User specific firewall rules

Hello,

currently we are using very fine grained access rules for each VPN user (or groups they belong to). This means that we are only allowing access to specific IP addresses often filtered by a whitelist of allowed ports.

As far as my research goes, pritunl only operates at layer 3, allowing traffic to be forwarded to certain networks without any ability to further strip down access for specific users.

Usually our users do not get access to the entire network but only to certain hosts and certain ports. How can this be achieved with pritunl? I read about using an external firewall, but this does not help in my instance, as the external firewall has no understanding of the underlying user but sees only some dynamically assigned IP address.

Am I missing something here?

Regards

Stephan

A non-NAT configuration can be used to route the users' virtual IP addresses, which can then be filtered. But there are no options for controlling access for each user. This should be done by creating multiple servers which can have different sets of routes and groups of users attached. One host can have 20+ servers running without any significant overhead.
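To illustrate the approach in the reply above (one pritunl server per access group, non-NAT routing, filtering on the virtual subnet at the upstream firewall), here is an added example that is not part of the thread or of pritunl itself. The subnets, hosts and ports are constructed placeholders; `allowed()` models the forward decision and `nft_ruleset()` renders the same policy as an nftables chain.

```python
"""Per-group filtering of non-NAT VPN client traffic (added example)."""
import ipaddress

# Constructed policy: each pritunl server gets its own virtual subnet and its own
# group of users, so the subnet identifies the group. The upstream firewall only
# allows the listed (host, TCP port) pairs for each subnet; everything else drops.
POLICY = {
    "10.100.0.0/24": [("192.168.1.10", 443), ("192.168.1.20", 22)],  # ops group
    "10.101.0.0/24": [("192.168.1.30", 5432)],                        # db group
}


def allowed(src_ip, dst_ip, dst_port, policy=POLICY):
    """Return True if a forwarded packet from a VPN client is permitted.

    Works only because the VPN is routed without NAT: the firewall sees the
    client's virtual address as the source, not the VPN host's address.
    """
    src = ipaddress.ip_address(src_ip)
    for subnet, rules in policy.items():
        if src in ipaddress.ip_network(subnet):
            return (dst_ip, dst_port) in rules
    return False  # sources outside any known VPN server subnet are dropped


def nft_ruleset(policy=POLICY):
    """Render the same policy as an nftables forward chain with default drop."""
    lines = [
        "table inet vpn_acl {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for subnet, rules in policy.items():
        for host, port in rules:
            lines.append(
                f"    ip saddr {subnet} ip daddr {host} tcp dport {port} accept"
            )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    print(allowed("10.100.0.5", "192.168.1.10", 443))   # ops user to web: True
    print(allowed("10.100.0.5", "192.168.1.30", 5432))  # ops user to db: False
```

Adding a new access group means adding a pritunl server with its own subnet and one more entry in the policy, not touching per-user rules.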