OpenVPN – How to Block Internet Access for Clients and Restrict Traffic to VPN Network

firewall, iptables, linux, openvpn, Ubuntu

I set up an OpenVPN server using openvpn-install. I would like clients to be able to connect to the VPN server, but any traffic aimed towards the internet instead of the VPN's local network should be blocked.

I have seen many solutions proposing adding push commands to server.conf requesting that clients use their own network for internet traffic by default; however, these requests can be ignored by clients – this is not something I want.

I only want VPN clients to be able to access the local VPN network (at 10.8.0.0/24); all other traffic should be rejected by the VPN server, and clients should use their own networks for it.

How can I forcibly block internet traffic from VPN clients?

Best Answer

This can be achieved through the use of iptables, by blocking traffic headed from the OpenVPN network interface to the network interface with internet access.

openvpn-install creates a few iptables configuration files that manage the rules for you.

The following instructions assume that:

  • tun0 is the network interface of OpenVPN
  • eth0 is the network interface with internet access

Cleaning Initial Rules

First, we need to disable the current rules loaded by openvpn-install by running the following command:

systemctl stop iptables-openvpn

Configuration Files

Note: using DROP instead of REJECT is also valid; it just doesn't return an error to the VPN client. See the iptables man page for more info.

add-openvpn-rules.sh

In /etc/iptables/add-openvpn-rules.sh, change the line from:

iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT

to:

iptables -I FORWARD 1 -i tun0 -o eth0 -j REJECT

rm-openvpn-rules.sh

In /etc/iptables/rm-openvpn-rules.sh, change the line from:

iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT

to:

iptables -D FORWARD -i tun0 -o eth0 -j REJECT

Applying The Changes

Run the following command and your changes should be saved and in effect:

systemctl start iptables-openvpn

Split Tunneling

Pushing routes to the VPN clients can then be used to request they send internet traffic through their own network. Here are the lines I added to my OpenVPN server.conf file to achieve this (my VPN network is at 10.8.0.0/24):

push "route 10.8.0.0 255.255.255.0 vpn_gateway"
push "route 0.0.0.0 0.0.0.0 net_gateway"
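The following is an added example, not code from the question, the answer or openvpn-install. It wraps the two edited lines from the "Configuration Files" section into one small script that inserts, removes and checks the blocking FORWARD rule idempotently. The interface names (tun0, eth0) are the same assumptions the answer makes and can be overridden from the environment; the `IPTABLES` variable exists so the script can be pointed at a wrapper for a dry run.

```shell
#!/bin/sh
# Added example (not from the answer or openvpn-install): install, remove and
# check the FORWARD rule that blocks VPN clients from reaching the internet.
# Assumptions: tun0 is the OpenVPN interface and eth0 the internet-facing one,
# as in the answer. Override with VPN_IF=... WAN_IF=... if yours differ.
IPTABLES="${IPTABLES:-iptables}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Returns 0 if the blocking rule is already in the FORWARD chain.
# iptables -C only matches a rule exactly, which is also why the answer
# changes rm-openvpn-rules.sh: a "-D ... -j ACCEPT" would no longer match
# the REJECT rule and the removal would silently fail.
check_rules() {
    $IPTABLES -C FORWARD -i "$VPN_IF" -o "$WAN_IF" -j REJECT >/dev/null 2>&1
}

# Insert at position 1 so the REJECT is evaluated before any ACCEPT rule
# that openvpn-install or another tool may have left in the chain.
# Skipped if the rule is already present, so the script can be re-run safely.
add_rules() {
    check_rules || $IPTABLES -I FORWARD 1 -i "$VPN_IF" -o "$WAN_IF" -j REJECT
}

# Remove the rule; the match must be identical to the inserted one.
rm_rules() {
    $IPTABLES -D FORWARD -i "$VPN_IF" -o "$WAN_IF" -j REJECT
}

# Print the FORWARD chain in rule-spec form so the result can be inspected.
show_rules() {
    $IPTABLES -S FORWARD
}

case "${1:-}" in
    add)   add_rules ;;
    rm)    rm_rules ;;
    check) check_rules && echo "blocking rule present" || echo "blocking rule missing" ;;
    show)  show_rules ;;
esac
```

Run it as `sh block-vpn-internet.sh add` (as root) to install the rule, `check` to confirm it is in place, and `show` to see the full chain. Because the rule lives in the FORWARD chain it only affects traffic the server routes on behalf of clients; packets addressed to the VPN server itself go through INPUT and are unaffected, which is what keeps the 10.8.0.0/24 network reachable while the internet is not.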