Configuring Firewall Rules for OffSec VPN Connection

  • Updated
Follow
Clients will receive an OpenVPN configuration pack that connects to one of the following VPN pool hostnames:
  • vpn-pool1.offseclabs.com
  • vpn-pool2.offseclabs.com

These hostnames are backed by GeoDNS-based load balancing.
Depending on the client’s geographic location, DNS resolution will direct traffic to one of our regional OpenVPN endpoints:

  • EU2: lb-eu2-prod.uvpn.ospl.offseclabs.com
  • NA3: lb-na3-prod.uvpn.ospl.offseclabs.com
  • AP1: lb-ap1-prod.uvpn.ospl.offseclabs.com

Important Note on IP Address Changes

Because GeoDNS routing is dynamic, the resolved IP addresses may change over time as traffic is shifted between regions or load balancer nodes.

Firewall Request

Please allow outbound UDP port 1194 to the VPN pool hostnames above, or alternatively to the full set of regional load balancer IP ranges supporting:

  • EU2
  • NA3
  • AP1
Allow-listing by FQDN is strongly recommended where supported.
 
If IP allow-listing is required (IPv4)
In the case where IP Allowlisting is required, allow UDP/1194 to the following IP addresses:
 
European (EU2)
  • 198.244.169.74
  • 54.36.227.175
  • 51.89.135.88
  • 51.89.135.148
  • 51.68.218.236
 
North America (NA3)
  • 142.44.251.218
  • 142.44.251.219
  • 142.44.251.220
  • 142.44.251.221
  • 142.44.251.222
 
Asia Pacific (AP1)
  • 51.79.170.67
  • 51.79.169.187
  • 51.79.169.191
  • 51.79.170.83
  • 51.79.170.192

Protocol/Port: UDP 1194 (OpenVPN)

Troubleshooting – Verifying Current VPN Endpoint IPs

Because the VPN pools use GeoDNS and load-balanced regional endpoints, the resolved IP addresses may change over time.
If firewall rules are configured using static IP addresses instead of FQDNs, please verify that the currently resolved IPs match those allow-listed.

Step 1 – Resolve the Regional Load Balancer Hostnames
Run the following command from a system with DNS access:

host lb-eu2-prod.uvpn.ospl.offseclabs.com
host lb-na3-prod.uvpn.ospl.offseclabs.com
host lb-ap1-prod.uvpn.ospl.offseclabs.com
Example output:
lb-eu2-prod.uvpn.ospl.offseclabs.com has address 198.244.169.74
lb-eu2-prod.uvpn.ospl.offseclabs.com has address 54.36.227.175
...
Each hostname may resolve to multiple IP addresses (load-balanced nodes).
 
Step 2 – Compare Against Firewall Allow List
Confirm all returned IP addresses are present in the firewall rules.
If new IPs appear, they must be added to the allow list for:
Protocol: UDP
Port: 1194

Step 3 – Test Connectivity (Optional)
After updating the firewall, connectivity can be validated by attempting a VPN connection using the provided configuration pack.

Related articles

Powered by Zendesk