Restrict local network access

Discussion room for Synology VPN package in DSM 3.1-1725 or above.

Postby IsmaelZ » Thu Apr 11, 2013 7:55 pm

Good evening,

I just recently bought and set up my DS112j and everything has been working perfectly. I set up the VPN server and managed to connect to it. One security issue I noticed is that whilst connected to the Synology VPN, the remote user can browse local network locations such as 192.168.0.1 (router) as well as the other access points, PCs, dreambox, etc.

I want to make it so that any connections to the VPN server are only granted INTERNET access, not LOCAL access. Is this at all possible?

Thank you for the help!
IsmaelZ
I'm New!
Posts: 6
Joined: Mon Apr 08, 2013 12:53 am

Re: Restrict local network access

Postby IsmaelZ » Fri Apr 12, 2013 8:39 am

Just wanted to add that I'm using the PPTP VPN option with default settings. I tested the local network access by using my laptop on a 3G network and connecting to my Synology VPN. I'm a complete beginner when it comes to Linux and routing tables etc., so if you have any ideas please treat me as an idiot and give me the full guide :)

Much appreciated
IsmaelZ
I'm New!
Posts: 6
Joined: Mon Apr 08, 2013 12:53 am

Re: Restrict local network access

Postby pwhooftman » Fri Apr 12, 2013 8:56 am

IsmaelZ wrote: Good evening,

I just recently bought and set up my DS112j and everything has been working perfectly. I set up the VPN server and managed to connect to it. One security issue I noticed is that whilst connected to the Synology VPN, the remote user can browse local network locations such as 192.168.0.1 (router) as well as the other access points, PCs, dreambox, etc.

I want to make it so that any connections to the VPN server are only granted INTERNET access, not LOCAL access. Is this at all possible?

Thank you for the help!


Hi, well, that's the whole point of a VPN, so it's not a security issue but a feature. But you can easily overcome this problem by letting the VPN Server hand out IP addresses which are outside of your LAN's range.

I.e. if your LAN uses IP addresses 192.168.0.1-255 with a subnet mask of 255.255.255.0, then hand out addresses in the 192.168.1.1-255 range. Or better still, a range way off like 10.0.0.1-255.
DS412+ with 3x2Tb WD Red, DS111
pwhooftman
Enlightened
Posts: 498
Joined: Tue Feb 12, 2013 7:53 pm

Re: Restrict local network access

Postby IsmaelZ » Fri Apr 12, 2013 9:05 am

pwhooftman wrote: Hi, well, that's the whole point of a VPN, so it's not a security issue but a feature. But you can easily overcome this problem by letting the VPN Server hand out IP addresses which are outside of your LAN's range.

I.e. if your LAN uses IP addresses 192.168.0.1-255 with a subnet mask of 255.255.255.0, then hand out addresses in the 192.168.1.1-255 range. Or better still, a range way off like 10.0.0.1-255.

Hi Pwhooftman,

Thank you for the reply. I understand this is a feature of VPN, but I am planning on giving a couple of friends access and I don't want them to see my local PCs and router menu etc - just for personal security's sake.

Anyway, regarding your suggestion: It seems like the PPTP server already hands out IPs in the 10.8.0.1/255 range (I changed a 0 to 8 just for testing purposes, otherwise it's all default), but when I connect to the VPN, all my 192.168.0.x addresses are perfectly reachable. Am I going about this the wrong way?

IsmaelZ
I'm New!
Posts: 6
Joined: Mon Apr 08, 2013 12:53 am

Re: Restrict local network access

Postby IsmaelZ » Fri Apr 12, 2013 6:09 pm

Anyone? Please?
IsmaelZ
I'm New!
Posts: 6
Joined: Mon Apr 08, 2013 12:53 am

Re: Restrict local network access

Postby pwhooftman » Sat Apr 13, 2013 11:06 am

IsmaelZ wrote: Hi Pwhooftman,

Thank you for the reply. I understand this is a feature of VPN, but I am planning on giving a couple of friends access and I don't want them to see my local PCs and router menu etc - just for personal security's sake.

Anyway, regarding your suggestion: It seems like the PPTP server already hands out IPs in the 10.8.0.1/255 range (I changed a 0 to 8 just for testing purposes, otherwise it's all default), but when I connect to the VPN, all my 192.168.0.x addresses are perfectly reachable. Am I going about this the wrong way?


Hi, I'm sorry, my answer was incorrect. If the VPN server hands out addresses in another IP range, it will still create forwarding rules between the IP ranges so you can access computers in the other range.
DS412+ with 3x2Tb WD Red, DS111
pwhooftman
Enlightened
Posts: 498
Joined: Tue Feb 12, 2013 7:53 pm
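The forwarding pwhooftman describes is exactly what a firewall rule on the NAS has to interrupt. The script below is an added example, not code from this thread or from Synology: it builds netfilter FORWARD rules that drop traffic from the PPTP address pool to the LAN while leaving internet-bound traffic alone, logging each blocked attempt. It assumes the pool 10.8.0.0/24 on ppp interfaces and a LAN of 192.168.0.0/24 (constructed from the addresses in the thread); LAN_NETS accepts several subnets, which goes beyond the single range discussed.

```shell
#!/bin/sh
# Added example (not from the thread or Synology): keep PPTP clients off the LAN.
# Handing out a different pool (10.8.0.x) changes nothing by itself, because the
# NAS still forwards packets between the ppp interfaces and the LAN. These rules
# make the FORWARD chain refuse VPN -> LAN traffic and let everything else pass.
# Assumed, constructed values; adjust to your network:
VPN_POOL="${VPN_POOL:-10.8.0.0/24}"        # PPTP client address pool
LAN_NETS="${LAN_NETS:-192.168.0.0/24}"     # space-separated list of LAN subnets
VPN_IF="${VPN_IF:-ppp+}"                   # pppd creates ppp0, ppp1, ... per client
CHAIN="VPN_NO_LAN"

# Emit the rules as text so they can be reviewed before anything is applied.
vpn_no_lan_rules() {
    echo "iptables -N $CHAIN"
    # Replies to sessions that a LAN host opened towards a VPN client stay allowed.
    echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $LAN_NETS; do   # unquoted on purpose: split on spaces
        # Log first so blocked probes show up in the kernel log, then drop.
        echo "iptables -A $CHAIN -s $VPN_POOL -d $net -j LOG --log-prefix 'VPN-LAN-BLOCK '"
        echo "iptables -A $CHAIN -s $VPN_POOL -d $net -j DROP"
    done
    # Internet-bound traffic falls through to whatever FORWARD rules already exist.
    echo "iptables -A $CHAIN -j RETURN"
    # Only packets arriving on a VPN interface are sent through the new chain.
    echo "iptables -I FORWARD 1 -i $VPN_IF -j $CHAIN"
}

# Apply idempotently: remove any earlier copy of the chain, then run the rules.
apply_vpn_no_lan_rules() {
    iptables -D FORWARD -i "$VPN_IF" -j "$CHAIN" 2>/dev/null || true
    iptables -F "$CHAIN" 2>/dev/null || true
    iptables -X "$CHAIN" 2>/dev/null || true
    vpn_no_lan_rules | sh -e
}

case "${1:-}" in
    --apply) apply_vpn_no_lan_rules ;;   # needs root on the NAS
    *)       vpn_no_lan_rules ;;         # default: dry run, print only
esac
```

Traffic addressed to the NAS itself goes through INPUT rather than FORWARD, so the NAS's own services stay reachable to VPN clients. Rules added by hand like this are typically not kept across a DSM reboot, so they need to be reapplied from a boot script.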

Re: Restrict local network access

Postby chromodoris » Tue Feb 04, 2014 3:10 pm

Hi folks

Just curious, was this ever resolved? This is exactly what I'm trying to do also.

Thanks!
chromodoris
I'm New!
Posts: 4
Joined: Tue Feb 04, 2014 3:02 pm

Re: Restrict local network access

Postby kayster » Thu Feb 06, 2014 1:03 pm

Maybe you guys could offer some support for me? I also have the VPN server enabled with PPTP default settings...
The issue I have is internet access for remote users; what happens when they try to connect is that they are met with the message "Tunnel Failed".
My related ports are open for this VPN and I can connect within my LAN, but internet access is still a no go.

Any advice would be much appreciated.
kayster
Rookie
Posts: 36
Joined: Mon Jan 06, 2014 7:14 pm

Re: Restrict local network access

Postby chromodoris » Fri Feb 07, 2014 2:08 pm

Hi Kayster

I don't use PPTP, but despite the error the connections are obviously working... For internet access, in your PPTP client setup have you specified any DNS servers? That could be the cause.

On the other matter, I was talking to an engineer friend of mine today and he said I could consider creating a 'sink hole', i.e. creating a fictitious route. This would stop the user from getting anywhere internally but wouldn't affect internet access... I'll be looking into this.
chromodoris
I'm New!
Posts: 4
Joined: Tue Feb 04, 2014 3:02 pm

Re: Restrict local network access

Postby kayster » Fri Feb 07, 2014 4:03 pm

chromodoris >>>

Yes, I have the client set up pointing to the DNS server host IP.
kayster
Rookie
Posts: 36
Joined: Mon Jan 06, 2014 7:14 pm

Re: Restrict local network access

Postby chromodoris » Fri Feb 07, 2014 6:44 pm

Don't know what client you're connecting with; have you selected the option to send all traffic over the VPN / forwarding routes set to 0.0.0.0/0?
chromodoris
I'm New!
Posts: 4
Joined: Tue Feb 04, 2014 3:02 pm

Re: Restrict local network access

Postby kayster » Fri Feb 07, 2014 7:21 pm

The remote users are configuring their VPN connections on their Windows desktops. I have tried forwarding the port to the static IP of the NAS itself and to my DNS server. As for selecting the option to send all traffic over the VPN / forwarding routes set to 0.0.0.0/0: not yet, and you have got me there. How do I enable this configuration? Is this achieved via the DSM or my BT Hub? As it stands I have the VPN port forwarded to my DNS server, and when connecting with Android devices this works, but the goal is for desktop users to achieve a VPN connection.
kayster
Rookie
Posts: 36
Joined: Mon Jan 06, 2014 7:14 pm

Re: Restrict local network access

Postby chromodoris » Fri Feb 07, 2014 8:23 pm

Ah, Windows, I don't believe that option is available in Windows (I assume that's because that's the default).

> I have tried forwarding the port to the static IP of the NAS itself and to my DNS server / as it stands I have the VPN port forwarded to my DNS server

Not sure if I understand you on this one. Your router port should only need to be forwarded to the NAS itself; the DNS server doesn't require any special port treatment on the router. You mention BT Hub, I assume that's your router and your ISP is BT? When you say you're entering the DNS info on your clients, are you entering the DNS server IP address(es) provided by BT, or do you run a DNS server yourself; or are you entering the internal IP address of your router (e.g. 192.168.1.1)?

As for the DSM/ BT Hub question - ordinarily this should be done on your client (e.g. Mac/Android), but since it's not an option in Windows and your Android clients are working fine, it's clearly not the issue here!
chromodoris
I'm New!
Posts: 4
Joined: Tue Feb 04, 2014 3:02 pm

Re: Restrict local network access

Postby kayster » Fri Feb 07, 2014 10:12 pm

Best to list the steps I have done here to try and give a better description of the current setup.
1> BT Hub v5 is a total nightmare; every port is locked as a bare minimum. I had no access to my hostname, and no port 53, 5000, 5001 access at all, so I manually forwarded these ports to the static IP of the NAS.
2> Hostname is linked to my external IP and all works fine now, as do the above ports; before this was done there was no internet access for my users at all.
3> Router & ISP are both BT.
4> When the clients are trying to connect they are entering the DNS server IP (external BT address of hostname).
5> As before, the VPN port is now forwarded to the static IP of the NAS.
kayster
Rookie
Posts: 36
Joined: Mon Jan 06, 2014 7:14 pm

Re: Restrict local network access

Postby kayster » Sat Feb 08, 2014 3:26 pm

Problem resolved...

VPN connection now achieved over internet access; the issue was with the default gateway settings within the client VPN profile... happy days.
kayster
Rookie
Posts: 36
Joined: Mon Jan 06, 2014 7:14 pm
