Manual route on client permits to see other hosts?

[achekalin]

Here is the thing I suddenly found:
- I set up linux-based router for the network; the LAN is 10.10.10.0/24
- I set up OpenVPN server on this router; the client network is 10.10.20.0/24.

OpenVPN clients should only see some hosts on LAN: say, client1 should see 10.10.10.18 only, while client2 should be able to see 10.10.10.8/29. So I put that setting in server's per-user files. And it works pretty well.

But then "too wise" client1 managed to cheat by executing some kind of 'route add 10.10.10.0/24 10.10.20.1' command on his computer. And it worked for him!

In such a setup, it would be messy to manually have per-user firewall rules on router (sure I can assign static IP to client1 and client2 and the filter their traffic), is there any more automatic way to accomplish that?

Thank you in advance!

[janjust]

nope, this requires a vpnserver-side firewall rule; it *is* possible to automatically add and remove such routes whenever a particular client connects, but it requires some scripting.

[danz]

You might add a push route option on the server to install a route with a metric of zero that would reject routes to the network.

But I know that can be deleted by the bad user. It's a cat-and-mouse game, sometimes the best way is to tell him to stop, or 'else'.

Honestly, a firewalling rule is the best bet. There's lot of tools available to help without doing it by hand.