Banning people connecting clients can be done from the dashboard or on your own backend (HTTP). What differs is how far the connecting client gets before being rejected. This article covers banning clients at the proxy or tunnel edge.
By default when no rules are specified any client can connect.
CIDR format refers to a way of referring to an IP range (or single IP). It allows for maximum flexibility in rules. It appends to the address a slash character and the decimal number of leading bits of the routing prefix, e.g., 192.168.2.0/24 for IPv4, and 2001:db8::/32 for IPv6.
Common CIDR rules
0.0.0.0/0 - All IP addresses 188.8.131.52/32 - Just 184.108.40.206 192.168.2.0/24 - 192.168.2.1 - 192.168.2.255
Rules are executed from top down, the first matching rule is the one that takes affect. For example the following example.
1) deny 192.168.1.1; 2) allow 10.1.1.0/16; 3) allow 192.168.1.0/24; 4) deny 0.0.0.0/0;
This configuration specifies that only 10.1.1.0/16 and 192.168.1.0/24 (with the exception of 192.168.1.1) are allowed to access the server.
If an IP address is entered without a CIDR suffix, it will default to /32 (aka just that IP).
A Subnet Calculator exists to help with the calculations.