Is there a place to add a deny ACL? I have a few employees that are out of the country that need all of their traffic routed through our VPN; however, I need to prevent them from accessing specific internal networks. I could spin up a separate Pritunl instance just for them to use and have the firewall control access. If there was a place to put a deny ACL then that would solve the issue, I believe.
There is no option for this. There is a net gateway option in the route settings that will instruct the client to route the network through the default gateway but this is not enforced and the client will still be able to access the network by adjusting the routing table.
There isn’t a lot of usage of 0.0.0.0/0 on most cloud providers or corporate networks due to the bandwidth costs and performance limitations with a lot of concurrent connections. The feature wouldn’t be used by many users and these security features require a significant amount of testing to verify nothing unintended happens.
I was lucky to be a part of the network team in several corporate and cloud environments, and having a default route which is then filtered through proxies was our typical scenario. These deny ACLs are very typical for Cisco AnyConnect or OpenConnect VPNs.
With an AWS cloud environment where you don't have a transit gateway set up, you have to deal with SNAT because of non-transitive VPC peerings, and this makes writing ACLs at the destination end impossible.
Given the fact that Pritunl creates iptables rules to only allow access to subnets advertised to clients, what is the significant challenge in adding an extra statement denying a specific destination?
Code has been added that will enforce the net gateway routes. This option will be relabeled to Block Route and Net Gateway. This will block the route on the server with iptables and instruct the client to route that subnet through the client's default gateway. This will be included in the next release.
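The server-side enforcement discussed in this thread, as an added example that is not Pritunl's own code: a dedicated iptables chain for VPN clients where the deny for the blocked subnet is evaluated before the accept for the advertised route, so a client that rewrites its own routing table still cannot reach the blocked network. Assumed values: tun0 as the VPN interface, 10.8.0.0/24 as the client pool, 10.20.0.0/16 as the blocked internal subnet, and 0.0.0.0/0 as the advertised route (full tunnel, as in the original question).

```shell
#!/bin/sh
# Added example, not Pritunl's code. Assumed values: tun0 is the VPN interface,
# 10.8.0.0/24 the client pool, 10.20.0.0/16 the internal subnet these clients
# must not reach, and 0.0.0.0/0 the advertised route (full tunnel).
VPN_IF="${VPN_IF:-tun0}"
VPN_POOL="${VPN_POOL:-10.8.0.0/24}"
BLOCKED="${BLOCKED:-10.20.0.0/16}"
ALLOWED="${ALLOWED:-0.0.0.0/0}"

# Emit the rules in the order they must be applied. A dedicated chain keeps the
# VPN ACL apart from other FORWARD rules; the LOG and DROP for the blocked
# subnet are appended before the ACCEPT, so the deny is matched first. The
# chain is created (or flushed) and the jump is only inserted once, so the
# script can be re-run safely.
vpn_block_rules() {
    cat <<EOF
iptables -N VPN_ACL 2>/dev/null || iptables -F VPN_ACL
iptables -C FORWARD -i $VPN_IF -s $VPN_POOL -j VPN_ACL 2>/dev/null || iptables -I FORWARD 1 -i $VPN_IF -s $VPN_POOL -j VPN_ACL
iptables -A VPN_ACL -d $BLOCKED -j LOG --log-prefix "vpn-blocked: "
iptables -A VPN_ACL -d $BLOCKED -j DROP
iptables -A VPN_ACL -d $ALLOWED -j ACCEPT
iptables -A VPN_ACL -j DROP
EOF
}

# Sanity check: the DROP for the blocked subnet must precede the first ACCEPT,
# otherwise the full-tunnel ACCEPT would shadow the deny. Returns 0 if ordered.
vpn_rules_ordered() {
    rules=$(vpn_block_rules)
    drop=$(printf '%s\n' "$rules" | grep -n -- "-d $BLOCKED -j DROP" | cut -d: -f1)
    accept=$(printf '%s\n' "$rules" | grep -n -- "-j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

# Dry run by default (prints the rules); pass --apply as root to execute them.
if [ "${1:-}" = "--apply" ]; then
    vpn_rules_ordered || { echo "rule ordering check failed" >&2; exit 1; }
    vpn_block_rules | sh -e
else
    vpn_block_rules
fi
```

Dropped packets are logged with the "vpn-blocked:" prefix, which gives a simple detection signal for clients that attempt to reach the blocked subnet.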