Force 100% of traffic through VPN

I am using the open-source free version. I want a VPN server where a user can connect to (1) access one of my other servers (let's call it 10.27.27.10), (2) connect to other devices also connected to the VPN (172.16.232.96/27 subnet), and (3) NOT have access to the internet (somebody already recommended removing the DNS server in the settings, but you can still get out by using an IP address). I can get 1 and 2 working, but the devices also have access to the internet. I have tried removing the 0.0.0.0/0 route, and I have also tried configuring the server's host firewall to block outbound connections to IPs other than the VPN subnet and the one service they should access. Unfortunately, it's not working and the client still has access to the WAN.

I want to know this: How can I force all traffic through the VPN (I don’t want the client to be able to communicate with other devices in their LAN) and also block outbound traffic to the internet? Do I keep the 0.0.0.0/0 route or get rid of it? Do I need to implement an outbound block with UFW on the server? Is this a limitation to the free version of Pritunl?

I appreciate any help you can provide.

The 0.0.0.0/0 route can be removed to disable internet traffic from being routed over the VPN. Once this is removed only the routes listed will be routed over the VPN.

[zach]
How can Pritunl get the Google verification code of a personal account through the API, or in a directory to view the generated Google

[zach]
I want to use Pritunl's own verification and write a small program that can read the verification code under each person's respective Pritunl account. How do I get it?

So if I want all traffic to be routed over the VPN I need to keep the 0.0.0.0/0 route. To block them from accessing the internet I would need to have a host-based firewall blocking it?

Please create your own forum post for this question. Don't hijack others' posts.

The 0.0.0.0/0 route specifically routes all internet traffic, it should not be included if all traffic isn’t intended to be routed. Public IP addresses using the /32 subnet can still be added to the routes if the 0.0.0.0/0 route isn’t included.

Okay, so I need to keep the 0.0.0.0/0 route. How can I block the connected user from accessing other devices on the LAN and the internet? Do I need to do that on the host firewall?

There’s no option to block traffic from a specific user. Users will have access to all the routes included in the server.
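The thread leaves the host-firewall question open. The following is an added example, not code from the Pritunl project or from any poster in this thread: a forward-chain policy for the VPN host that keeps the 0.0.0.0/0 route (so the client sends everything into the tunnel rather than its own LAN) while the server only forwards tunnel traffic to the VPN subnet itself and to the one permitted internal host, dropping everything else, internet included. It assumes an nftables host, a tunnel interface named tun0, the subnet and server address from the original question, and a ruleset path of /etc/nftables.d/vpn.nft; all of these are assumptions, and Pritunl's own iptables rules are left untouched (a drop in this chain still wins). The pure-shell check mirrors the policy so the intended behaviour can be verified before touching the live firewall.

```shell
#!/bin/sh
# Added example for the thread above; not Pritunl's code.
# Assumed values: adjust VPN_IF, VPN_NET and ALLOWED_HOST to the real environment.
VPN_IF="tun0"                   # assumed Pritunl tunnel interface
VPN_NET="172.16.232.96/27"      # VPN client subnet from the question
ALLOWED_HOST="10.27.27.10/32"   # the one internal server clients may reach

# Emit an nftables ruleset for the FORWARD hook: new flows coming in from the
# tunnel are accepted only toward the VPN subnet (client-to-client) or the
# permitted server; anything else (internet, other LAN hosts) is counted and dropped.
# Apply with (assumed path):
#   build_forward_ruleset > /etc/nftables.d/vpn.nft && nft -f /etc/nftables.d/vpn.nft
build_forward_ruleset() {
cat <<EOF
table inet vpnpolicy {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        iifname "$VPN_IF" ip daddr $VPN_NET accept
        iifname "$VPN_IF" ip daddr $ALLOWED_HOST accept
        iifname "$VPN_IF" counter drop
    }
}
EOF
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# forward_decision DST_IP -> prints "accept" or "drop" for a new flow that a
# VPN client sends into the tunnel, mirroring the ruleset above.
forward_decision() {
    if in_cidr "$1" "$VPN_NET" || in_cidr "$1" "$ALLOWED_HOST"; then
        echo accept
    else
        echo drop
    fi
}

# Stand-alone run: print the ruleset and a few constructed sample decisions.
if [ "${1:-}" = "--demo" ]; then
    build_forward_ruleset
    for dst in 10.27.27.10 172.16.232.100 8.8.8.8 192.168.1.20; do
        echo "$dst -> $(forward_decision "$dst")"
    done
fi
```

Because the client keeps the 0.0.0.0/0 route, its LAN traffic is also sent into the tunnel and dropped on the server, which covers the "no access to other devices in their LAN" requirement without relying on client-side settings. Check the counter on the drop rule with `nft list table inet vpnpolicy` to confirm that blocked attempts are actually reaching the server.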