
SSL VPN - w/o local access

Hi All,

UTM 9.414-2 Home License.

I use SSL VPN to provide secure access to the home network and external browsing.  Some of my kids are away from home now and I want to continue to provide the SSL tunnel for them but don't want them to have access to the local network (Who knows where those devices have been...;) 

The SSL Access Profile provides for allowed networks, but not denied networks.  

So the question is, how do I setup a profile to allow access to "the world" but not my local network?

Am I missing something stupid simple here?

Thanks in advance.

  • My experience is that SSL VPN and standard proxy do not work well together, since they both manipulate SSL.  VPN will not be active with enough consistency to achieve your goals anyway.

    It sounds like what you really want is standard web proxy.  It could be on all the time.  It requires you to have a static IP or dyndns for home so their PCs can find your UTM, but apparently you already do so.

    To keep the proxy from giving access to stuff inside your house, you need a firewall between your home network and UTM, to block all web ports from the outside.

    To limit access to just your kids, you will want to put SAA on their PCs as well as configuring standard proxy script or proxy settings.  Then create a filter profile for some set of internet IPs with SAA as the authentication type and all unauthenticated traffic blocked.  Use UTM local accounts for this purpose and ensure that the accounts can only do web proxy, so it will not matter much if the passwords are guessed by bad guys.  The risk of bad guys is why you need the inside firewall.

    Use a different filter profile and IP range for your home network web browsing, especially since you may not want authentication enforced on the home network.

    You may have difficulty anticipating all of the source IPs that will need to be allowed, since laptops float from campus to off-campus housing to coffee shops to cell phone hotspots etc.

    They may find the delay objectionable, especially if your ISP connection has asymmetrical speeds.  Try it and see.

  • I have not found an explanation of how SAA finds the UTM, so I do not know for sure that it would work in this scenario, what port it uses, or whether this is a risk of credential disclosure.

    I do think that college kids will stream so much video and music that your configuration will have problems.  Your ISP will object to the traffic volume, especially upstream.  The kids will probably find skips in the video due to delays.  And all of this only works if the campus does not interfere with your connection.

    For cell phones, I do like Sophos Mobile Security.  I use it on my cell phone instead of the one that came with my phone.  You need to protect both phone and laptop.

  • Thank you both for the response.

    I've got a nice symmetrical 100Mb/s pipe and plenty of horsepower on the UTM machine (quad core, 8G, 256M SSD, Intel Gig NICs).  They would only use it for financial / sensitive type stuff; they know better than to try and stream music or movies through.  All that said, a simple solution does not appear to be in the mix.

    I've not experienced any issues with SSL VPN, but I'm using transparent proxy and only URL filtering. That mated with a PiHole and I'm in pretty good shape for a home network.

    It would be nice if there was a built in definition for Internet IP addresses or the simpler, NOT logic for a defined network.

    Maybe XG can do this?
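    As an added illustration (not part of the thread, and not a Sophos feature): the "NOT local network" definition wished for above can be expressed as the explicit list of CIDR blocks that cover the whole IPv4 Internet except the chosen internal networks, which is what an OpenVPN-style SSL VPN would push as routes if each block were a network definition in 'Allowed Networks'. The internal subnets used here are constructed placeholders, not anyone's real configuration.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def internet_except(excluded: Iterable[str]) -> List[IPv4Net]:
    """Return the minimal list of CIDR blocks covering all of IPv4 space
    except the given networks, i.e. "the world but NOT my LAN".

    Each excluded network is carved out of the blocks that remain, so
    overlapping, nested or adjacent exclusions are handled correctly.
    """
    remaining: List[IPv4Net] = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in excluded:
        hole = ipaddress.ip_network(cidr, strict=False)
        carved: List[IPv4Net] = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                      # block lies inside the hole: drop it
            if hole.subnet_of(net):
                carved.extend(net.address_exclude(hole))  # split around the hole
            else:
                carved.append(net)            # disjoint: keep as-is
        remaining = carved
    # collapse_addresses merges any adjacent blocks that can be re-joined
    return sorted(ipaddress.collapse_addresses(remaining))


def reachable(allowed: Iterable[IPv4Net], addr: str) -> bool:
    """True if addr is covered by at least one allowed block (i.e. would be
    routed through the tunnel)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)


if __name__ == "__main__":
    # Constructed example: a single home LAN to keep off-limits.
    blocks = internet_except(["192.168.1.0/24"])
    print(f"{len(blocks)} network definitions needed:")
    for net in blocks:
        print(f"  Internet-minus-LAN-{net.prefixlen:02d}  {net}")
    print("8.8.8.8 reachable:", reachable(blocks, "8.8.8.8"))
    print("192.168.1.10 reachable:", reachable(blocks, "192.168.1.10"))
```

    Excluding one /24 from 0.0.0.0/0 yields 24 blocks (one per prefix length from /1 to /24), which is why a built-in NOT operator would be far more convenient than maintaining such a list by hand.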

  • You may be able to achieve your desired result with user-network firewall rules to block non-web traffic, and block rules within the filter action to exclude internal websites by both name and number.  Create a filter profile linked to their VPN IP pool, then link it to a user policy and the desired filter action.

    I am pretty sure that VPN user identity does not cross over to transparent proxy web identity, so they will have a double login before they can web surf through the tunnel, unless the filter profile specifies no authentication for the VPN IP pool address range.

    UTM is uncommonly good at hairpin turns, such as this proposal.  I cannot speak for XG other than to observe that XG users think UTM web filtering is superior.

  • Just some thoughts in addition to the above.  I like to use UDP 1443 instead of TCP 443 for the SSL VPN.  Not only does it avoid conflicts with any other part of the UTM, but it makes for a noticeably faster tunnel.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    SSL VPN Profiles are additive.  If user "pedulla" is in one that has "Internal (Network)" in 'Allowed Networks' and a Profile with only 'Internet', he will have access to both.  If "pedullajr" is in only the second Profile, he will only have access to the Internet.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA