Geo-Fencing
Restrict VPN access based on client source IP addresses.
Overview
Geo-fencing uses a whitelist model—only connections from explicitly allowed IP ranges are permitted.
Enabling Geo-Fencing
- Navigate to Administration → Geo-Fencing
- Toggle Enable Geo-Fencing
- Select enforcement mode:
  - Enforce: Block connections from unlisted IPs
  - Audit: Log violations but allow connections (for testing)
Creating Rules
- Click Add Rule
- Enter:
  - Name: "US Office"
  - CIDR: "203.0.113.0/24"
  - Description: "US headquarters IP range"
- Save
Rule Assignment
Global Rules
Apply to all users:
- Go to Global Rules tab
- Add rules that should apply to everyone
Group Rules
Apply to specific groups:
- Go to Group Rules tab
- Select a group
- Add rules for that group
User Rules
Apply to specific users:
- Go to User Rules tab
- Select a user
- Add rules for that user
Rule Priority
Most specific wins:
| Priority | Level | Description |
|---|---|---|
| 1 (highest) | User | Rules assigned directly to user |
| 2 | Group | Rules assigned to user's groups |
| 3 (lowest) | Global | Default rules for everyone |
If a user has user-specific rules, only those are evaluated.
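The priority order and the two enforcement modes can be modelled in a few lines; this is an added example, not the product's own code. The user and group names and the contractor range are constructed, and it assumes that group rules replace global rules the same way user rules do and that a source IP matching no rule is a violation.

```python
import ipaddress

# Constructed sample rules; the user and group names are hypothetical.
GLOBAL_RULES = ["203.0.113.0/24"]                    # the page's "US Office" range
GROUP_RULES = {"contractors": ["198.51.100.0/25"]}
USER_RULES = {"alice": ["0.0.0.0/0", "::/0"]}        # remote-worker exception


def effective_rules(user, groups):
    """Return (level, cidrs) for the most specific level that has rules."""
    if USER_RULES.get(user):
        return "user", USER_RULES[user]
    # Assumption: group rules replace global rules the same way user rules do.
    group_cidrs = [c for g in groups for c in GROUP_RULES.get(g, [])]
    if group_cidrs:
        return "group", group_cidrs
    return "global", GLOBAL_RULES


def evaluate(user, groups, source_ip, mode="enforce"):
    """Match the source IP against the allowlist, then apply the mode."""
    if mode not in ("enforce", "audit"):
        raise ValueError(f"unknown mode: {mode}")
    ip = ipaddress.ip_address(source_ip)
    level, cidrs = effective_rules(user, groups)
    nets = [ipaddress.ip_network(c) for c in cidrs]
    matched = any(ip.version == n.version and ip in n for n in nets)
    return {
        "level": level,
        "matched": matched,
        "violation_logged": not matched,          # both modes log violations
        "allowed": matched or mode == "audit",    # only Enforce blocks
    }


if __name__ == "__main__":
    cases = [
        ("bob", [], "203.0.113.10", "enforce"),
        ("bob", [], "192.0.2.1", "audit"),
        ("carol", ["contractors"], "203.0.113.10", "enforce"),
        ("alice", ["contractors"], "192.0.2.77", "enforce"),
    ]
    for user, groups, ip, mode in cases:
        print(user, ip, mode, evaluate(user, groups, ip, mode))
```

Under these assumptions a contractor connecting from the global office range is still rejected, because the group-level rules are the only ones evaluated for that user.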
Use Cases
Country Restriction
Allow only connections from specific countries by adding rules for those countries' IP ranges.
Office Only
Restrict access to corporate office IP addresses.
Remote Worker Exception
Allow specific users from any IP while restricting others.
Contractor Restrictions
Limit contractors to office network only.
Testing
- Enable geo-fencing in Audit mode
- Monitor the audit logs for violations
- Adjust rules as needed
- Switch to Enforce mode when ready