I'm running OpenVPN 2.3.7 on CentOS 6. I'm using routing (tun) and have two instance of OpenVPN. On the second instance there are two clients that I'd like to be make visible to each other i.e ping, access ports etc. They are both within the same subnet, so it should be fairly straight forward, they are configured with static addresses through ccd.
I want the two clients to be able to see each other via their OpenVPN LAN IP addresses without enabling client-to-client in the server.conf.
I'm pretty sure it can be done with iptables, which I use as my firewall, although I use CSF, but its a wrapper for iptables.
These are the IPv4 addresses of the clients:
OpenVPN Client #1: 10.8.2.14
OpenVPN Client #2: 10.8.2.17
I need to client #1 to be able to access services running on client 2, and I guess for compatibility client #2 to see client #1 if a response is required.
I have tried several FORWARD chain rules on the OpenVPN server, but I can't get any communication between the two clients. The OpenVPN server can obviously ping both clients, the clients can ping the OpenVPN server gateway, the clients cannot obviously see each other.
Some rules I've already tried and haven't worked:
iptables -A FORWARD -s 10.8.2.14 -d 10.8.2.17 -j ACCEPT
iptables -A FORWARD -s 10.8.2.17 -d 10.8.2.14 -j ACCEPT
I'm looking for help with iptables to get the two clients visible to each other, without enabling client-to-client, see this is a special requirement for two clients and not needed anywhere else.
The alternative is exposing the services on the VPN client through NAT, but I'd rather avoid doing this for security.
Any insight would be helpful!
Thanks,
James
Best Answer
I suggest you do the reverse: enable
client-to-clientand then use iptables to block all clients but the two you want to allow to talk to each other.