I setup an OpenVPN server using openvpn-install. I would like clients to be able to connect to the VPN server, but any traffic aimed towards the internet instead of the VPN's local network should be blocked.
I have seen many solutions proposing adding push commands to server.conf requesting that clients use their own network for internet traffic by default, however these requests can be ignored by clients – this is not something I want.
I only want VPN clients to be able to access the local VPN network (at 10.8.0.0/24), all other traffic should be rejected by the VPN server and clients should use their own networks for it.
How can I forcibly block internet traffic from VPN clients?
Best Answer
This can be achieved through the use of iptables, by blocking traffic headed from the OpenVPN network interface to the network interface with internet access. openvpn-install creates a few iptables configuration files that manage the rules for you.
The following instructions assume that:
- tun0 is the network interface of OpenVPN
- eth0 is the network interface with internet access
Cleaning Initial Rules
First, we need to disable the current rules loaded by openvpn-install by running the following command:
Configuration Files
Note: using DROP instead of REJECT is also valid, it just doesn't return an error to the VPN client. See the iptables man page for more info.
add-openvpn-rules.sh
In /etc/iptables/add-openvpn-rules.sh, change the line from:
to:
rm-openvpn-rules.sh
In /etc/iptables/rm-openvpn-rules.sh, change the line from:
to:
Applying The Changes
Run the following command and your changes should be saved and in effect:
Split Tunneling
Pushing routes to the VPN clients can then be used to request they send internet traffic through their own network. Here are the lines I added to my OpenVPN server.conf file to achieve this (my VPN network is at 10.8.0.0/24):
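The following script is an added example of the kind of iptables rules the answer describes, written for this page; it is not the answer's own edit to the openvpn-install files and not code from the openvpn-install project. It takes tun0, eth0 and 10.8.0.0/24 from the thread; the choice of the FORWARD chain, the add/remove actions, the POLICY switch between REJECT and DROP, and the DRY print mode are this script's own assumptions. It goes slightly beyond the answer in that one function produces both the add and the remove rules, so the same logic can serve both add-openvpn-rules.sh and rm-openvpn-rules.sh.

```shell
#!/bin/sh
# Added example, not code from the answer or from openvpn-install.
# Assumed names: tun0 = OpenVPN interface, eth0 = internet-facing interface,
# 10.8.0.0/24 = VPN subnet (all three come from the thread). The FORWARD-chain
# rules, the POLICY switch and the DRY print mode are this script's own design.
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
POLICY="${POLICY:-REJECT}"   # REJECT answers the client with an ICMP error; DROP discards silently

# Run one iptables command, or only print it when DRY=1 (review on a host without root).
ipt() {
    if [ "${DRY:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit the two FORWARD rules that keep VPN clients inside the VPN network.
#   $1: -I to insert the rules, -D to delete them
#   $2: REJECT or DROP
vpn_rules() {
    action="$1"
    policy="$2"
    # Refuse anything arriving on the VPN interface that would leave via the WAN interface.
    ipt "$action" FORWARD -i "$VPN_IF" -o "$WAN_IF" -j "$policy"
    # Forwarded traffic to other hosts in the VPN subnet stays allowed. With -I each new
    # rule lands at the top of the chain, so inserting this one second puts it first.
    ipt "$action" FORWARD -i "$VPN_IF" -d "$VPN_NET" -j ACCEPT
}

case "${1:-}" in
    add)    vpn_rules -I "$POLICY" ;;
    remove) vpn_rules -D "$POLICY" ;;
    *)      DRY=1 vpn_rules -I "$POLICY" ;;   # no argument: only show what would be applied
esac
```

Run it as `sh block-clients.sh add` (or `remove`) as root; with no argument it prints the rules instead of applying them. Because the rules are inserted with -I they sit above the ACCEPT and MASQUERADE rules openvpn-install sets up, so client packets for the internet are refused before NAT ever sees them, while traffic between VPN clients is still forwarded. `iptables -L FORWARD -v -n` shows the packet counters on the REJECT/DROP rule, which is a quick way to confirm that clients really are being blocked rather than ignoring a pushed route.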