How to Block Specific Ports for VPN Clients in Pritunl Setup?

Hi,

I am using Pritunl (Enterprise Edition), running on an EC2 instance within a VPC, and everything is functioning well. However, I am facing challenges with blocking specific ports for VPN clients.

Use Case:

I want to restrict VPN-connected clients from accessing sensitive ports such as MSK (Kafka), Redis, or Postgres. For example, clients connected to the Pritunl VPN should not be able to access Redis (port 6379), even though they are authenticated.

What I Tried:

  1. I attempted to use UFW on the Pritunl EC2 instance.
  • The EC2 instance itself was successfully restricted from accessing port 6379.
  • However, the VPN clients connected via Pritunl could still access Redis.
  • The ufw status verbose confirms that DENY OUT rules for port 6379 are applied to the tun0 interface (and all other tunX interfaces).
  2. I suspect that iptables rules created by Pritunl might be overriding or taking precedence over the UFW rules.
  • I noticed that Pritunl creates its own iptables rules for routing and managing VPN traffic.

Questions:

  1. Does Pritunl have an in-built feature to block specific ports or protocols for connected VPN clients?
  • For example, is there a way to define VPN-specific firewall rules directly in the Pritunl server configuration?
  2. If not, is UFW the right approach for this use case, or should I be directly managing iptables rules instead?
  3. How do iptables rules created by Pritunl interact with UFW?
  • Does Pritunl’s iptables configuration take precedence over UFW rules?
  • If so, how can I ensure that the port-blocking rules apply to VPN client traffic as intended?

Additional Info:

  • My Pritunl server has multiple tunnels (tun0, tun1, etc.) as there are 4 VPN servers running on the same instance.
  • Default UFW policies are set to deny (routed), and outgoing rules for port 6379 are explicitly applied to all tunX interfaces and the VPC subnets (e.g., 192.168.x.x/24).

Any guidance or insights into achieving this would be highly appreciated. If there’s a more effective way to block such traffic using Pritunl’s features or iptables, I’d love to know!

Thanks in advance!

There’s no option to block ports; this should be done with firewall rules external to the instance. Enabling UFW could interfere with the Pritunl iptables configuration; EC2 security groups should be used instead.

Thanks, zach.

Currently I am able to achieve this by altering the iptables rules.
The command iptables -I FORWARD 1 -i tun+ -p tcp --dport <port_number> -j DROP does the job for my specific use-case.
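For anyone landing here with the same problem, a worked version of the FORWARD-chain approach from the post above, as an added example that is not code from the original posters or from Pritunl. It assumes the tunnels are named tun0, tun1, ... (matched by the iptables wildcard tun+) and uses the service default ports for Redis (6379), Postgres (5432) and a Kafka plaintext listener (9092) as a constructed list; adjust to the ports actually in use. The reason the UFW DENY OUT rules never matched is that traffic from VPN clients is forwarded through the instance, so it traverses the FORWARD chain rather than OUTPUT (which only sees packets the instance itself generates), and, as the thread shows, Pritunl's own ACCEPT rules in FORWARD were matching first. Inserting the DROP rules at position 1 puts them ahead of those rules; the script also checks with -C before inserting so re-runs do not stack duplicates.

```shell
#!/usr/bin/env bash
# Added example (not Pritunl's or the original poster's code): block selected
# TCP ports for Pritunl VPN clients by inserting DROP rules at the top of the
# FORWARD chain, ahead of the ACCEPT rules Pritunl manages.
# Assumptions: VPN tunnels are named tun*, and the ports below are the service
# defaults (Redis, Postgres, Kafka plaintext) - a constructed list, edit to fit.
set -euo pipefail

VPN_IFACE_PATTERN="tun+"          # iptables wildcard: tun0, tun1, tun2, ...
BLOCKED_TCP_PORTS="6379 5432 9092"

# Rule specification (everything after the chain name) for one port.
# Kept in one place so -C (check), -I (insert) and -D (delete) stay identical.
rule_spec() {
    local port="$1"
    printf -- '-i %s -p tcp --dport %s -j DROP' "$VPN_IFACE_PATTERN" "$port"
}

# Print the commands that would be run without touching the kernel,
# so the change can be reviewed before it is applied.
render_commands() {
    local port
    for port in $BLOCKED_TCP_PORTS; do
        printf 'iptables -I FORWARD 1 %s\n' "$(rule_spec "$port")"
    done
}

# Idempotent insert: -C returns non-zero when no identical rule exists.
# Requires root and iptables.
apply_rules() {
    local port
    for port in $BLOCKED_TCP_PORTS; do
        # shellcheck disable=SC2046
        if ! iptables -C FORWARD $(rule_spec "$port") 2>/dev/null; then
            iptables -I FORWARD 1 $(rule_spec "$port")
        fi
    done
}

# Verify the DROP rules are present, then show the chain with line numbers so
# you can confirm they sit above Pritunl's ACCEPT rules (otherwise they never match).
verify_rules() {
    local port
    for port in $BLOCKED_TCP_PORTS; do
        iptables -S FORWARD | grep -qF -- "--dport $port -j DROP" || return 1
    done
    iptables -L FORWARD -n --line-numbers
}

# Remove the rules again (same spec, so it only deletes what this script added).
remove_rules() {
    local port
    for port in $BLOCKED_TCP_PORTS; do
        # shellcheck disable=SC2046
        iptables -D FORWARD $(rule_spec "$port") 2>/dev/null || true
    done
}

case "${1:-}" in
    apply)   apply_rules && verify_rules ;;
    remove)  remove_rules ;;
    dry-run) render_commands ;;
    *)       ;;   # no argument or sourced: only define the functions
esac
```

Run it as `sudo ./block-vpn-ports.sh dry-run` first, then `apply`. Two caveats: rules added this way do not survive a reboot, so persist them (iptables-save with iptables-persistent/netfilter-persistent, or run the script at boot), and Pritunl adds and removes its own FORWARD rules when a VPN server is started or stopped, so re-check with `iptables -L FORWARD -n --line-numbers` after restarts that the DROP rules are still above the ACCEPT rules. Zach's suggestion of security groups on the Redis/Postgres/MSK side, denying the VPN client address pool, is the defence that does not depend on this ordering at all.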