Here is the thing I suddenly found:
- I set up a Linux-based router for the network; the LAN is 10.10.10.0/24.
- I set up an OpenVPN server on this router; the client network is 10.10.20.0/24.
OpenVPN clients should only see some hosts on the LAN: say, client1 should see 10.10.10.18 only, while client2 should be able to see 10.10.10.8/29. So I put that setting in the server's per-user files. And it works pretty well.
But then a "too wise" client1 managed to cheat by executing some kind of 'route add 10.10.10.0/24 10.10.20.1' command on his computer. And it worked for him!
In such a setup, it would be messy to manually maintain per-user firewall rules on the router (sure, I can assign static IPs to client1 and client2 and then filter their traffic). Is there any more automatic way to accomplish that?
Thank you in advance!
Manual route on client permits to see other hosts?
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Mar 29, 2012 6:46 am
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Manual route on client permits to see other hosts?
Nope, this requires a VPN-server-side firewall rule; it *is* possible to automatically add and remove such routes whenever a particular client connects, but it requires some scripting.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Oct 18, 2012 6:15 pm
Re: Manual route on client permits to see other hosts?
You might add a push route option on the server to install a route with a metric of zero that would reject routes to the network.
But I know that can be deleted by the bad user. It's a cat-and-mouse game; sometimes the best way is to tell him to stop, or 'else'.
Honestly, a firewalling rule is the best bet. There are a lot of tools available to help without doing it by hand.
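Added example (not posted by anyone in the thread): a sketch of the server-side scripting the replies point to, written as an OpenVPN `learn-address` hook that turns a per-client policy into default-deny iptables rules keyed on whatever VPN address the client was given, so routes added on the client side no longer matter. The `VPN_FWD` chain name, the policy table and the client address 10.10.20.6 used to exercise it are assumptions; the server would reference the script with `learn-address` and `script-security 2`.

```shell
#!/bin/sh
# learn-address hook sketch: OpenVPN calls it as  <op> <address> [<common name>]
# with op = add | update | delete. It prints iptables commands (dry run);
# pipe the output to "sh" as root to apply them.
# Assumed, not from the thread: chain VPN_FWD already exists and is reached
# from FORWARD for traffic sourced from 10.10.20.0/24.

# Constructed policy using the thread's example: common name -> allowed LAN targets.
policy() {
    case "$1" in
        client1) echo "10.10.10.18" ;;
        client2) echo "10.10.10.8/29" ;;
        *)       echo "" ;;   # unknown client: nothing allowed
    esac
}

teardown() {   # $1 = VPN address, $2 = chain name
    echo "iptables -D VPN_FWD -s $1 -j $2"
    echo "iptables -F $2"
    echo "iptables -X $2"
}

rules_for() {  # $1 = op, $2 = VPN address, $3 = common name (absent on delete)
    # The address is interpolated into commands, so accept digits and dots only.
    case "$2" in
        ''|*[!0-9.]*) echo "refusing address: $2" >&2; return 1 ;;
    esac
    chain="vpn_$(printf '%s' "$2" | tr . _)"
    case "$1" in
        delete) teardown "$2" "$chain" ;;
        add|update)
            # An update may carry a new common name: rebuild the chain from scratch.
            if [ "$1" = update ]; then teardown "$2" "$chain"; fi
            echo "iptables -N $chain"
            for dst in $(policy "$3"); do
                echo "iptables -A $chain -d $dst -j ACCEPT"
            done
            echo "iptables -A $chain -j DROP"      # default deny for this client
            echo "iptables -A VPN_FWD -s $2 -j $chain"
            ;;
        *) echo "unknown operation: $1" >&2; return 1 ;;
    esac
}

# Run only when OpenVPN (or a tester) passes arguments.
if [ $# -ge 2 ]; then rules_for "$@"; fi
```

The common name is only matched against the policy table and never placed into a command, and a client with no policy entry gets a chain containing nothing but the DROP rule.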