VPN access to single computer on network

sladans

Occasional Visitor
I am trying to enable a remote user (my accountant) to access Quickbooks by logging onto my AC88U via OpenVPN and then using Remote Desktop to access a single computer running Quickbooks.

I am using Merlin firmware and am currently able to run OpenVPN server on my AC88U and use the OpenVPN client to log into the entire network and then use Remote desktop to access any of the computers on the network.

Is it possible to configure OpenVPN/AC88U to only provide a specific user with access to a single IP address/computer on the network (versus all of the computers on the network)? Is there some other way to accomplish this?
 
I'm pretty sure it has to be done with iptables rules.

Myself, I'd create a second OVPN server, manually set the client's IP address, then use iptables to only allow access from your VPN IP to the remote IP you want and drop the rest.
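The rule set this suggestion describes (and the "second router and iptables" variant of Option A later in the thread), written out as an added example; it is not from the thread or from the Merlin firmware. It assumes the accountant's client gets a fixed tunnel address (OpenVPN's `client-config-dir` with an `ifconfig-push` entry does this), that the dedicated second OpenVPN server's tunnel interface is `tun22` (Asuswrt-Merlin's usual name for server 2; change it if yours differs), and placeholder addresses for the tunnel client and the QuickBooks PC. Everything is confined to one chain so it can be inspected, reapplied from a firewall hook script, or removed cleanly.

```sh
#!/bin/sh
# Added example: confine one OpenVPN client to RDP on one LAN host with iptables.
# Not from the thread or the Merlin firmware. All addresses below are placeholders.

VPN_IF="${VPN_IF:-tun22}"               # tunnel interface of the dedicated OpenVPN server (assumption)
CLIENT_IP="${CLIENT_IP:-10.16.0.2}"     # fixed tunnel address pushed to the remote user (placeholder)
TARGET_IP="${TARGET_IP:-192.168.1.50}"  # the QuickBooks PC (placeholder)
TARGET_PORT="${TARGET_PORT:-3389}"      # Remote Desktop
CHAIN="VPN_ACCT"                        # dedicated chain so the rules are easy to audit or flush

# Emit the iptables commands. Printing them first lets you review (and test) the
# rule text before anything touches the running firewall.
vpn_restrict_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -F $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -s $CLIENT_IP -d $TARGET_IP -p tcp --dport $TARGET_PORT -m state --state NEW -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -D FORWARD -i $VPN_IF -j $CHAIN 2>/dev/null
iptables -I FORWARD 1 -i $VPN_IF -j $CHAIN
iptables -D INPUT -i $VPN_IF -j DROP 2>/dev/null
iptables -I INPUT 1 -i $VPN_IF -j DROP
EOF
}

# Number of rules that would be applied; handy as a sanity check from a hook script.
vpn_restrict_rule_count() {
    vpn_restrict_rules | grep -c '^iptables'
}

# Apply the rules (run as root on the router). The -D lines remove any earlier
# copy of the jump so reapplying from firewall-start does not stack duplicates.
vpn_restrict_apply() {
    vpn_restrict_rules | sh
}

if [ "${1:-}" = "apply" ]; then
    vpn_restrict_apply
else
    vpn_restrict_rules
fi
```

Run it with no arguments to review the rules, with `apply` to install them. The INPUT drop on the tunnel interface keeps the client off the router's own services (web UI, SSH); the FORWARD chain only passes new connections from the client to the one host and port, and everything else the client sends is dropped. It does nothing about what the QuickBooks PC itself can reach, which is the point Colin raises below: once the user is on that PC, they have that PC's LAN access.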
 
The AC88U can run two OVPN servers, so that should be simple. Where would you suggest is the best place to read about how to use IPtables? I have not done any scripting yet.
 
Even if the VPN were to restrict them to connecting to one target PC once they connect to it they have the same access to the LAN as that PC does.
 
Even if the VPN were to restrict them to connecting to one target PC once they connect to it they have the same access to the LAN as that PC does.

Derp, glad Colin is thinking.
 
I understand that providing access to the PC running Quickbooks will then provide the person coming in on the VPN with access to whatever portion of the network the PC running Quickbooks has access to (including the router). Could I insert another router into the mix between the AC88U and the machine running Quickbooks? (Maybe port forward the OVPN connection to the second router running OVPN) Would that make a difference?
 
Unless you restrict your personal PC's access to the rest of the LAN... no. As soon as they remote to your PC it's like they're basically sitting at that machine in your house and have unfettered access to whatever you would normally have access to.

Do they need to have remote access to the PC or can you simply find a way to share the file they're editing?

I would have a share on my NAS, use the VPN IPtables to restrict access to the NAS only and have the user settings on the NAS to only allow access to that file
 
QuickBooks has a cloud version. If you move your QuickBooks to the cloud then your accountant does not need access to your network. He can logon to the cloud directly.

If you want to use your QuickBooks local you could use a separate PC and limit access to the PC maybe put it in a separate network by itself. And restrict the network to WAN access only like a guest network.
 
I would have a share on my NAS, use the VPN IPtables to restrict access to the NAS only and have the user settings on the NAS to only allow access to that file

Interestingly, this was my first idea, but apparently Quickbooks does not like to run in this mode - it supposedly becomes very sluggish if its files are not on the local LAN.

QuickBooks has a cloud version. If you move your QuickBooks to the cloud then your accountant does not need access to your network. He can logon to the cloud directly.

My goal was to avoid the $50-$100/month fee for two users to use Cloud Hosted Quickbooks (not Quickbooks online).

If you want to use your QuickBooks local you could use a separate PC and limit access to the PC maybe put it in a separate network by itself. And restrict the network to WAN access only like a guest network.

This was along the lines of what I was thinking, but not sure how to do this with a combo of routers (and possibly vlans). I could perhaps set up a primary router in front of the AC88U and another router "parallel" to the AC88U which in turn is connected to the PC running Quickbooks. The issue there however, is that I will not be able to access the QB file from my existing desktop on the primary network w/o using a VPN to the second network/new router. I suppose I could try that and see if the VPN speed on the LAN would be enough for my desktop to use.
 
This was along the lines of what I was thinking, but not sure how to do this with a combo of routers (and possibly vlans). I could perhaps set up a primary router in front of the AC88U and another router "parallel" to the AC88U which in turn is connected to the PC running Quickbooks. The issue there however, is that I will not be able to access the QB file from my existing desktop on the primary network w/o using a VPN to the second network/new router. I suppose I could try that and see if the VPN speed on the LAN would be enough for my desktop to use.

The easy way is to use a business class router that supports VLANs and routing networks.
 
The easy way is to use a business class router that supports VLANs and routing networks.

That still won't get around the issue of the remote user having full access to whatever that PC normally has access to on his LAN. The issue here is the use of VNC and regular everyday network access.

I think the only solution is to either

Option A) Restrict LAN access from your PC to the rest of the LAN with VLANs (business router or managed switch), but then not only will remote users not have access, YOU will also not have access from that computer to the rest of the LAN. Can be accomplished with a second router and iptables as well.
Option B) Move your Quickbooks to an entirely separate PC and do option A with it, i.e. segregate it from the rest of your network.

If you don't need access to anything else on your network from that PC then just option A will do; if you do need access to your LAN from that PC you need option B implementing option A.
 
An alternative that we had to implement at a place where I once worked was to only enable remote access for the duration it was required, try to restrict access from a particular source IP as well as the specific target PC, and then have someone sitting in front of the target PC watching what they were doing.

Now before everyone chimes in... yes I know that the remote user could still be accessing other parts of the LAN (or even the PC) without it being visible on the screen. But if this is just for an hour or two to do a specifically contracted task and you know and trust the third party (after all you asked them to connect to your network) then it might be an acceptable risk.
 
If you wanna go the ultra complicated route....

You could read about using robocfg to create Vlans on your router if it supports it, write a script that monitors for VPN connections, when they connect it can implement a Vlan restricting access, and when they disconnect you could revert the Vlans to normal....

Not easy, but just a thought. Quite honestly though I would do like Colin said and just monitor what they're doing.... if you notice shady stuff just find a new accountant haha
 
Thank you for all of the assistance!

I think the only solution is to either

Option A) Restrict LAN access from your PC to the rest of the LAN with VLANs (business router or managed switch), but then not only will remote users not have access, YOU will also not have access from that computer to the rest of the LAN. Can be accomplished with a second router and iptables as well.

Option B) Move your Quickbooks to an entirely separate PC and do option A with it, i.e. segregate it from the rest of your network.

If you don't need access to anything else on your network from that PC then just option A will do; if you do need access to your LAN from that PC you need option B implementing option A.

Ideally, Quickbooks will be running on a separate PC and will be the only application running on the separate PC. I do understand the idea of setting up a separate network or VLAN so that the Quickbooks PC will not be able to access any other PC or network resources. I am thinking that I could VPN in to the Quickbooks PC via the local LAN and perhaps that would provide enough speed (would need to test).

My question is around the exact configuration for this. Would I a) be replacing the AC88U with a business router (creating a VLAN for the Quickbooks machine and routing OVPN traffic to the VLAN), b) putting the business router behind the AC88U (and port forwarding the OVPN connection to the business router), or c) something else?

Now before everyone chimes in... yes I know that the remote user could still be accessing other parts of the LAN (or even the PC) without it being visible on the screen. But if this is just for an hour or two to do a specifically contracted task and you know and trust the third party (after all you asked them to connect to your network) then it might be an acceptable risk.

Ideally I would like to have this available at "any time" and be unmonitored so the accountant can access on demand.
 
That still won't get around the issue of the remote user having full access to whatever that PC normally has access to on his LAN. The issue here is the use of VNC and regular everyday network access.

I think the only solution is to either

Option A) Restrict LAN access from your PC to the rest of the LAN with VLANs (business router or managed switch), but then not only will remote users not have access, YOU will also not have access from that computer to the rest of the LAN. Can be accomplished with a second router and iptables as well.
Option B) Move your Quickbooks to an entirely separate PC and do option A with it, i.e. segregate it from the rest of your network.

If you don't need access to anything else on your network from that PC then just option A will do; if you do need access to your LAN from that PC you need option B implementing option A.

That's what I said. You missed reading all of what I said. The business router was to save you from running multiple routers with double NAT which seems to be preferred on this site. One business router is the easy way to me.
 
The really easy solution to this problem is to use Teamviewer. Can be installed on that one PC or run from the install file for one time use. Your accountant can just run it from her PC without installing.
 
I have seen Teamviewer used and it worked well. But you end up taking over the PC so it will need to be coordinated with the user. Not an anytime kind of thing.
 
That's what I said. You missed reading all of what I said. The business router was to save you from running multiple routers with double NAT which seems to be preferred on this site. One business router is the easy way to me.

Yes/no, I was clarifying your statement for the OP. Buying a new router wasn't the only option; in fact keeping his current router and buying a managed switch would actually be easiest (no need to reconfigure their current network). And double NAT isn't as big an issue as most people make it out to be; why it's so frowned upon is beyond me, it has its use cases.
 
Yes/no, I was clarifying your statement for the OP. Buying a new router wasn't the only option; in fact keeping his current router and buying a managed switch would actually be easiest (no need to reconfigure their current network). And double NAT isn't as big an issue as most people make it out to be; why it's so frowned upon is beyond me, it has its use cases.

Maybe so but you missed the big picture.
 
Maybe so but you missed the big picture.

As in what exactly?
The OP asked about isolating a PC on their LAN that someone is already using VNC to access. Not sure what else is part of the 'big picture'.
 