Source IP


A frequent question is how to limit access to a VPN/RRAS server to users connecting from a specific IP.


The following outlines using RRAS “Inbound Filters” on Server 2003. Similar steps apply on Server 2008 and newer, where the same per-interface filters live under “IPv4” > “General” in the RRAS console. (NPS network policies also carry IP filters, but those are applied to a client’s PPP connection after it has authenticated; they cannot restrict who may reach the PPTP listener in the first place.)


Please note:


  • Inbound/Outbound Filters within RRAS are not a substitute for a proper firewall.

  • Once “Drop all packets except those that meet the criteria below” is selected, every packet that does not match a rule is dropped, so a filter must be configured for each service, both incoming and outgoing.

  • You should have console access when editing RRAS features and filters, as it is very easy to lock yourself out of remote access regardless of which service you use: RDP, VPN, TeamViewer, LogMeIn, etc.
  • More granular control is possible with a proper perimeter VPN device/router.
  • Filtering by source IP only narrows who can reach the PPTP listener. It is not authentication: every host that shares the allowed public address (for example, everything behind the same NAT gateway) gets the same access, and the known weaknesses of PPTP/MS-CHAPv2 itself are unchanged.


It is assumed the VPN has already been configured and is working properly. Because this stems from a specific earlier question, it addresses a single-NIC RRAS configuration; the same process applies to a 2-NIC RRAS server, with the filters placed on the public-facing adapter. Should you need help configuring the basic VPN within RRAS see:


http://www.lan-2-wan.com/vpns-RRAS-1nic.htm



To configure the Inbound and Outbound filters, open the RRAS console, expand the server name, expand “IP Routing”, click “General”, and in the right-hand window right-click the WAN/public network adapter and choose Properties. Under the “General” tab click “Inbound Filters”. The rules are very basic: only three are required for a PPTP VPN, an incoming rule for PPTP (TCP 1723), an incoming rule for GRE (IP protocol 47), and either matching outgoing rules or a single ‘allow any’ outgoing rule. Keep in mind that you also need rules for every other service the server uses or offers, such as DNS, HTTP, HTTPS and RDP; omitting them will break those services as soon as the drop-all option is turned on.


To create a new rule select “New” and complete the filter configurations as follows.


Start with a default rule allowing all outgoing traffic, so that a separate outgoing rule is not needed for each service. The rule below allows all protocols ‘out’ from the local subnet 192.168.20.0/24. Leaving the “Destination network” box unchecked makes the destination (remote address) default to “Any”.


Next you need incoming rules for PPTP and GRE. The purpose of this article is to allow VPN access from only one public IP, so in the example below access is allowed only from 123.123.123.123 (a placeholder; substitute the client’s real public address). The destination network is set to the entire local 192.168.20.0/24 segment but could be narrowed to the RRAS server’s own address if you prefer. The protocol is TCP, the source/remote port is ‘0’ (which means any), and the destination port is 1723.


GRE is IP protocol 47, not TCP or UDP port 47, so its filter is configured a little differently: select “Other” as the protocol, enter 47 as the protocol number, and leave the port fields out. Use the same source network (123.123.123.123) and destination network as the TCP 1723 rule, otherwise the PPTP control channel will connect but no data will flow.


Once you have created your rules, tick the box “Drop all packets except those that meet the criteria below”, as in the screenshot below:


These rules allow VPN access only from the 123.123.123.123 remote IP. For any client, internal or external, to use other services that need external access, or to receive replies from external services, you will have to add rules for the additional ports/services, TCP, UDP, or both. Below is a chart showing the VPN rules above and additional examples for HTTP, HTTPS, DNS (UDP 53, plus TCP 53 for large responses and zone transfers) and RDP. The “Source network” for these needs to be “Any” so that replies from any remote site are accepted. Also note carefully the source and destination port settings in the different example types: a reply to an outgoing HTTP request arrives with source port 80 and any destination port, whereas an incoming RDP connection has any source port and destination port 3389. Because these filters are stateless, an “any source, source port 80” rule also admits brand-new connections that an attacker sends from source port 80; for reply rules prefer the “TCP [established]” protocol choice, which matches only segments of an already-established connection.


Don’t forget to “Apply”/save your filters on exiting.
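To make the filter semantics concrete, here is an added example, not part of the original article: a small Python model of a stateless RRAS-style filter table, loaded with the rule set described above (allow-any outbound, TCP 1723 and GRE inbound only from 123.123.123.123, reply rules for HTTP/HTTPS/DNS) and evaluated against constructed packets. The Rule/Packet names, the 192.168.20.201 server address and the 198.51.100.x/203.0.113.x test addresses are assumptions of the example; the "tcp-est" protocol stands in for the "TCP [established]" choice in the RRAS filter dialog.

```python
"""Model of the RRAS inbound/outbound filter table described in the article.

Added example (not RRAS code): a stateless filter evaluator used to check
which constructed packets the rule set admits once "Drop all packets except
those that meet the criteria below" is selected.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
GRE = 47  # GRE is IP protocol 47, not a port


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    proto: object = ANY     # "tcp", "tcp-est", "udp", an IP protocol number, or ANY
    src: str = ANY          # source network in CIDR form, or ANY
    dst: str = ANY          # destination network in CIDR form, or ANY
    sport: int = 0          # 0 = any port, as in the RRAS dialog
    dport: int = 0


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: object
    src_ip: str
    dst_ip: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # True for segments of an already-established TCP connection


def _in_net(net: str, ip: str) -> bool:
    return net == ANY or ip_address(ip) in ip_network(net)


def _proto_match(rule_proto, pkt: Packet) -> bool:
    if rule_proto == ANY:
        return True
    if rule_proto == "tcp-est":          # RRAS "TCP [established]": ACK must be set
        return pkt.proto == "tcp" and pkt.ack
    return rule_proto == pkt.proto


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _proto_match(rule.proto, pkt)
            and _in_net(rule.src, pkt.src_ip)
            and _in_net(rule.dst, pkt.dst_ip)
            and rule.sport in (0, pkt.sport)
            and rule.dport in (0, pkt.dport))


def verdict(rules, pkt: Packet, drop_all_except: bool = True) -> str:
    """Return 'allow' or 'drop'. Until the drop-all box is ticked, RRAS passes everything."""
    if not drop_all_except:
        return "allow"
    return "allow" if any(rule_matches(r, pkt) for r in rules) else "drop"


LAN = "192.168.20.0/24"
CLIENT = "123.123.123.123/32"   # the one public IP allowed to use the VPN

# The article's rule set, with the reply rules in the established-only form.
RULES = [
    Rule("out", src=LAN),                                   # allow everything outbound
    Rule("in", "tcp", src=CLIENT, dst=LAN, dport=1723),     # PPTP control channel
    Rule("in", GRE, src=CLIENT, dst=LAN),                   # PPTP data channel
    Rule("in", "tcp-est", dst=LAN, sport=80),               # HTTP replies
    Rule("in", "tcp-est", dst=LAN, sport=443),              # HTTPS replies
    Rule("in", "udp", dst=LAN, sport=53),                   # DNS replies (UDP)
    Rule("in", "tcp-est", dst=LAN, sport=53),               # DNS replies (TCP, large answers)
]
WEAK_HTTP_REPLY = Rule("in", "tcp", dst=LAN, sport=80)      # plain TCP: also matches new connections


def check_samples():
    """Evaluate constructed packets against RULES; returns {label: verdict}."""
    srv = "192.168.20.201"  # assumed RRAS server address on the LAN
    pkts = {
        "pptp from allowed ip": Packet("in", "tcp", "123.123.123.123", srv, 54321, 1723),
        "pptp from other ip":   Packet("in", "tcp", "203.0.113.5", srv, 54321, 1723),
        "gre from allowed ip":  Packet("in", GRE, "123.123.123.123", srv),
        "gre from other ip":    Packet("in", GRE, "203.0.113.5", srv),
        "http reply":           Packet("in", "tcp", "198.51.100.10", srv, 80, 49152, ack=True),
        "dns reply udp":        Packet("in", "udp", "198.51.100.53", srv, 53, 49153),
        "new conn from src 80": Packet("in", "tcp", "198.51.100.10", srv, 80, 445),  # SYN, no ACK
        "outbound anything":    Packet("out", "udp", srv, "198.51.100.53", 49153, 53),
    }
    return {label: verdict(RULES, p) for label, p in pkts.items()}


if __name__ == "__main__":
    for label, result in check_samples().items():
        print(f"{label:24s} {result}")
```

Inspect check_samples(): the PPTP and GRE packets from the allowed address pass, the same packets from any other address are dropped, and a fresh connection sent from source port 80 is dropped only because the reply rules use the established-only form; append WEAK_HTTP_REPLY to the rule list and that packet is admitted. Calling verdict with drop_all_except=False reproduces the state before the drop-all box is ticked, where everything passes.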

6 thoughts on “Restrict Windows VPN Client Access by Source IP”

  1. Hi Rob,
    Now there is a fundamental question: How can I find the external IP address of a RRAS client?
    With the help of the Netstat -o -n command, I can see all the foreign addresses connected to different ports on the Server 2008 (443 for SSTP & 1723 for PPTP), but I’m missing a tool or a command to find out the foreign address of each RAS client. The netsh ras show client command does not reveal this foreign address either. So I appreciate any help in this regard.

    Thnx in advance.
    Kazem.

  2. Kazem you should be able to locate using:
    netstat -an | find "1723"

    This should return something like:
    TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING
    TCP 192.168.20.201:1723 123.123.123.123:54321 ESTABLISHED

    Where 123.123.123.123 is the remote client’s public IP and 54321 is the random port used

  3. Hi again Rob,
    Thnx for your reply.
    The problem remains the same with this command. As I said I had used netstat and it’s capable of showing the connection between foreign address and the local address including the ports.
    Let me clear out my question:
    I have an RRAS client with the internal IP address of 192.168.10.23 (assigned statically by RRAS)
    This user has an external IP address which can be seen by the netstat command. But if I have tens of such users, then netstat shows a bunch of external IP addresses paired with the accessed port on the server. How can I tell which of these external IP addresses belongs to the internal IP address 192.168.10.23?
    I’m missing a link between internal IP address of each RRAS client and its own external IP.
    I appreciate your time.
    Kazem.

  4. I am sorry Kazem, I misunderstood. I thought you just wanted a list of the remote public IPs. I know of no way of creating a simple list of internal and remote public IPs. However, perhaps I can steer you in the right direction.

    In the RRAS console you can enable logging under “Remote Access Logging” by right-clicking “Local File” in the right-hand window and choosing Properties. You will only need to enable “Accounting requests”. When a user then connects it will create and make an entry for the connection in the default log: C:\windows\system32\LogFiles\IN1105.log. This entry is a very long string but it does contain the server IP, date and time, user name used for the connection, the server’s IP, the VPN client’s public IP, the VPN client’s internal/PPP IP, and even the remote computer name. However, it will be difficult to separate the appropriate information. The following is a single line for one connection. The sample is from a server running VMware (though the RRAS server is on the host) so there is additional IP information that would not normally be present. In this sample:

     RRAS Server IP is: 192.168.20.201

     VMware virtual IP: 192.168.21.1

     RRAS server name VM-HOST

     Remote client’s internal/PPP IP:  192.168.20.187

     Remote client’s public IP:  24.222.123.123

     Remote client’s computer name COMPUTER1

     User name used for connection:  Administrator

    192.168.21.1,Administrator,05/09/2011,23:29:35,RAS,VM-HOST,4,192.168.21.1,6,2,7,1,5,131,61,5,64,1,65,1,31,24.222.123.123,66,24.222.123.123,25,311 1 192.168.20.201 03/26/2011 21:22:13 21,44,428,8,192.168.20.187,12,1400,50,41,51,1,55,1304884575,45,2,40,1,4108,192.168.21.1,4147,311,4148,MSRASV5.20,4160,MSRASV5.20,4159,MSRAS-0-COMPUTER1,4120,0x014C414E2D322D46414E,4294967206,4,4154,Use Windows authentication for all users,4136,4,4142,0

    As you can see a log full of these entries would be difficult to parse, but perhaps this will be of some help.

    I have tried opening the log file with Excel using the comma as the delimiter, and it works reasonably well.

    –Rob
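As an editorial addition to the thread above (not part of Rob’s reply), the following Python script does the separation Rob describes: it splits IAS-format accounting lines into the six fixed fields plus attribute-ID/value pairs and builds a map from each session’s internal (PPP) address to the client’s public address. It uses the accounting-start line quoted above as sample input, together with two constructed records for a second client. The attribute numbers 8, 31, 40, 44 and 66 are standard RADIUS (RFC 2865/2866); the name given to Microsoft attribute 4159, the fixed six-field prefix and the assumption that values never contain commas are the example’s own.

```python
"""Map VPN sessions' internal (PPP) addresses to clients' public addresses
from RRAS/IAS-format accounting log lines.

Added editorial example; not code from the post.  Assumed layout: six fixed
comma-separated fields (NAS-IP-Address, User-Name, Record-Date, Record-Time,
Service-Name, Computer-Name) followed by attribute-ID/value pairs, with no
commas inside values.
"""
from typing import Dict, Iterable, Optional

FIXED = ("nas_ip", "user", "date", "time", "service", "computer")

# Standard RADIUS attribute IDs (RFC 2865/2866) plus one Microsoft vendor ID.
ATTR = {
    "8": "Framed-IP-Address",      # address RRAS assigned to the PPP link
    "31": "Calling-Station-Id",    # for a VPN client: its public IP
    "40": "Acct-Status-Type",      # 1 = Start, 2 = Stop, 3 = Interim-Update
    "44": "Acct-Session-Id",
    "66": "Tunnel-Client-Endpt",   # client side of the tunnel, also the public IP
    "4159": "MS-RAS-Client-Name",  # assumed name for the MSRAS-0-<computer> value
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one IAS-format line into a dict of named fields."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(FIXED):
        raise ValueError("not an IAS-format log line")
    rec = dict(zip(FIXED, fields))
    pairs = fields[len(FIXED):]
    for i in range(0, len(pairs) - 1, 2):
        attr_id, value = pairs[i], pairs[i + 1]
        rec[ATTR.get(attr_id, attr_id)] = value   # unknown IDs keep their number as key
    return rec


def session_map(lines: Iterable[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {internal PPP IP: session info} for sessions that have started
    and not yet stopped, processing records in log order."""
    active: Dict[str, Dict[str, Optional[str]]] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        internal = rec.get("Framed-IP-Address")
        if internal is None:
            continue                      # e.g. an authentication-only record
        status = rec.get("Acct-Status-Type")
        if status == "1":                 # Accounting-Start
            active[internal] = {
                "user": rec.get("user"),
                "public_ip": rec.get("Calling-Station-Id") or rec.get("Tunnel-Client-Endpt"),
                "client_name": rec.get("MS-RAS-Client-Name"),
                "session": rec.get("Acct-Session-Id"),
                "started": f"{rec.get('date')} {rec.get('time')}",
            }
        elif status == "2":               # Accounting-Stop
            active.pop(internal, None)
    return active


SAMPLE_LINES = [
    # The accounting-start record quoted in the reply above, as one line.
    "192.168.21.1,Administrator,05/09/2011,23:29:35,RAS,VM-HOST,4,192.168.21.1,6,2,7,1,5,131,61,5,64,1,65,1,31,24.222.123.123,66,24.222.123.123,25,311 1 192.168.20.201 03/26/2011 21:22:13 21,44,428,8,192.168.20.187,12,1400,50,41,51,1,55,1304884575,45,2,40,1,4108,192.168.21.1,4147,311,4148,MSRASV5.20,4160,MSRASV5.20,4159,MSRAS-0-COMPUTER1,4120,0x014C414E2D322D46414E,4294967206,4,4154,Use Windows authentication for all users,4136,4,4142,0",
    # Constructed records for a second client (not from the post): start, then stop.
    "192.168.21.1,kazem,05/10/2011,08:01:10,RAS,VM-HOST,4,192.168.21.1,31,203.0.113.77,66,203.0.113.77,44,429,8,192.168.20.188,40,1,4159,MSRAS-0-LAPTOP2,4136,4",
    "192.168.21.1,kazem,05/10/2011,09:15:42,RAS,VM-HOST,4,192.168.21.1,31,203.0.113.77,66,203.0.113.77,44,429,8,192.168.20.188,40,2,4159,MSRAS-0-LAPTOP2,4136,4",
]


if __name__ == "__main__":
    for internal, info in session_map(SAMPLE_LINES).items():
        print(internal, "<-", info["public_ip"], info["user"], info["client_name"])
```

Feed session_map the lines of the C:\windows\system32\LogFiles\IN*.log files in order and it returns only the sessions still open; in the sample, the constructed second client has stopped and so is absent. A record that lacks a Calling-Station-Id and Tunnel-Client-Endpt yields public_ip None rather than failing, which is how a session whose log record omits the public address would show up.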

  5. Hi again Rob,
    I have opened the log file with Excel and while browsing through the connection records, I fell on a strange subject. In the last field of each record, there is the version of the RAS server. When the server is MSRASV5.10 which is used for PPTP connections, the external IP is recorded. When the server is MSRASV5.20 which is for SSTP connections, then the external IP is not recorded!!!!
    Do you have any idea of how such a thing can be fixed.
    Regards.
    Kazem.

  6. Hi Kazem. I am sorry I am not familiar enough with SSTP to explain the difference. I currently do not have an SSTP VPN set up to compare. As to “MSRASV5.20”, I don’t believe that is related to PPTP/SSTP, but rather MSRASV5.10 indicates an XP client and MSRASV5.20 Vista or Win7.

    –Rob
