
Design: AllowedIPs based on ACL

Open gstorme opened this issue 5 months ago • 4 comments

Is your feature request related to a problem? Please describe.
Currently the AllowedIPs is applied to all devices that connect. It could be useful to allow for a more selective routing, based on the configured ACLs. We have a large list of subnets, but not every user/group should get these. Some users/groups should only get access to a specific set of resources. We can of course restrict/customize this with ACLs, but it could be seen as a security issue to push these routes anyhow, and the user(s) would only expect a certain set of resources to be routed over the VPN, instead of all our subnets.

Describe the solution you'd like
A setting which allows to not provision the AllowedIPs (from location settings) on user/group level, but instead set the AllowedIPs to what is configured in the ACL for that user/group.

Describe alternatives you've considered
Work with multiple defguard locations for each set of AllowedIPs
Keep current solution for those users/groups (Fortigate SSLVPN with Split tunneling Enabled Based on Policy Destination)

gstorme avatar Jul 31 '25 22:07 gstorme

@gstorme We want to design this feature and put it on the roadmap, could you describe the ideal solution for you? Eg. should we expand the Location settings (with possibility to connect some AllowedIPs with some already defined ACLs?) Or the other way around (eg. add AllowedIPs section in the ACL itself)? Or any other idea?

teon avatar Oct 08 '25 14:10 teon

Great! My idea:

Add an option in the location settings, to choose between entering AllowedIPs manually (same as now), or have it "Generate AllowedIPs based on ACL rules". When that option is selected, it would require having the "Enable ACL for this location" too, before being able to save.

This way, you can have a location that generates AllowedIPs for clients, which will only contain destinations they have access to, based on the deployed rules.

You already have code to generate non-overlapping IP ranges from the ACL rules, to generate nftables rules. It would be good to use something similar to generate the AllowedIPs.

gstorme avatar Oct 08 '25 21:10 gstorme

@gstorme to double check if I understand correctly - the Generate AllowedIPs based on ACL rules would add allowed IPs based on all allowed destinations that the user/group has? Meaning only the networks defined either in Aliases or IPv4/IPv6 CIDRs section? Do I understand it correctly?

teon avatar Oct 29 '25 17:10 teon

Yes, that is correct

gstorme avatar Oct 29 '25 21:10 gstorme
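The behaviour proposed in gstorme's comment and confirmed in the last exchange (AllowedIPs derived from the allowed destinations, aliases and IPv4/IPv6 CIDRs, of the ACL rules that match a user's groups, collapsed into non-overlapping ranges) sketched as an added example; this is illustrative code, not defguard's implementation, and the alias, rule and location data below are constructed.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample data (not defguard's data model): the location's manually
# entered AllowedIPs, the aliases, and ACL rules granting destinations to groups.
LOCATION_ALLOWED_IPS = ["10.0.0.0/8", "172.16.0.0/12", "fd00::/8"]
ALIASES = {
    "intranet": ["10.10.0.0/16", "10.10.5.0/24"],   # overlapping on purpose
    "git": ["10.20.0.0/24", "10.20.1.0/24"],        # adjacent, can be merged
}
ACL_RULES = [
    {"groups": {"dev"}, "aliases": ["intranet", "git"], "cidrs": ["172.16.4.0/23"]},
    {"groups": {"ops"}, "aliases": ["intranet"], "cidrs": ["10.10.6.0/24", "fd00:1::/64"]},
    {"groups": {"finance"}, "aliases": [], "cidrs": ["172.17.0.0/16"]},
]


def destinations_for(groups):
    """Collect every destination network from rules that match any of the groups."""
    nets = []
    for rule in ACL_RULES:
        if not rule["groups"] & groups:
            continue
        for alias in rule["aliases"]:
            nets += [ip_network(c) for c in ALIASES[alias]]
        nets += [ip_network(c) for c in rule["cidrs"]]
    return nets


def allowed_ips_from_acl(groups, mode="acl"):
    """Return the AllowedIPs list for a device of a user in `groups`.

    mode="manual" keeps today's behaviour: every device gets the location-wide list.
    mode="acl" derives the list from the ACL rules only, so a user who matches no
    rule gets no routes at all. Overlapping and adjacent networks are merged per
    address family (collapse_addresses refuses mixed IPv4/IPv6 input).
    """
    if mode == "manual":
        nets = [ip_network(c) for c in LOCATION_ALLOWED_IPS]
    else:
        nets = destinations_for(groups)
    v4 = collapse_addresses(n for n in nets if n.version == 4)
    v6 = collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in sorted(v4)] + [str(n) for n in sorted(v6)]
```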