Tutorial: Block Traffic Between VPN Clients
Control access between VPN clients connected to your server with Access Server's access controls.
Overview
Access Server includes a setting that allows you to block traffic between connected VPN clients globally. When this option is enabled, VPN clients can still access network resources you've granted, such as internal servers or services, but they can't directly communicate with each other.
This is useful for isolating users and reducing the risk of lateral movement within your VPN.
Tip
Administrators and designated users can be granted exceptions to this restriction. This tutorial explains how to configure those overrides.
Prerequisites
An installed Access Server.
Configured user accounts.
Step 1: Block traffic between VPN clients
Sign in to the Admin Web UI.
Click Configuration > Advanced VPN.
Under Inter-Client Communication, set Should clients be able to communicate with each other on the VPN IP Network? to No.
Step 2: Allow administrators to access all VPN clients
From the Advanced VPN page in step 1, under Inter-Client Communication, set Allow VPN users with Administrator privilege to access all VPN client IP addresses to Yes.
Step 3: Allow a user to receive traffic from other VPN clients
Sign in to the Admin Web UI.
Click User Management > User Permissions.
Click More Settings for the desired user.
Click the checkbox for Allow Access From all other VPN clients.
Tip
When enabled, this user can receive traffic from other connected VPN clients, overriding the global client isolation setting if it's in place.
The user is now configured to receive traffic from other VPN clients, even if global client isolation is enabled.
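One way to confirm the result of these settings from a connected VPN client, as an added example that is not part of the original tutorial or of Access Server: the script probes a peer client, a user granted Allow Access From all other VPN clients, and a granted internal server, then compares each outcome with what the isolation policy should produce. All addresses and ports are constructed placeholders, and a refused connection is marked for review because either the peer or a reject rule on the path could have answered.

```python
import socket


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and return 'open', 'refused' or 'no-reply'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, host or network unreachable
        return "no-reply"


def verdict(outcome, expect_reachable):
    """Compare a probe outcome with what the isolation policy should produce."""
    if expect_reachable:
        # Granted resources and exempted users should accept the connection.
        return "ok" if outcome == "open" else "check-access"
    if outcome == "open":
        return "isolation-failed"
    if outcome == "refused":
        # Something answered: the peer itself or a reject rule on the path.
        return "review"
    return "ok"  # silence is consistent with blocked inter-client traffic


def audit(targets, timeout=2.0):
    """targets: iterable of (label, host, port, expect_reachable) tuples."""
    report = []
    for label, host, port, expect in targets:
        outcome = probe(host, port, timeout)
        report.append((label, outcome, verdict(outcome, expect)))
    return report


if __name__ == "__main__":
    # Constructed sample values: replace with addresses from your deployment.
    TARGETS = [
        ("peer VPN client", "172.27.232.5", 22, False),
        ("user allowed access from all clients", "172.27.232.9", 22, True),
        ("granted internal server", "10.0.0.10", 443, True),
    ]
    for label, outcome, result in audit(TARGETS):
        print(f"{label:40} {outcome:9} {result}")
```

Run it once as a regular user and once as an administrator: with the administrator override set to Yes, the peer entry is expected to be reachable for the administrator, so change its last field to True for that run.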