I have a problem with limiting "clients" on my VPN server.
I was reading the FAQ about using iptables with the client-to-client option disabled, but I cannot get it to run.
The question is how to correctly allow a chosen client to communicate with other networks.
Here is my openvpn.conf:
port 1194
proto udp
dev tun
ca ./keys/ca.crt
cert ./keys/hub.crt
key ./keys/hub.key # This file should be kept secret
dh ./keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
### ADD ROUTES FOR OTHER IP
route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0
route 10.8.3.0 255.255.255.0
route 10.9.1.0 255.255.255.0
push "route 10.8.1.0 255.255.255.0"
push "route 10.8.2.0 255.255.255.0"
push "route 10.8.3.0 255.255.255.0"
push "route 10.9.1.0 255.255.255.0"
# IF YOU WANT TO DISABLE OPTION TO CONNECT CLIENT TO CLIENT JUST PUT A HASH
# client-to-client
# CLIENT USING THEIR OWN CONFIG DIRECTORY
client-config-dir ccd
keepalive 10 120
comp-lzo
max-clients 200
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
mute 20
management localhost 7505
In the ccd directory, client A has the line
ifconfig-push 10.8.1.9 10.8.1.10
and client B has the line
ifconfig-push 10.8.2.1 10.8.2.2
The administrator gets an IP from the server range 10.8.0.0, etc.
Assume I created a firewall to choose which clients are able to communicate with each other:
### firewall.sh
# Enabled Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# this will clear all rules from FORWARD
iptables -F FORWARD
# set default policy to drop all packets.
# After executing this command, the clients
# shouldn't be able to reach each other anymore
iptables -P FORWARD DROP
# allow all active connections to pass
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Sysadmin rule - Administrator getting full access
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.2.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.3.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.9.1.0/24 -j ACCEPT
# Clients rules
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.9.1.0/24 -j ACCEPT
# Clients rules
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.8.3.0/24 -j ACCEPT
# Specific clients access
iptables -A FORWARD -i tun0 -s 10.8.3.5 -d 10.8.2.1 -j ACCEPT
Unfortunately these rules do not work.
So the final question: where did I make a mistake?
Best Answer
You cannot make this network setup using the ccd feature, because your OpenVPN server needs to have an address in each subnet you want to use. You should run multiple copies of OpenVPN, one for each /24 subnet that you are using. Each OpenVPN server instance then has a unique IP address in the subnet.
So, for example, for subnet 10.8.0.0/24, you would have the following in configuration:
And for subnet 10.8.1.0/24, you would have:
After this, you can set up firewall rules between these subnets.
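The layout the answer describes (one server instance per /24, each owning an address in its own subnet, then FORWARD rules between the subnets), as an added example that is not code from the question or the answer: a POSIX shell script that generates the per-instance server configs and the firewall rules from a small table. The subnet-to-device table, the tun device names, the extra UDP ports, the allow list and the ccd-<device> directory names are assumptions made for the example; the key file paths are the ones from the question. The script only prints text, so it runs without root and nothing is applied.

```shell
#!/bin/sh
# Added example (not from the question or the answer): one OpenVPN instance per
# /24, each on its own tun device and UDP port, so each instance owns the .1
# address of its subnet. FORWARD rules are matched on both tun devices.
# Table, allow list, device names and ports are assumptions (constructed).

# Assumed instance table (constructed): "<network> <tun device> <udp port>"
SUBNETS='10.8.0.0 tun0 1194
10.8.1.0 tun1 1195
10.8.2.0 tun2 1196'

# Assumed allow list (constructed): "<src network> <dst network>".
# The last pair names a network no instance serves, to show the skip path.
ALLOW='10.8.0.0 10.8.1.0
10.8.0.0 10.8.2.0
10.8.1.0 10.8.2.0
10.8.1.0 10.9.1.0'

# Look up the tun device that serves a /24 network; prints nothing if unknown
dev_for_net() {
    printf '%s\n' "$SUBNETS" | awk -v net="$1" '$1 == net { print $2; exit }'
}

# Print the server config for one instance: network, device, port.
# Key material paths are the ones from the question's openvpn.conf.
gen_server_conf() {
    net=$1; dev=$2; port=$3
    printf 'port %s\nproto udp\ndev %s\n' "$port" "$dev"
    printf 'ca ./keys/ca.crt\ncert ./keys/hub.crt\nkey ./keys/hub.key\ndh ./keys/dh1024.pem\n'
    # This instance takes the first host address (net.1) of its own subnet
    printf 'server %s 255.255.255.0\n' "$net"
    # client-to-client stays disabled so inter-client traffic crosses FORWARD
    printf '# client-to-client\n'
    printf 'client-config-dir ccd-%s\n' "$dev"
    # The kernel already routes each subnet to its own tun device; the clients
    # still need to learn the other subnets, so push those routes
    printf '%s\n' "$SUBNETS" | while read -r other_net other_dev other_port; do
        [ "$other_net" = "$net" ] && continue
        printf 'push "route %s 255.255.255.0"\n' "$other_net"
    done
    printf 'keepalive 10 120\npersist-key\npersist-tun\n'
    printf 'status openvpn-status-%s.log\nverb 3\n' "$dev"
}

# Print the FORWARD rules: default DROP, return traffic, one ACCEPT per allowed
# pair matched on both ingress and egress device, then a rate-limited LOG so
# that rejected inter-subnet attempts show up in the kernel log.
gen_forward_rules() {
    printf 'iptables -F FORWARD\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    printf '%s\n' "$ALLOW" | while read -r src dst; do
        sdev=$(dev_for_net "$src"); ddev=$(dev_for_net "$dst")
        if [ -z "$sdev" ] || [ -z "$ddev" ]; then
            printf '# skipped %s -> %s: no instance serves one of these networks\n' "$src" "$dst"
            continue
        fi
        printf 'iptables -A FORWARD -i %s -o %s -s %s/24 -d %s/24 -j ACCEPT\n' \
            "$sdev" "$ddev" "$src" "$dst"
    done
    printf 'iptables -A FORWARD -i tun+ -m limit --limit 5/min -j LOG --log-prefix "VPN-FWD-DROP: "\n'
}

# Stand-alone run: print every instance config, then the firewall script
printf '%s\n' "$SUBNETS" | while read -r net dev port; do
    printf '### server-%s.conf\n' "$dev"
    gen_server_conf "$net" "$dev" "$port"
    printf '\n'
done
printf '### firewall.sh\n'
gen_forward_rules
```

Because every subnet sits on its own tun device, each ACCEPT can name both the ingress and the egress interface, which is tighter than the question's `-i tun0` rules where every client shares one device. A pair whose network is served by no instance (10.9.1.0 in the example) is emitted as a comment instead of a rule, and the trailing LOG line makes dropped inter-subnet attempts visible without changing the DROP policy.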