Hi,
I am using Pritunl (Enterprise Edition), running on an EC2 instance within a VPC, and everything is functioning well. However, I am facing challenges with blocking specific ports for VPN clients.
Use Case:
I want to restrict VPN-connected clients from accessing sensitive ports such as MSK (Kafka), Redis, or Postgres. For example, clients connected to the Pritunl VPN should not be able to access Redis (port 6379), even though they are authenticated.
What I Tried:
- I attempted to use UFW on the Pritunl EC2 instance.
- The EC2 instance itself was successfully restricted from accessing port 6379.
- However, the VPN clients connected via Pritunl could still access Redis.
- The `ufw status verbose` output confirms that `DENY OUT` rules for port 6379 are applied to the `tun0` interface (and all other `tunX` interfaces).
- I suspect that iptables rules created by Pritunl might be overriding or taking precedence over the UFW rules.
- I noticed that Pritunl creates its own iptables rules for routing and managing VPN traffic.
Questions:
- Does Pritunl have an in-built feature to block specific ports or protocols for connected VPN clients?
- For example, is there a way to define VPN-specific firewall rules directly in the Pritunl server configuration?
- If not, is UFW the right approach for this use case, or should I be directly managing iptables rules instead?
- How do iptables rules created by Pritunl interact with UFW?
- Does Pritunl’s iptables configuration take precedence over UFW rules?
- If so, how can I ensure that the port-blocking rules apply to VPN client traffic as intended?
Additional Info:
- My Pritunl server has multiple tunnels (`tun0`, `tun1`, etc.) as there are 4 VPN servers running on the same instance.
- Default UFW policies are set to `deny (routed)`, and outgoing rules for port 6379 are explicitly applied to all `tunX` interfaces and the VPC subnets (e.g., `192.168.x.x/24`).
Any guidance or insights into achieving this would be highly appreciated. If there’s a more effective way to block such traffic using Pritunl’s features or iptables, I’d love to know!
Thanks in advance!
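An added diagnostic to go with the ordering question above (example code written for this page, not part of the post, Pritunl or UFW): it walks a constructed `iptables -S FORWARD` dump in first-match order and reports which rule decides a VPN-client flow. The first sample rule mimics an interface-wide ACCEPT sitting ahead of UFW's chains (an assumed shape, not taken from a real Pritunl host), which is enough to make a later `ufw route deny` rule unreachable; the second dump shows the same DROP placed ahead of it.

```python
"""Walk a FORWARD-chain dump top to bottom and return the first matching rule.
Only the matchers needed here are understood: -i, -p, --dport (-m tcp is
tolerated), -j.  Jumps into user chains present in the dump are followed."""

# Constructed sample shaped like `iptables -S FORWARD` plus one ufw chain.
# Line 2 is an assumed interface-wide ACCEPT inserted ahead of the ufw jump;
# the ufw rule for Redis (6379) sits behind it and is never reached.
SAMPLE_RULES = """
-P FORWARD DROP
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -j ufw-user-forward
-A ufw-user-forward -i tun0 -p tcp -m tcp --dport 6379 -j DROP
-A ufw-user-forward -j RETURN
""".strip().splitlines()

# Same dump with the Redis DROP inserted at position 1 of FORWARD (constructed).
CORRECTED_RULES = [SAMPLE_RULES[0],
                   "-A FORWARD -i tun0 -p tcp -m tcp --dport 6379 -j DROP",
                   *SAMPLE_RULES[1:]]

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(lines):
    """Return ({chain: [rule, ...]}, {chain: policy}) from -P/-A lines."""
    chains, policies = {}, {}
    for line in lines:
        tok = line.split()
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # option/value pairs after "-A CHAIN"
        chains.setdefault(tok[1], []).append({
            "in": opts.get("-i"), "proto": opts.get("-p"),
            "dport": opts.get("--dport"), "target": opts.get("-j")})
    return chains, policies

def first_match(lines, chain, in_if, proto, dport, depth=0):
    """Return (rule position or 'policy:<chain>', verdict) for the given flow."""
    chains, policies = parse(lines)
    for n, r in enumerate(chains.get(chain, []), 1):
        if r["in"] not in (None, in_if) or r["proto"] not in (None, proto):
            continue
        if r["dport"] not in (None, str(dport)):
            continue
        if r["target"] in TERMINAL or r["target"] == "RETURN":
            return f"{chain}#{n}", r["target"]
        if r["target"] in chains and depth < 8:  # follow the jump into a user chain
            where, verdict = first_match(lines, r["target"], in_if, proto, dport, depth + 1)
            if verdict != "RETURN":
                return where, verdict
    return f"policy:{chain}", policies.get(chain, "RETURN")

if __name__ == "__main__":
    print(first_match(SAMPLE_RULES, "FORWARD", "tun0", "tcp", 6379))     # ('FORWARD#1', 'ACCEPT')
    print(first_match(CORRECTED_RULES, "FORWARD", "tun0", "tcp", 6379))  # ('FORWARD#1', 'DROP')
```

Run it against a real dump by replacing the constructed list with the lines of `iptables -S FORWARD` (plus the chains it jumps to); traffic between VPN clients and the VPC traverses FORWARD, so an OUTPUT-chain rule never sees it.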