I thought I would share the Flow Rules I have set up to restrict traffic on the VPN to Remote Desktop only. I have further restricted the RDP connections to those between computers with the same Tag. This allows users who have a computer at home to Remote Desktop to their work computer. It stops all other traffic and stops users connecting to computers other than their own.
Once the rule has been saved, A Tags Matrix will show up towards the bottom of the screen. To allow a computer to RD to another you must set the tag for both nodes to the same user.
#
# This rule set allows IPv4 traffic only
# and restricts traffic to Remote Desktop between matching user tags
#
# Create a tag for which user someone is
tag users
id 1000 # arbitrary, but must be unique
enum 100 Andrew # has no meaning to filter, but used in UI to offer a selection
enum 200 John
enum 300 Betty
;
#
# Allow only IPv4 and ARP Ethernet frames.
#
drop
not ethertype ipv4
and not ethertype arp
;
#
# Uncomment to drop non-ZeroTier issued and managed IP addresses.
#
# This prevents IP spoofing but also blocks manual IP management at the OS level and
# bridging unless special rules to exempt certain hosts or traffic are added before
# this rule.
#
drop
not chr ipauth
;
# Nothing will work if ARP packets aren't allowed through
accept ethertype arp;
# Anyone can ping anyone on the VPN. This is mainly for testing purposes
accept ipprotocol icmpv4; # accept pings
# Only allow connection if sending and receiving user tags are the same
# This restricts users to only RD on their own devices
drop not tdiff users 0; # difference between users tags is not 0, meaning they don't match
# Only accept RDP connections
# This stops other connections such as file sharing
drop not ipprotocol tcp;
accept dport 3389; # Destination is RDP
drop chr tcp_syn and not chr tcp_ack; # No new TCP connections (except RDP)
accept; # Accept what's left, returning RDP traffic
# Reject all other packets
drop
;