Deny ACL?

Is there a place to add a deny ACL? I have a few employees that are out of the country that need all of their traffic routed through our VPN; however, I need to prevent them from accessing specific internal networks. I could spin up a separate Pritunl instance just for them to use and have the firewall control access. If there was a place to put a deny ACL then that would solve the issue, I believe.


There is no option for this. There is a net gateway option in the route settings that will instruct the client to route the network through the default gateway but this is not enforced and the client will still be able to access the network by adjusting the routing table.

I was also requesting this here

Zach, what is the reason behind the decision to not implement this?

There isn’t a lot of usage of on most cloud providers or corporate networks due to the bandwidth costs and performance limitations with a lot of concurrent connections. The feature wouldn’t be used by many users and these security features require a significant amount of testing to verify nothing unintended happens.

I was lucky to be a part of the network team in several corporate and cloud environments, and having a default route which is then filtered through proxies was our typical scenario. These deny ACLs are very typical for Cisco AnyConnect or OpenConnect VPNs.
With an AWS cloud env where you don’t have a transit gateway setup, you have to deal with SNAT because of non-transitive VPC peerings, and this makes writing ACLs at the destination end impossible.
Given the fact that Pritunl creates iptables rules to only allow access to subnets advertised to clients, what is the significant challenge to add an extra statement denying a specific destination?

Code has been added that will enforce the net gateway routes. This option will be relabeled to Block Route and Net Gateway. This will block the route on the server with iptables and instruct the client to route that subnet through the client’s default gateway. This will be included in the next release.

Configure a VPN (such as Pritunl) to route specific employees’ traffic through the VPN tunnel. Ensure that these employees are assigned IP addresses from a specific range. Enforce firewall rules on your network to control access based on the source IP addresses of the employees. Here you can deny access to specific internal networks. Allow traffic from the VPN IP address range to the required resources on the internal network. Add rules to deny traffic from the VPN IP range to specific internal networks that you want to restrict. Well, if the VPN doesn’t work, buying proxies and setting things up yourself will be much more reliable. The order of the rules is crucial, so make sure that the deny rules are placed before the allow rules. The exact steps for configuring firewall rules depend on the specific firewall or router you are using on your network. Common devices include Cisco ASA, pfSense, iptables, etc.
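The rule-ordering point raised in this thread can be checked before rules are loaded into a first-match firewall. The following is an added example, not part of any post above and not Pritunl code; the VPN pool `10.8.0.0/24`, the internal subnets, and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values: the VPN client pool and internal subnets are assumptions.
VPN_POOL = "10.8.0.0/24"

def net(cidr):
    return ipaddress.ip_network(cidr)

def first_match(rules, src, dst):
    """Return the action of the first rule matching src/dst; default is DROP."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst in rules:
        if s in net(rsrc) and d in net(rdst):
            return action
    return "DROP"

def shadowed_denies(rules):
    """List DROP rules that can never fire because an earlier ACCEPT fully covers them."""
    found = []
    for i, (action, rsrc, rdst) in enumerate(rules):
        if action != "DROP":
            continue
        for eaction, esrc, edst in rules[:i]:
            if (eaction == "ACCEPT"
                    and net(rsrc).subnet_of(net(esrc))
                    and net(rdst).subnet_of(net(edst))):
                found.append((rsrc, rdst))
                break
    return found

# Allow placed first: the deny for 10.0.5.0/24 is unreachable.
BAD_ORDER = [
    ("ACCEPT", VPN_POOL, "10.0.0.0/16"),
    ("DROP", VPN_POOL, "10.0.5.0/24"),
]
# Deny placed first: the restricted subnet is blocked, the rest is allowed.
GOOD_ORDER = [
    ("DROP", VPN_POOL, "10.0.5.0/24"),
    ("ACCEPT", VPN_POOL, "10.0.0.0/16"),
]

if __name__ == "__main__":
    for name, rules in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(name, first_match(rules, "10.8.0.20", "10.0.5.9"), shadowed_denies(rules))
```

Each rule is an `(action, source CIDR, destination CIDR)` tuple evaluated top to bottom, which is how first-match packet filters such as iptables process a chain.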