Adding CFS to Server Instance

Scenario: We have multiple (200+) employees scattered around the world, divided into groups based on the work they need to perform. They all currently connect to a central Pritunl VPN server that is housed in a datacenter behind a SonicWall firewall, with a single CFS policy in place. They connect to this server for a few reasons, generally accessing internal tools that are not publicly accessible, and for some to obtain a US-based IP for some geo-restricted sites.

What we need or would like to do is have a dedicated CFS policy for each of the groups based on what they need to access. Example: The majority of employees do not need to access social media sites, but a small group does, so we had to allow these sites for everyone. We have the need for probably 4-5 unique CFS policies to cover our bases. Without having to spin up 4 dedicated hosts on different subnets, what are our options? Ideally, I would love to have an option to create a custom CFS policy within the Pritunl host, and attach it to specific VPN ‘servers’ residing on the same host without needing to spin up multiple hosts…if that makes sense.

Any ideas or thoughts?

Route access can only be controlled on each server. Multiple servers need to be created with different sets of routes, and user organizations can be attached to the server with the correct access. Multiple servers can be run on one host; there is no need to use additional hosts.

Not route access, we need to restrict access to certain websites (X, YouTube, etc.) for some users, but allow it for others. The content filter of our SonicWall does this, but to have different sets of content filters in the SonicWall, the HOST needs to present the firewall with an IP address in a different subnet. Example: Host A has a private IP of 10.0.2.20. The firewall has a content filter for that specific IP/subnet/VLAN. Host B has a private IP of 10.0.5.33, and the SonicWall can then have a content filter for that host. As far as I can see, this is the only way to accomplish this, since the host presents the same private IP to the firewall regardless of which server the employee connects to, assuming you have multiple servers running on a single host.

There’s no option for that type of filtering in Pritunl. Configure a non-NAT routing configuration: there is AWS route advertisement and Oracle Cloud route advertisement, which will automatically configure the VPC routing tables. For other configurations, static routes need to be created. If route advertisement is used, failover will work; without route advertisement, failover would require manually updating the static routes. Replicated servers will work with or without route advertisement.

This will still work with 0.0.0.0/0 routed; just disable NAT on all the routes in the Pritunl server and enable route advertisement for the routes labeled Virtual Network, or static route these subnets to the Pritunl host IP on the router. If there are multiple hosts, the static route can point to any of the hosts as long as the replication count matches the host count.

This will route the VPN virtual networks onto the local network. If there is already a SonicWall firewall, it will then be able to have policies based on the source virtual VPN subnet.
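A worked model of the non-NAT setup described in the last reply, added here as an example that is not part of the thread or of Pritunl: the host IP, LAN, per-server virtual networks and CFS policy names are constructed values, and no SonicWall syntax is reproduced, only the static routes the router needs and the policy the firewall can now key on the source VPN subnet (it also shows why the host-IP source seen under NAT matches no per-group policy).

```python
import ipaddress

# Constructed sample: one Pritunl host, three servers, disjoint virtual networks.
HOST_IP = ipaddress.ip_address("10.0.2.20")          # host's LAN address
LAN = ipaddress.ip_network("10.0.0.0/16")            # datacenter LAN
SERVERS = {  # server name -> (virtual network, hypothetical CFS policy name)
    "general":   ("172.16.10.0/24", "cfs-default"),
    "marketing": ("172.16.11.0/24", "cfs-social-allowed"),
    "geo-us":    ("172.16.12.0/24", "cfs-geo-only"),
}


def check_disjoint(servers, lan):
    """Return name -> network; raise if any virtual network overlaps the LAN
    or another server's network (both would break source-subnet policies)."""
    nets = {n: ipaddress.ip_network(cidr) for n, (cidr, _) in servers.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if nets[a].overlaps(lan):
            raise ValueError(f"{a}: {nets[a]} overlaps LAN {lan}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a}/{b}: {nets[a]} overlaps {nets[b]}")
    return nets


def plan(servers, host_ip, lan):
    """Router static routes (subnet -> host) and policy per source subnet."""
    nets = check_disjoint(servers, lan)
    routes = [(str(net), str(host_ip)) for net in nets.values()]
    policies = {str(nets[n]): pol for n, (_, pol) in servers.items()}
    return routes, policies


def firewall_source(client_vip, host_ip, nat):
    """Source the firewall sees: the host IP with NAT, the client's
    virtual IP once NAT is disabled on the server's routes."""
    return str(host_ip) if nat else str(client_vip)


def policy_for(src, policies):
    """Policy whose source subnet contains src, or None (no match)."""
    ip = ipaddress.ip_address(src)
    for cidr, pol in policies.items():
        if ip in ipaddress.ip_network(cidr):
            return pol
    return None
```

With NAT left on, every client arrives as 10.0.2.20 and `policy_for` finds no per-group match; with NAT off, the same client is matched by its server's subnet.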