Iptables – OpenVPN: how to filter clients

Tags: filtering, firewall, iptables, openvpn

I have a problem with limiting "clients" on my VPN server.
I was reading the FAQ about using iptables with the client-to-client option disabled, but I cannot get it to run.

The question is how to correctly allow a chosen client to communicate with other networks.

Here is my openvpn.conf:

    port 1194
    proto udp
    dev tun

    ca ./keys/ca.crt
    cert ./keys/hub.crt
    key ./keys/hub.key  # This file should be kept secret
    dh ./keys/dh1024.pem

    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt

    ### ADD ROUTES FOR OTHER IP

    route 10.8.1.0 255.255.255.0
    route 10.8.2.0 255.255.255.0
    route 10.8.3.0 255.255.255.0
    route 10.9.1.0 255.255.255.0

    push "route 10.8.1.0 255.255.255.0"
    push "route 10.8.2.0 255.255.255.0"
    push "route 10.8.3.0 255.255.255.0"
    push "route 10.9.1.0 255.255.255.0"

    # IF YOU WANT TO DISABLE CLIENT-TO-CLIENT CONNECTIONS, JUST LEAVE THE HASH IN FRONT OF THE OPTION
    # client-to-client
    # CLIENTS USE THEIR OWN CONFIG DIRECTORY
    client-config-dir ccd

    keepalive 10 120
    comp-lzo
    max-clients 200
    persist-key
    persist-tun
    status openvpn-status.log
    log         openvpn.log
    log-append  openvpn.log
    verb 3
    mute 20
    management localhost 7505

In the ccd directory:

client A has the line

    ifconfig-push 10.8.1.9 10.8.1.10

client B has the line

    ifconfig-push 10.8.2.1 10.8.2.2

The administrator gets an IP from the server range 10.8.0.0.

etc.

Assume I created a firewall to choose which clients are able to communicate with each other:

    ### firewall.sh
    # Enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # This will clear all rules from FORWARD
    iptables -F FORWARD
    # Set the default policy to drop all packets.
    # After executing this command, the clients
    # shouldn't be able to reach each other anymore
    iptables -P FORWARD DROP
    # Allow all active connections to pass
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Sysadmin rules - the administrator gets full access
    iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.1.0/24 -j ACCEPT
    iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.2.0/24 -j ACCEPT
    iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.3.0/24 -j ACCEPT
    iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.9.1.0/24 -j ACCEPT
    # Client rules
    iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.9.1.0/24 -j ACCEPT
    iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.8.3.0/24 -j ACCEPT
    # Specific client access
    iptables -A FORWARD -i tun0 -s 10.8.3.5 -d 10.8.2.1 -j ACCEPT

Unfortunately these rules do not work.

So the final question: where was I making a mistake?

Best Answer

You cannot make this network setup using the ccd feature, because your OpenVPN server needs to have an address in each subnet you want to use.

You should run multiple copies of OpenVPN, one for each /24 subnet that you are using. Each OpenVPN server instance then has a unique IP address in the subnet.

So, for example, for subnet 10.8.0.0/24, you would have the following in the configuration:

    server 10.8.0.0 255.255.255.0

And for subnet 10.8.1.0/24, you would have:

    server 10.8.1.0 255.255.255.0

After this, you can set up firewall rules between these subnets.
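The firewall stage the answer ends with, as an added example that is not the question's or the answer's own script. It assumes one OpenVPN instance per /24, each on its own tun device; the device names tun0..tun3 and the subnet-to-subnet policy are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the question's or the answer's own script. It assumes the
# layout the answer recommends: one OpenVPN instance per /24, each on its own
# tun device. The device names (tun0..tun3) and the subnet policy are constructed.
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of loading them

# Every subnet now enters the host on its own tun device, so each rule matches
# the ingress device of its source subnet: a client on another instance cannot
# reach the destination by spoofing a source address from an allowed range.
allow() {   # allow DEV SRC DST
    "$IPT" -A FORWARD -i "$1" -s "$2" -d "$3" -m conntrack --ctstate NEW -j ACCEPT
}

apply_forward_policy() {
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Administrators (10.8.0.0/24 on tun0) reach every client subnet
    for net in 10.8.1.0/24 10.8.2.0/24 10.8.3.0/24; do
        allow tun0 10.8.0.0/24 "$net"
    done
    # Client subnet 10.8.2.0/24 (tun2) may open connections to 10.8.3.0/24
    allow tun2 10.8.2.0/24 10.8.3.0/24
    # One host on tun3 may reach one host on tun2; 10.8.1.0/24 gets no rule at all
    allow tun3 10.8.3.5 10.8.2.1
    # Log (rate limited) what the DROP policy is about to discard between tunnels
    "$IPT" -A FORWARD -i tun+ -o tun+ -m limit --limit 5/min \
        -j LOG --log-prefix "vpn-fwd-drop: "
}

# sh firewall.sh apply   -> enable routing and load the rules (as root)
# sh firewall.sh preview -> print the rules that would be loaded
case "${1:-}" in
    apply)   sysctl -w net.ipv4.ip_forward=1 && apply_forward_policy ;;
    preview) IPT=echo; apply_forward_policy ;;
esac
```

Dropped cross-tunnel packets show up in the kernel log with the `vpn-fwd-drop:` prefix, which is the first place to look when a client cannot reach a subnet it should.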
