Edgerouter VPN allowing access to only one computer

tek9

Hi all.
I need help figuring this out, hoping you guys can help.
I have a client, a small accountant office of 2 people. They have 2 or 3 computers in use at one time, and those are used for multiple QB files/versions and the typical file sharing. Their file shares are currently housed on a Synology box. They also have a new computer acting as a "server" for a piece of investment software called FundCount. It's actually a Windows 10 Pro machine running that database program, and they log in to the software via a web browser using the server's IP address and a custom port number, 9333.
I've set them up with an EdgeRouter X and an L2TP/IPsec VPN to enable them to access the program from outside the office.
Now they're hiring an outside consultant, and they would like for him to have access only to the FundCount program but not to their QB files or file shares. I'm not sure how to proceed here. Is there a way to set up the VPN so that it only gives access to port 9333, or am I supposed to set the permissions on the server side? Once he gets in via the VPN, he's technically on the local network and can see their file shares. Since they're using multiple versions of QB, and QB recommends Everyone access for their files, would there be a way to prevent the consultant from accessing those with an explicit deny rule? Not sure if that's what I want.
I'm pretty sure I'm missing something simple here and I'm looking at the wrong side of this. Need someone to point me in the right direction.
Thanks so much.
 
Maybe look for a DMZ function in the router. Typically this involves creating a distinct subnet for one of the spare ports on the router and plugging the Win 10 Pro web server into that. You can then set up rules to allow the VPN user into the DMZ zone/subnet only. They should then not be able to see LAN storage/PCs. You should also be able to set up rules to allow the 'LAN' users on to the DMZ web server too.
 
Do the normal users use the VPN as well?

I would think a couple of firewall rules would handle this: source VPN, destination the IP of the "server" machine and the port number. I don't believe you can set firewall rules by VPN user.

Unfortunately I don't have an EdgeRouter around to play with; we have replaced all of ours with USGs.
 
> Once he gets in via the VPN, he's technically on the local network and can see their file shares.

You're looking at this the wrong way around IMO. If the network shares can be accessed by anyone (or any 'thing') that has access to the network, then that needs to be fixed. Even if every employee is privy to every bit of shared information, the data could be compromised by anyone or anything that gains access to the network, which also makes it vulnerable to malware/ransomware attacks. In a domain environment, user/group-restricted access to network resources is generally the default modus operandi, so I'm guessing this is a non-domain environment, in which folders are shared with 'everyone' (like this). In which case I would start by creating special user accounts on each of the computers/servers that share data and I would restrict access to only those users (by removing 'everyone'), even if every computer/user in the office requires access to that data.

I find a hierarchical nomenclature works best for share permission names, such as Staff -> Office -> Management -> Accounts -> Directors. So, for example, you might grant 'Directors' access to everything by adding the Directors user account permissions to every shared folder, while restricting staff further down the hierarchy by adding those accounts to the relevant folder's permissions only. Once the share permissions are set, to grant a user access to the network shares you only need to add the relevant account credentials to their Windows Credential Manager (which can easily be scripted to save time).
 
> Maybe look for a DMZ function in the router. Typically this involves creating a distinct subnet for one of the spare ports on the router and plugging the Win 10 Pro web server into that. You can then set up rules to allow the VPN user into the DMZ zone/subnet only. They should then not be able to see LAN storage/PCs. You should also be able to set up rules to allow the 'LAN' users on to the DMZ web server too.

I was thinking of doing that, but we were hoping to set this computer as their QB server and file server as well replacing the Synology. If we do that would the fact that it's in a DMZ be a problem? Knowing QB, it probably will...
 
> Do the normal users use the VPN as well?
>
> I would think a couple of firewall rules would handle this: source VPN, destination the IP of the "server" machine and the port number. I don't believe you can set firewall rules by VPN user.
>
> Unfortunately I don't have an EdgeRouter around to play with; we have replaced all of ours with USGs.

The in-house staff also use the VPN so this won't really work. That's why I was hoping there's a per-user solution.
 
> You're looking at this the wrong way around IMO. If the network shares can be accessed by anyone (or any 'thing') that has access to the network, then that needs to be fixed. Even if every employee is privy to every bit of shared information, the data could be compromised by anyone or anything that gains access to the network, which also makes it vulnerable to malware/ransomware attacks. In a domain environment, user/group-restricted access to network resources is generally the default modus operandi, so I'm guessing this is a non-domain environment, in which folders are shared with 'everyone' (like this). In which case I would start by creating special user accounts on each of the computers/servers that share data and I would restrict access to only those users (by removing 'everyone'), even if every computer/user in the office requires access to that data.
>
> I find a hierarchical nomenclature works best for share permission names, such as Staff -> Office -> Management -> Accounts -> Directors. So, for example, you might grant 'Directors' access to everything by adding the Directors user account permissions to every shared folder, while restricting staff further down the hierarchy by adding those accounts to the relevant folder's permissions only. Once the share permissions are set, to grant a user access to the network shares you only need to add the relevant account credentials to their Windows Credential Manager (which can easily be scripted to save time).

There are only 2 users there, no domain or server. The 2 on-site people are allowed to see everything, so setting up all these permissions is a waste of time. QuickBooks by default seems to set Everyone permissions when it installs or when troubleshooting with their tools, and I'm loath to change that in case it'll break QuickBooks, which they use most often.
 
Who's responsible for this W10 Pro machine? Was it provided by the software vendor?

I just took a look at my VPN setup, UniFi. About the only thing you can do is create firewall rules; the VPN functions don't have that granularity. With the firewall rules you do have source and destination IPs, but that will require the remote users to have a fixed IP or set up DDNS. And speaking of fixed IPs, does the office have one?

If it was me I'd just tell them that they need to get a real server OS. Given the situation, the bare minimum, hardware wise, would be fine with Essentials. This type of situation is exactly why Essentials exists. And you can use the Synology as a backup device.
 
> Who's responsible for this W10 Pro machine? Was it provided by the software vendor?
>
> I just took a look at my VPN setup, UniFi. About the only thing you can do is create firewall rules; the VPN functions don't have that granularity. With the firewall rules you do have source and destination IPs, but that will require the remote users to have a fixed IP or set up DDNS. And speaking of fixed IPs, does the office have one?
>
> If it was me I'd just tell them that they need to get a real server OS. Given the situation, the bare minimum, hardware wise, would be fine with Essentials. This type of situation is exactly why Essentials exists. And you can use the Synology as a backup device.
>
> Mark

If I remember right, you can assign a LAN IP specific to the VPN user.

For example, when Staff User 1 connects they get 10.10.10.50, and when Staff User 2 connects they get 10.10.10.51. Consultant User gets 10.10.10.52.

Then you could set a firewall rule limiting 10.10.10.52 to only the port the software needs.

Kind of a pain, but theoretically it should work.
 
When I was setting up the VPN on the EdgeRouter, part of the setup process was to create an IP pool for the remote access users, and they get assigned an address from that pool on a first-come, first-served basis. I don't think there's a way to statically assign a user a certain IP address. If you are aware of this, can you post a link or instructions? Thanks.
 
Under the config tree where you add the user, there is a spot for the static IP address.
I didn't know that. I had setup the VPN using the cli. I'll take a look and see if I can work with that. Thanks.
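The two pieces suggested in the replies above (a fixed address for the consultant's VPN user, then a firewall rule keyed on that address) as one EdgeOS configure-session example. This is an added example, not config from any poster in this thread. Everything about addressing is an assumption: switch0 as the ER-X LAN interface, LAN 192.168.1.0/24, the FundCount host at 192.168.1.50, a staff pool of 192.168.1.240-249 and the consultant fixed at 192.168.1.250; only the port, 9333, comes from the original post. `static-ip` is the Vyatta-family option name for the "spot for the static IP address" mentioned above. Because EdgeOS creates the l2tpN interfaces per session, the ruleset is attached in the `out` direction on the LAN interface, where it sees every packet the router forwards from a VPN client into the LAN:

```edgeos
# Added example, not the original poster's config. Assumed addressing:
#   LAN 192.168.1.0/24 on switch0, FundCount host 192.168.1.50, web UI on TCP 9333 (port from the thread)
#   Dynamic L2TP pool 192.168.1.240-192.168.1.249 for staff, consultant fixed at 192.168.1.250
configure

# Remote-access pool inside the LAN subnet (what the EdgeRouter wizard sets up); the router answers ARP for these
set vpn l2tp remote-access client-ip-pool start 192.168.1.240
set vpn l2tp remote-access client-ip-pool stop 192.168.1.249

# The consultant's account gets a fixed address outside the dynamic pool so a rule can key on it
set vpn l2tp remote-access authentication local-users username consultant password 'use-a-long-random-passphrase'
set vpn l2tp remote-access authentication local-users username consultant static-ip 192.168.1.250

# Ruleset for traffic the router forwards into the LAN. Only the consultant's address matches rules 10/20;
# staff addresses fall through to the default accept, so nothing changes for them.
set firewall name VPN_TO_LAN description 'Remote-access VPN clients into LAN'
set firewall name VPN_TO_LAN default-action accept
set firewall name VPN_TO_LAN rule 10 description 'Consultant: FundCount web UI only'
set firewall name VPN_TO_LAN rule 10 action accept
set firewall name VPN_TO_LAN rule 10 protocol tcp
set firewall name VPN_TO_LAN rule 10 source address 192.168.1.250
set firewall name VPN_TO_LAN rule 10 destination address 192.168.1.50
set firewall name VPN_TO_LAN rule 10 destination port 9333
set firewall name VPN_TO_LAN rule 20 description 'Consultant: drop and log everything else (SMB, QB, Synology)'
set firewall name VPN_TO_LAN rule 20 action drop
set firewall name VPN_TO_LAN rule 20 log enable
set firewall name VPN_TO_LAN rule 20 source address 192.168.1.250

# Attach on the LAN side: the l2tpN interfaces come and go per session, so the LAN interface is the stable hook
set interfaces switch switch0 firewall out name VPN_TO_LAN

commit
save
exit
```

To check it, connect as the consultant user, confirm the client got 192.168.1.250, browse to http://192.168.1.50:9333, then try to open a share on the Synology or the server (TCP 445): the share attempt should fail, rule 20's counter in `show firewall name VPN_TO_LAN statistics` should increase, and the drop should appear in `show log` tagged with the ruleset name. Two limits to keep in mind: the rule only covers traffic the router forwards into the LAN, so it does nothing for traffic aimed at the router itself, and it only ever restricts that one address, so the fixed address and a strong, unique password on the consultant account are what tie the restriction to the person.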
 
> Under the config tree where you add the user, there is a spot for the static IP address.

Never used that function but by definition traditional VPN clients get an IP that is not part of the LAN IP scheme. So wouldn't you need a route to the destination?

Edit: I'll look into this on one of my clients.
 
Nope, thanks to the magic of proxy-ARP.

I don't care for LAN ranges being shared to VPN because the way it all works makes my head hurt. But, again proxy-ARP!
 
> Nope, thanks to the magic of proxy-ARP.
>
> I don't care for LAN ranges being shared to VPN because the way it all works makes my head hurt. But, again proxy-ARP!

I was being a bit slow. What I was really referring to is the customer's desire to keep the remote user only accessing that one product via the local web server.
 