Hardware VPN and home security

[levdev]

I have a server in my office which has a hardware vpn to my house (Draytek to Draytek router) . The main purpose is to allow the server to send an offsite image backup remotely to a pc at my house (which is dedicated for the purpose of image replication). It also enables me to access files on the server from home.

At home I have the backup PC, as well as a NAS drive and some other pc's connected to the same home network. All of this is working ok, except I realised the other day that all of the users in the office can access my shared folders and drives at home. In particular the backup PC is fully accessible, meaning anyone could copy or delete the server images. The backup images are encrypted, but it's obviously not an ideal situation.

What is the best way to secure the shared drive on the backup pc on my home network from users in the office, but still allow the office server to have access for the image backup?

Any help would be much appreciated.

[BritBronco]

I do something similar, i restrict the vpn traffic from a range of ips that i keep my home gear on.

[trek]

Permit traffic only originating from the server on the office subnet to cross the tunnel.

[levdev]

Thanks for the suggestions. How do I setup these restrictions? Is it a setting in the VPN manamagement in the router, or in the firewall, or something else?

[The_Decryptor Veteran]

Ideally you'd have 2 networks (via something like VLANs or such), one being the normal office network, and one being the VPN to your home server. The backup server would sit on both networks so that people at the office could access it, while they couldn't access the VPN network, and vice versa.

[+BudMan MVC]

"Permit traffic only originating from the server on the office subnet to cross the tunnel."

There you go, that is how you would do it. You have a site to site setup -- so for example on a pfsense box vpn, I can create rules to restrict who can use the vpn connection(s)

Currently I allow any IP to go out the tunnel, this is to allow me to access anything on my network, be it on the wlan, the dmz, etc. while I am connected via the vpn.

But say I wanted only 192.168.1.100 to be able to use the tunnel, I could setup a rule like this

Now only 192.168.1.100 can use the vpn interface. If you wanted to get fancier you could set destination restrictions as well. So it could only access specific ports or IPs, etc..

You will need to RTFM of your router to see if it provides such features, I would assume it does.

[levdev]

Thanks for your help. In the end I found a setting as part of the LAN-LAN vpn connection management to set the remote netowrk IP and subnet. I set the IP address to match the servers IP address with a subnet mask of 255.255.255.255. As such now my vpn connection from the house dials to the server and when the link is established it only allows traffic from the servers IP address.

I also found this link also quite useful:

http://technet.microsoft.com/en-us/library/cc958037.aspx