How to block client-to-client traffic on the same VPN server (Virtual Network)?

Hello,

I am running into a security concern related to client-to-client communication on a Pritunl VPN server and would appreciate guidance on the correct or recommended approach.

Scenario:

  • Office machines are connected to a Pritunl VPN server.

  • A user connects to the same VPN server from home.

  • Because both clients are on the same Virtual Network, the home client can directly access office machines via their VPN IP addresses.

  • This behavior violates our internal security policy, as VPN users should only access internal services, not other client endpoints.

Current understanding:

  • This seems to be caused by routing within the Virtual Network (client-to-client traffic being allowed).

  • Disabling Multiple Devices partially mitigates this, but it is not ideal, as the feature is still useful for other legitimate cases.

Questions:

  1. Is there an official or recommended way in Pritunl to block client-to-client traffic on the same VPN server?

  2. Can this be enforced via:

    • Firewall rules

    • Server settings

    • Organization settings

    • Or any undocumented / advanced configuration?

  3. Is there a way to allow access only to specific internal subnets while explicitly preventing traffic between VPN clients?

Hi,

You can disable connections between clients by turning off the “Inter-Client Routing” option in the VPN server settings. I would also recommend enabling “Restrict Routing” for better isolation.

You simply need to add the specific networks you want clients to access under the server's Routes tab (see "Routes" in the Pritunl documentation).

I highly recommend avoiding the default route 0.0.0.0/0 if the VPN is used strictly for private network access - especially if your Pritunl instance is hosted in the cloud.

There isn’t any option to disable client-to-client routing. It is difficult to do without breaking other functionality. The Inter-Client Routing option is specifically for disabling the client routes created for replicated servers. This allows client traffic to move between hosts running a replicated server.


Understood. In that scenario, another workaround would be to enforce firewall rules on the client side.
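As an added example (not from this thread and not Pritunl's own configuration), here is the server-side counterpart to the client-side firewall workaround: a standalone nftables table on the VPN host that drops packets hairpinning between VPN clients and only lets clients reach one internal services subnet, which covers questions 2 and 3 above. The interface name tun0, the client subnet 10.8.0.0/24 and the internal subnet 192.168.10.0/24 are assumed placeholders.

```nft
# Added example: host-level nftables isolation table on the VPN server.
# Assumed placeholders: VPN interface tun0, VPN client subnet 10.8.0.0/24,
# internal services subnet 192.168.10.0/24. This table is separate from the
# rules Pritunl manages; priority -10 evaluates it before those rules, and
# "policy accept" means it only adds drops, never widens what Pritunl allows.
table inet vpn_isolation {
    chain forward {
        type filter hook forward priority -10; policy accept;

        # Return traffic for already-permitted flows
        ct state established,related accept

        # A packet that enters and leaves on the VPN interface is one
        # VPN client talking to another: drop and count it
        iifname "tun0" oifname "tun0" counter drop

        # Same check by address, in case client-to-client traffic
        # is routed out via another interface
        iifname "tun0" ip saddr 10.8.0.0/24 ip daddr 10.8.0.0/24 counter drop

        # The only destination VPN clients may reach: internal services
        iifname "tun0" ip saddr 10.8.0.0/24 ip daddr 192.168.10.0/24 accept

        # Everything else from VPN clients is logged and dropped
        iifname "tun0" counter log prefix "vpn-isolation-drop: " drop
    }
}
```

Load it with `nft -f`, then watch the `counter` values: the rules only see packets the kernel forwards, so if the counters stay at zero while a client can still reach another client, the VPN daemon is switching that traffic internally and the filter has to live elsewhere.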