Hello,
I have installed SoftEther VPN for the first time on my test Raspberry and it works very nicely!!
The problem:
- the Raspberry runs the SoftEther VPN server and apache2
- I have one VPN hub bridged to the local network of the Raspberry and it works correctly
- the second VPN hub needs to be "isolated", with the possibility to contact only port 80 running on the Raspberry host....
How can I allow a specified group access only to the main host and not to the whole server network in bridged mode?
Thanks for your attention!!
vpnhub with local bridge limited to specified port
Re: vpnhub with local bridge limited to specified port
So if I understand correctly, you want the users of Hub2 to connect only to port 80. Correct?
If this is the case, why don't you assign Hub2 a specific subnet, say 192.168.40.1/28, and configure your firewall to allow only port 80 for this subnet?
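One way to carry out the reply above, as an added example that is not part of the thread or of SoftEther's own documentation. It assumes a setup the reply does not spell out: Hub2 is given a local bridge to a tap device on the Pi (vpncmd `BridgeCreate hub2 /DEVICE:hub2 /TAP:yes`, which Linux sees as `tap_hub2`), the Pi holds 192.168.40.1/28 on that tap, and a DHCP server for that subnet runs on the Pi. The tap matters: a local bridge straight to the physical NIC hands Hub2's frames to the LAN at layer 2, and the host firewall never sees them. With the tap, every packet from Hub2 enters the Pi's IP stack and nftables can pin it to one port.

```shell
#!/bin/sh
# Added example (not from the thread): nftables ruleset that lets Hub2 clients reach
# only one TCP port on the Raspberry Pi itself and nothing else.
#
# Assumed setup (not stated in the thread):
#   - Hub2 has a local bridge to a tap device, seen by Linux as "tap_hub2";
#     Hub2 traffic therefore passes through the host IP stack and netfilter.
#   - The tap carries 192.168.40.0/28 (the reply's subnet), the Pi holds
#     192.168.40.1 on it, and a DHCP server for that subnet runs on the Pi.
set -eu

# hub2_ruleset IFACE SUBNET HOSTIP PORT
# Prints an nftables ruleset for the given tap interface / subnet / host IP / TCP port.
hub2_ruleset() {
    iface=$1 subnet=$2 hostip=$3 port=$4
    cat <<EOF
table inet hub2_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # replies to connections the host itself opened towards Hub2 clients
        iifname "$iface" ct state established,related accept
        # DHCP requests arrive from 0.0.0.0, so allow them before the source check
        iifname "$iface" udp dport 67 accept
        # the one service Hub2 may use: TCP $port on the Pi's tap address only
        iifname "$iface" ip saddr $subnet ip daddr $hostip tcp dport $port accept
        # everything else from Hub2 (other host ports, spoofed sources) is dropped
        iifname "$iface" drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Hub2 must never be routed on to the LAN or the internet, in either direction
        iifname "$iface" drop
        oifname "$iface" drop
    }
}
EOF
}

# hub2_apply IFACE SUBNET HOSTIP PORT
# Loads the ruleset in one transaction, replacing any earlier hub2_guard table
# (the add-then-delete pair makes the delete safe on first run). Needs root.
hub2_apply() {
    { echo 'table inet hub2_guard'; echo 'delete table inet hub2_guard'; hub2_ruleset "$@"; } | nft -f -
}

# Usage: sh hub2_guard.sh print   -> show the ruleset
#        sh hub2_guard.sh apply   -> load it (as root)
case "${1:-}" in
    print) hub2_ruleset tap_hub2 192.168.40.0/28 192.168.40.1 80 ;;
    apply) hub2_apply tap_hub2 192.168.40.0/28 192.168.40.1 80 ;;
esac
```

Two things the ruleset does not cover: Hub2 clients can still talk to each other inside the hub, because that switching happens in SoftEther at layer 2 and never reaches the host; and IP forwarding stays unnecessary, since the only destination Hub2 is allowed is the Pi itself.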
Re: vpnhub with local bridge limited to specified port
Thank you.
Last question: how can I block an IP after X failed login attempts?
I'm trying OSSEC but it does not work.
Thanks.
Re: vpnhub with local bridge limited to specified port
Hmm. There isn't any such implementation in SoftEther as far as I know, but I found a couple of other solutions:
1- FreeRADIUS has a lockout implementation but needs some work on your side:
https://wiki.freeradius.org/guide/lockout
2- You can delay the response/reject in FreeRADIUS:
http://lists.freeradius.org/pipermail/f ... 80679.html
3- Log the number of login attempts and disable the user after some time. Here's how to maintain the login attempts:
https://wiki.freeradius.org/guide/FAQ#h ... l-database
Then, using a script, read this number periodically and disable users.
4- If you are connecting via the L2TP protocol, it uses port 500 for authentication and after that port 1701 for normal communication. You can add firewall/iptables rules to prevent denial of service (DoS) attacks on port 500, like in this example:
http://blog.bodhizazen.net/linux/preven ... -iptables/
Good luck
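Option 3 in the reply above, done per source IP as the question asked, as an added example that is not part of the thread or of SoftEther. It reads a log of authentication results, counts failures per IP, and emits the iptables commands for the addresses that crossed a threshold, so it can run from cron every few minutes. The log line format is an assumption (the sample lines are constructed for the example); SoftEther's per-hub security log is the natural source, but check its actual wording and adjust the grep and sed patterns before relying on this.

```shell
#!/bin/sh
# Added example (not from the thread): count failed VPN logins per source IP in a
# log file and emit firewall commands for the ones that crossed a threshold.
# Meant to run from cron every few minutes against the current log.
#
# ASSUMED log format (constructed for this example; check your own log and adjust
# the grep/sed patterns): one line per attempt that contains the words
# "authentication failed" and ends with "from <ipv4>".
set -eu

# failed_ips_over_threshold LOGFILE N
# Prints each source IP with at least N failed attempts in LOGFILE, one per line.
failed_ips_over_threshold() {
    logfile=$1 threshold=$2
    grep -i 'authentication failed' "$logfile" \
      | sed -n 's/.*from \([0-9][0-9.]*\)[^0-9.]*$/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# block_cmds LOGFILE N
# Turns the offending IPs into iptables commands. The "-C" check keeps the rule
# from being inserted twice when the script runs repeatedly on the same log.
block_cmds() {
    failed_ips_over_threshold "$1" "$2" | while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# write_sample_log FILE
# Constructed sample log so the script can be tried without a VPN server:
# 203.0.113.7 fails four times, 192.0.2.10 fails once and succeeds once.
write_sample_log() {
    cat >"$1" <<'EOF'
2017-01-03 10:00:01 User authentication failed. User 'admin' from 203.0.113.7
2017-01-03 10:00:04 User authentication failed. User 'admin' from 203.0.113.7
2017-01-03 10:00:09 User authentication failed. User 'root' from 203.0.113.7
2017-01-03 10:01:00 User authentication succeeded. User 'alice' from 192.0.2.10
2017-01-03 10:02:13 User authentication failed. User 'alice' from 192.0.2.10
2017-01-03 10:05:30 User authentication failed. User 'test' from 203.0.113.7
EOF
}

# Usage: sh vpn_lockout.sh /path/to/security.log 3 | sh    (as root, to block)
# Without arguments it runs against the constructed sample log and only prints.
if [ $# -ge 2 ]; then
    block_cmds "$1" "$2"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    block_cmds "$tmp" 3
    rm -f "$tmp"
fi
```

Blocking by IP is coarse: several real users behind one NAT address share the same fate as the attacker, and the rule never expires unless something removes it. The reply's own suggestion, disabling the user instead, trades that for the opposite problem, since an attacker can then lock out any account whose name they know; pick the one that matches who your users are.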