USG FLEX 500H SSL VPN: How to set up two user groups for split and full tunnel?

ITC_Sercop
ITC_Sercop Posts: 4  Freshman Member

Hi,

we need to create two user groups for SSL VPN (OpenVPN Client), one using split tunnel and one using full tunnel, but the GUI doesn't seem to allow it.

On the old USG firewall we could do it instead.

Do you have some tips?

Thank you.

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,893  Guru Member
    edited July 17 Answer ✓

    Well there is a very easy way to do this but questionable as for security...

    So set up with Local Networks Only (Split Tunnel) and download the config, then make a copy of the config to be used for Full Tunnel. Open that config in Notepad and edit under:

    verb 3

    with

    verb 3
    redirect-gateway

    You may need a routing rule:
    incoming any
    Source Address of the VPN pool 192.168.51.0/24
    next hop WAN

    To tighten up security you can add a block rule for users who should not use the FLEX H as the gateway, should anyone work out they can just add redirect-gateway to their config.
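
The edit PeterUK describes, automated as an added example that is not code from the thread or from Zyxel: it derives the full-tunnel profile from the exported split-tunnel one and adds an audit check an administrator can run to tell which variant a given user holds, since the firewall itself cannot distinguish the two. The sample profile, hostname and file names are constructed.

```python
# Added example, not from the thread or Zyxel: automates PeterUK's edit
# and adds an audit check. SPLIT_PROFILE is a constructed sample.

SPLIT_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
verb 3
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

def is_full_tunnel(profile: str) -> bool:
    """True if an active (non-comment) line is a redirect-gateway directive.
    Lets an admin audit which variant a user holds, since the firewall
    cannot tell a split-tunnel client from a full-tunnel one."""
    for line in profile.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")):
            continue  # a commented-out directive is inactive
        if stripped.split()[:1] == ["redirect-gateway"]:
            return True
    return False

def to_full_tunnel(profile: str, anchor: str = "verb 3") -> str:
    """Copy of profile with 'redirect-gateway' inserted after the first
    line equal to anchor, exactly as the thread describes."""
    if is_full_tunnel(profile):
        raise ValueError("profile already contains redirect-gateway")
    out, inserted = [], False
    for line in profile.splitlines():
        out.append(line)
        if not inserted and line.strip() == anchor:
            out.append("redirect-gateway")
            inserted = True
    if not inserted:
        raise ValueError(f"anchor line {anchor!r} not found")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Write both variants so each user group receives only its own file.
    with open("split-tunnel.ovpn", "w") as fh:
        fh.write(SPLIT_PROFILE)
    with open("full-tunnel.ovpn", "w") as fh:
        fh.write(to_full_tunnel(SPLIT_PROFILE))
```

Because any user can add the directive themselves, the audit only tells you what was handed out; the routing and block rules on the FLEX H are what actually enforce who may use it as a gateway.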

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,529  Zyxel Employee

    Hi @ITC_Sercop

    USG FLEX H (uOS) SSL VPN configuration is different from USG FLEX (ZLD). Could you share your scenario about why you need two different SSL VPN configurations for different users?

    Zyxel Melen


  • ITC_Sercop
    ITC_Sercop Posts: 4  Freshman Member

    Yes, of course.
    Some VPN users need to connect to internet servers, in addition to our LAN, that check the sender's IP address, so it must be our company IP address.
    Other VPN users should use the internet while they are VPN connected, but they must use their own internet connection to do so.

    Thanks.

  • ITC_Sercop
    ITC_Sercop Posts: 4  Freshman Member

    Hi,

    thanks.

    Your advice works perfectly. You're right, we know it's questionable as for security and we have plans to use only the "Full Tunnel" option in the near future.