Restricting Access to VPN
By default, all users in the same Open Directory domain as the VPN server (or all local user accounts on a stand-alone server that is not part of an Open Directory infrastructure) can establish VPN connections once the VPN service is configured and started. You can restrict access to individual users or groups by using service level access control lists (ACLs), which lets you either maintain dedicated VPN access groups or grant VPN access to existing groups or individual users.
To configure a service level ACL for the VPN service, select the server’s name or IP address in the Computers and Services list in Server Admin (which displays the general server information and settings), then select the Settings pane along the bottom of the left-hand pane and then the Access tab (as shown in Figure 3). By default, the Use Same Access For All Services checkbox is selected. When you uncheck this option, you can select individual services (in this case, the VPN service) in the Services listbox and configure an ACL for each of them.
Figure 3 Configuring a service level ACL in Server Admin
To configure an ACL for the VPN service, select it in the listbox and then select the Allow Only Users And Groups Below radio button. You can now specify which users and groups will be allowed access to the VPN service (and, as a result, remote access via VPN). To add users and/or groups, click the Add button below the ACL’s listbox, which displays a drawer containing the available users and groups. Drag the users and/or groups into the ACL’s listbox. To remove a user or group, select the name in the listbox and click the remove (minus sign) button.