I have my openvpn server up and running and I push certain routes to my clients via the ccd directive, I would like to know how I can update the iptables based on the ccd files when the client connects.
So let's say my ccd for client1 is:
ifconfig-push 10.8.0.45 255.255.255.0
push 'route 10.10.0.45'
and I want to add this to the iptables.
iptables -A FORWARD -s 10.8.0.45 -d 10.10.0.45 -j ACCEPT
and then
iptables -A FORWARD -s 10.8.0.0/24 -d 10.10.0.0/16 -j DROP
If someone can point me in the right direction it would be much appreciated, I'm fairly newb with bash scripts.
Best Answer
You can hook many scripts into an OpenVPN configuration, which receive many parameters from the server as environment variables: cf. the Reference Manual.
You are mostly interested in the up and down scripts to insert the DROP rule at server startup and shutdown, and the client-connect and client-disconnect scripts for per-client rules. You need to modify your server config to contain:
The /etc/openvpn/updown.sh script will create an OPENVPN chain and link it from the FORWARD chain:
/etc/openvpn/client.sh will be more complicated: while the public and private IP addresses of the remote client are contained in ifconfig_remote and ifconfig_pool_remote_ip, you will need to parse the ccd file to find out which routes you sent to the client: