
Tutorial: Block Traffic Between VPN Clients

Abstract

Control access between VPN clients connected to your server with Access Server's access controls.

Overview

Access Server includes a setting that allows you to block traffic between connected VPN clients globally. When this option is enabled, VPN clients can still access network resources you've granted, such as internal servers or services, but they can't directly communicate with each other.

This is useful for isolating users and reducing the risk of lateral movement within your VPN.

Tip

Administrators and designated users can be granted exceptions to this restriction. This tutorial explains how to configure those overrides.

Prerequisites

  • An installed Access Server.

  • Configured user accounts.

Isolate all users

  1. Sign in to the Admin Web UI.

  2. Click Access Controls.

  3. Click the InterClient Communication tab.

  4. Set Global InterClient Communication to Isolate all users.

  5. Click Save and Restart.

Allow admins to access all users

  1. Sign in to the Admin Web UI.

  2. Click Access Controls.

  3. Click the InterClient Communication tab.

  4. Set Global InterClient Communication to Admins can access all users.

  5. Click Save and Restart.

Allow a user to receive traffic from all other VPN clients

  1. Sign in to the Admin Web UI.

  2. Click Users.

  3. On the User Settings page, scroll down to the Networking section.

  4. Check the box for Allow access from all other VPN clients.

    Tip

    When enabled, this user can receive traffic from other connected VPN clients, overriding the global client isolation setting if it's in place.

  5. Click Save and Restart.

    • The user is now configured to receive traffic from other VPN clients, even if global client isolation is enabled.