EDIT: I know that learn-address is what I would need to use to call a script (as specified in the openvpn-netfilter project) to set the firewall rules. I guess my question is more related to the config.ovpn script. How do you configure the client.ovpn files to simultaneously learn which routes to the user needs, while also keeping Internet traffic to the user's ISP?
I have a question about how to do per user firewall rules, while also not routing Internet traffic through an OpenVPN server. I'm trying to setup a VPN server for a group of friends and I as we work on a project. I will implement something like this Github project: https://github.com/gdestuynder/openvpn-netfilter. This will enable the VPN server to lookup ACLs for a user, and implement them using iptables on the server side. All other traffic would be dropped.
For my own personal home VPN, I know I can use the following in my client.ovpn config to not route Internet traffic through the VPN:
route-nopull
route 192.168.1.0 255.255.255.0
Where 192.168.1.0/24 is my home subnet, and 10.8.0.0/24 (not shown) is the DHCP IP range of the tun adapter. I know placing that in the client's configuration overrides the server setting push "redirect-gateway def1 bypass-dhcp".
This is where I get confused: I already know my home subnet is 192.168.1.0/24, so I can easily place that in the client.ovpn file. But if I have no knowledge of the subnets/IPs I have access to (as most users don't), how does OpenVPN dynamically push per user VPN rules to the client?
In other words, if user1 has acess to 10.0.0.2 and 10.0.2.10 and user2 has access to 10.0.2.10 and 10.0.3.4, how does OpenVPN know to push the right routes to each user, while using the same generic client.ovpn configuration?
Best Answer
You can push individual openvpn directives to your clients using client specific configuration files in the client-config-dir.
In the server config file include the directive:
and create this directory in case it does not already exist in your openvpn path, for example:
Now create a config file per client in the
ccddirectory having the same name as the client's X509 common name. The following options are legal in a client-specific context:push,push-reset,iroute,ifconfig-push, andconfig.For example to push routes to a client with CN
user1in his certificate:For this to work you need to pull configuration directives on your clients from the server using the
pulldirective.You may have the directive
clientin your client-config, which is a helper directive and expands as follows:Do not use
route-nopullin combination as it would stop the client pulling routes. If you needredirect-gatewayon certain clients to route all traffic through the VPN subnet, you can place this directive just in those client configuration files and not in your server config file for all clients. Theredirect-gatewaydirective automatically executes routing commands to cause all outgoing IP traffic to be redirected over the VPN. See man page.