Site-to-Site connection

This is where we can discuss what we would like to see added or changed in OpenVPN.


j2k
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 05, 2016 9:16 pm

Site-to-Site connection

Post by j2k » Tue Jan 05, 2016 9:28 pm

Hello
I'm looking for a solution to a problem I'm facing, hopefully you can help.
I have a few clients and I would like to monitor some of the devices via SNMP. I don't want to do this over the internet, I want to do this via a VPN for security reasons.
Each of the clients has an OpenVPN server, set up and running for their staff to work remotely.
I would like to set up a VPN connection having them as a client and me as the server, so I can monitor several devices in different locations. I want to be able to connect to them via VNC too for support reasons; each of them has TightVNC on their computers and currently I have to VPN into each site, so I know VNC works.
What I don't want is for the clients to see each other; I want to restrict the traffic through the VPN to ports 21, 22, 161 and 5800. Internet traffic should just flow out as normal.
Do I start multiple VPN connections out of my office to them so I'm the client, or do I set them as the client and me as the server? Remembering that I don't want them to see each other, client-to-client might have to be switched off, but then how do I VNC to them?
Hopefully I'm making sense and I haven't lost anyone along the way.
It's late here so I'm off for some rest, but I will reply as soon as I can to anyone willing to help me.
Thanks!

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Site-to-Site connection

Post by krzee » Mon Jan 11, 2016 9:55 pm

With the "client-to-client" option, packets from one client to another are routed inside the server process. Without it, packets leave the server process, hit the kernel (firewall, routing table) and, if allowed by the firewall and routed back to the server process, they go to the client.

If you want to run a server and have them be clients, then simply do not use client-to-client and configure the firewall to allow forwarding for the limited client-to-client traffic that you wish to allow.

You will want to:
put your client that gets special privileges on a static IP using a ccd entry with ifconfig-push in it, and make static firewall rules for that static VPN IP
(this is the easier, and more common, method)
OR
leave the special client on a dynamic IP and make dynamic firewall rules using a learn-address script
(in your case this is less likely to be the solution you want, but I include it for future web searchers that see this post ;) )
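As an added illustration of the first (static IP) approach above, not code from the thread or from the OpenVPN project: a small POSIX shell script that writes the ccd entry and prints the iptables FORWARD rules for the four ports j2k listed. Assumed values are the tun0 interface, a 10.8.0.0/24 VPN subnet with `topology subnet`, and a monitoring client whose certificate CN is `monitor-office`, pinned to 10.8.0.100; the server config is assumed to contain `client-config-dir ccd` and to NOT contain `client-to-client`, with IP forwarding enabled on the server.

```shell
#!/bin/sh
# Added example (not from the thread): pin the monitoring client to a static VPN
# address with a ccd entry, then emit static FORWARD rules that only let that
# address reach the other clients on the ports j2k listed. Because the server
# runs WITHOUT "client-to-client", inter-client packets traverse the kernel's
# FORWARD chain (tun0 -> tun0), which is where these rules take effect.
# Rules are printed, not applied, so they can be reviewed before use.

VPN_IF=tun0                     # assumed server tun interface
VPN_NET=10.8.0.0/24             # assumed "server 10.8.0.0 255.255.255.0"
MON_CN=monitor-office           # assumed certificate CN of the monitoring client
MON_IP=10.8.0.100               # static VPN address handed out via ifconfig-push
ALLOWED_PORTS="21 22 161 5800"  # ports from j2k's post

# ccd/<CN>: with "topology subnet", ifconfig-push takes address and netmask.
write_ccd() {
  ccd_dir=$1
  mkdir -p "$ccd_dir"
  printf 'ifconfig-push %s 255.255.255.0\n' "$MON_IP" > "$ccd_dir/$MON_CN"
}

# Transport for each port: SNMP (161) is UDP, the others are TCP.
port_proto() {
  case "$1" in 161) echo udp ;; *) echo tcp ;; esac
}

# FORWARD rules for traffic that enters and leaves on the VPN interface,
# i.e. client-to-client traffic routed by the kernel.
gen_forward_rules() {
  # replies to connections the monitoring client opened
  echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for p in $ALLOWED_PORTS; do
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $MON_IP -d $VPN_NET -p $(port_proto "$p") --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # everything else between clients is dropped, so the sites never see each other
  echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -j DROP"
}

# Usage: sh openvpn-monitor-rules.sh /etc/openvpn/ccd
if [ -n "${1:-}" ]; then
  write_ccd "$1"
  gen_forward_rules
fi
```

The destinations here are the other clients' VPN addresses; reaching LANs behind those clients would additionally need the usual route/iroute setup, which is outside what the thread covers.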
