How to restrict access from cloud network to local network

Posted: Tue Mar 28, 2023 2:45 am
by Pratik
We have a deployment of a LAN-to-LAN VPN (using L3 IP routing).
The VPN Server is deployed on the cloud network.
The VPN Bridge is deployed on the local network.
While this allows for the communication between the two networks that we needed, it creates a potential vulnerability in the event of a hack on the cloud network.
If an attacker gains access to the cloud network, they can use this link to gain access to the local network.
How can we restrict the access from the cloud network with network address 10.100.1.0/24 to the local network with the network address 192.168.0.0/16?

Re: How to restrict access from cloud network to local network

Posted: Tue Mar 28, 2023 6:51 am
by shakibamoshiri
There are some minor enhancements you can do with a "firewall". Two parts:
restricting ports
  for example, if login from cloud to local via SSH is not needed, DROP it
restricting protocols
  for example, if UDP or ICMP is not needed, DROP it

For the firewall you can use the SE "access list" or the OS firewall.

If the VPN Bridge is running "directly" within the network, then the above are just minor enhancements, and two other parts need to be taken into consideration:
restricting routes/networks
  as narrow as possible; 192.168.0.0/16 is huge, more subnet division could be better
restricting the bridge
  by creating a VM or configuring a dedicated PC just for the VPN (running the Bridge) which acts as a "gateway", and other PCs (if needed) are routed to this VPN gateway

It is worth mentioning that the SE VPN Bridge acts like a "reverse tunnel" or a "backdoor in the enterprise", so the edge firewalls are not helpful here.
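A concrete version of the firewall side of the advice in this reply (restrict ports, restrict protocols, narrow the routed networks, put the Bridge on a dedicated gateway host), as an added example that is not from the original thread and not SoftEther's own configuration: an nftables ruleset for a Linux VM or PC that runs the VPN Bridge and forwards between the tunnel and the LAN. The interface names vpn0 and lan0, the narrowed LAN subnet 192.168.10.0/24, the allowed ports 443 and 5432, and the helper function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: nftables policy for a dedicated VPN-gateway host (VM or PC)
# that runs the SoftEther Bridge and sits between the tunnel and the LAN.
# Assumptions (not from the thread): the tunnel side is interface vpn0,
# the LAN side is lan0, the cloud network is 10.100.1.0/24, and only the
# subnet 192.168.10.0/24 (instead of the whole 192.168.0.0/16) may be reached
# from the cloud, and only on TCP 443 and 5432.

CLOUD_NET="10.100.1.0/24"
LAN_ALLOWED="192.168.10.0/24"
VPN_IF="vpn0"
LAN_IF="lan0"

# Emit the ruleset as text. Kept in a function so it can be reviewed,
# syntax-checked (nft -c -f -) or tested without touching the live firewall.
gen_vpn_gateway_rules() {
    cat <<EOF
flush ruleset
table inet vpn_gw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that an allowed rule below already accepted.
        ct state established,related accept

        # Restricting ports: SSH from the cloud side is not needed, drop and log it.
        iifname "$VPN_IF" tcp dport 22 log prefix "vpn-gw-ssh: " drop

        # Restricting protocols: no UDP or ICMP from the cloud side.
        iifname "$VPN_IF" meta l4proto { udp, icmp } drop

        # Restricting routes/networks: cloud -> one small LAN subnet, listed TCP ports only.
        iifname "$VPN_IF" oifname "$LAN_IF" ip saddr $CLOUD_NET ip daddr $LAN_ALLOWED tcp dport { 443, 5432 } ct state new accept

        # LAN hosts routed through this gateway may initiate toward the cloud.
        iifname "$LAN_IF" oifname "$VPN_IF" ip saddr $LAN_ALLOWED ip daddr $CLOUD_NET accept

        # Anything else arriving from the tunnel (other 192.168.x.x subnets, other ports) is logged and dropped.
        iifname "$VPN_IF" log prefix "vpn-gw-drop: " drop
    }
}
EOF
}

# Small model of the decision order above for one hypothetical cloud-originated
# flow (protocol, then destination subnet, then port), so the intent can be
# checked on a workstation without a kernel: prints "accept" or "drop".
classify_cloud_flow() {
    # $1 = destination IP, $2 = protocol (tcp/udp/icmp), $3 = destination port
    case "$2" in
        tcp) ;;
        *) echo drop; return ;;
    esac
    case "$1" in
        192.168.10.*) ;;
        *) echo drop; return ;;
    esac
    case "$3" in
        443|5432) echo accept ;;
        *) echo drop ;;
    esac
}

# Apply only when explicitly asked (needs root and nftables on the gateway host).
if [ "${1:-}" = "apply" ]; then
    gen_vpn_gateway_rules | nft -f -
fi
```

Run it with no arguments to print nothing and just define the functions, with `apply` on the gateway to load the ruleset, or pipe `gen_vpn_gateway_rules` output into `nft -c -f -` to syntax-check it first. The default-drop forward policy is what makes the narrowing real: a new subnet or port reachable from the cloud has to be added explicitly, and the final logging rule shows you what an attacker on the cloud side is probing for.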