Setting up IP Whitelisting with Split Tunneling for SaaS using OpenVPN Access Server

Introduction

Setting up IP whitelisting with SaaS environments is a good way to increase the security around access to your business data in the cloud. As detailed in this use case, OpenVPN Access Server gives you an easy way to define a single IP address to which the SaaS environment grants access, so that users can log in when they’re connected through your VPN server. In addition, setting it up as a split tunnel means you will not be using your VPN resources for your users’ other Internet browsing. Instead, their computers will still use their ISP for that traffic, and only traffic destined for the SaaS IP addresses will tunnel through OpenVPN Access Server.

If you work in different locations and need to set up access to applications that can be reached from a trusted and whitelisted IP address, the Access Server can provide you with a good solution. When traveling or connecting from various networks, your IP address changes, making whitelisting a trusted IP quite difficult. By setting up access through Access Server, you can whitelist the server’s IP address and connect to your application through that VPN server. To the application, it looks as though you’re always connecting through the same, trusted IP address.

For our example, we used our SaaS environment with Salesforce, which stores critical business data for customer relations. By setting up access through OpenVPN Access Server, we tightly secure our data.

This is how you can combine a modern cloud CRM platform with the industry-standard security of OpenVPN.

How to use IP whitelisting with SaaS and OpenVPN Access Server

1. Launch Access Server

Begin by setting up OpenVPN Access Server if you don’t already have one. You can easily launch a new image on AWS, Google Cloud, Oracle, Azure, or DigitalOcean.

2. Ensure static IP address

Now that you have your Access Server up and running, make sure it has a public, static IP address. Depending on your cloud provider, this may be given (DigitalOcean assigns a static IP to your Droplet automatically), or you may need to take an additional step. For example, with AWS, you’ll need to allocate an Elastic IP address.

3. Configure access rules in Access Server

We want to achieve two objectives with the configuration:

  1. As this VPN is dedicated for SaaS security, we just want traffic destined to the specific SaaS application to traverse the VPN while all other internet traffic from users does not use the VPN.
  2. We want to use the VPN to set up a whitelist of source IP addresses at the SaaS from which logins are allowed. Therefore, we need to give access to the IP address(es) where the SaaS application can be reached using the NAT mechanism. That way, traffic from the VPN clients will appear to be coming from the Access Server’s public IP address.

The steps below outline how to set up Network Address Translation (NAT) through OpenVPN Access Server for VPN traffic. NAT is used in Internet gateway routers, but you can also configure it for your OpenVPN Access Server to set up the specified client access for your SaaS.

NAT makes client traffic look like it’s coming from the Access Server’s public IP address when it reaches the Internet destination of your SaaS. Thus, you can lock down access to a cloud system like Salesforce by whitelisting the public IP address of Access Server. The Access Server handles translating the responses it receives back to the OpenVPN client that made the request. This is also called masquerading: Access Server masks the source IP address of the client’s traffic with its own IP address. When Salesforce sees the traffic, it grants access because the public IP address of Access Server is present in its whitelist.

Log in to the Admin Web UI for your OpenVPN Access Server and make the following configuration changes:

  1. Turn on NAT by going to Configuration > VPN Settings and clicking Yes, using NAT in the ‘Routing’ section.
  2. Specify only the IP address or IP range for your SaaS account in the field ‘Specify the private subnets to which all clients should be given access (one per line):’. For setting up Salesforce, you’ll use an IP range. (NOTE: Salesforce lists updates for added IP addresses at the end of its page of IP ranges. You’ll need to review it and make updates when needed.)
  3. Select No for Should client Internet traffic be routed through the VPN? This sets up a split-tunnel VPN as you only need to route end users’ SaaS traffic through Access Server, not their regular Internet browsing.
  4. Do not push DNS, as clients will only get routes defined by the NAT subnets. To do this, set Do not alter clients’ DNS server settings to Yes.
  5. Finally, click on Save Settings and Update Running Server.

4. Set up whitelist access for SaaS account

These steps are specific to the SaaS account you need to protect. For our example, these are the steps we would follow to set up Salesforce access so that it only allows logins from the IP address of our Access Server:

  1. Log in with an administrator account.
  2. Click on the Setup icon.
  3. Click on Users > Profiles.
  4. Click on the profiles used for access (for example, “End User”).
  5. Near the top of the profile administration page, click on Login IP Range(s).
  6. Click on New to define the IP address.
  7. Enter the public IP address of our Access Server in both the Start IP Address and End IP Address fields. (This is the public IP address that your Access Server itself has.)
  8. Enter a description and click Save.
  9. Repeat this step for any other necessary profiles.

Now, when a user who is not connected to the Access Server tries to log in to our Salesforce domain, they receive a message that they cannot connect: “Please check your username and password. If you still can’t log in, contact your Salesforce administrator.”

When a user that is connected to the Access Server logs in, their login succeeds, and they connect with our Salesforce domain. Salesforce “OKs” the IP address, no matter where the user connects from. All other traffic over the Internet by that user routes through the regular ISP (called split-tunneling).

When you set this up for your business, you’ll need to refer to documentation for your specific SaaS account, such as these steps outlined for Salesforce: Restrict Login IP Addresses in the Original Profile User Interface. By setting up access this way, a user logging in from any other IP address will be denied. This enhances the security of access to your SaaS, further protecting your business data.
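The following added example (not part of the original article or of OpenVPN's own tooling) checks the two settings from steps 3 and 4 before you apply them: the one-per-line subnet list for the split tunnel and the SaaS login IP range. The function names are hypothetical and all addresses are constructed values from documentation blocks.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_routes(lines):
    """Parse the one-per-line subnet list; return (collapsed networks, findings)."""
    nets, findings = [], []
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:  # bad syntax, bad mask or host bits set
            findings.append(f"invalid entry {entry!r}: {exc}")
            continue
        if net.prefixlen == 0:
            findings.append("0.0.0.0/0 routes everything through the VPN (full tunnel)")
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), findings

def via_vpn(dest, nets):
    """True if traffic to dest follows a pushed route, False if it leaves via the ISP."""
    return any(ipaddress.IPv4Address(dest) in n for n in nets)

def audit_login_range(start, end, server_ip):
    """Check a SaaS login IP range against the Access Server's public address."""
    s, e, srv = (ipaddress.IPv4Address(x) for x in (start, end, server_ip))
    findings = []
    if any(srv in n for n in RFC1918):
        findings.append("server address is RFC 1918 private, not the NAT egress IP")
    if not s <= srv <= e:
        findings.append("server IP outside range: VPN users will be refused")
    elif s != e:
        findings.append(f"range admits {int(e) - int(s)} address(es) besides the server")
    return findings

# Constructed sample values (documentation address blocks, not real SaaS ranges).
SAAS_ROUTES = ["198.51.100.0/24", "198.51.100.128/25", "203.0.113.0/25", "0.0.0.0/0"]
SERVER_IP = "192.0.2.10"

if __name__ == "__main__":
    nets, problems = audit_routes(SAAS_ROUTES)
    print("routes:", [str(n) for n in nets], "findings:", problems)
    for dest in ("198.51.100.77", "203.0.113.200", "192.0.2.99"):
        print(dest, "-> VPN" if via_vpn(dest, nets) else "-> ISP")
    print(audit_login_range("192.0.2.0", "192.0.2.255", SERVER_IP))
```

An empty findings list from both audits means the subnet list keeps the tunnel split and the login range admits exactly the Access Server's address.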

Enhancing SaaS security through IP Whitelisting

One of the biggest concerns for cybersecurity within your business is simply human error. Providing additional security layers without overcomplicating the user interaction can help mitigate some of the risks. One way to do this for your SaaS solutions is by setting up IP whitelisting, as we’ve outlined in this use case.

Once set up, VPN clients can connect to and access your SaaS solution from anywhere, but do so securely. You don’t have to worry about a user who connects on public WiFi because the VPN connection is encrypted between their device and the Access Server. Using NAT gives you the ability to whitelist the Access Server’s IP address, allowing your users to connect from anywhere, as long as they are connected to your OpenVPN Access Server. NAT packets travel over the public Internet, masked with the IP address of the Access Server (also called masquerading), which handles the routing of those packets back to your device. For more information about using NAT with OpenVPN Access Server, read this: NAT, Bridging, and Routing: what are the differences.