Restricting access for specific user (No internet)

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.


Johnnyjohnny
OpenVpn Newbie

Restricting access for specific user (No internet)

Post by Johnnyjohnny » Mon Nov 03, 2014 9:16 pm

Hi

I have been scratching my head quite a lot the last few hours, experimenting a lot, trying to restrict access for a specific user.

What I want to achieve:
I have an ex who I used to live with, and she had specific data in a database hosted on my server. Now that we have separated I was thinking of allowing her to access her data, since she lacks the equipment to run a 24/7 server.

However, if I allow her to connect to my network then I want to block access to the internet and other LAN hosts, except the server where the database is, which happens to be the VPN server itself (local IP 192.168.1.123).

I added a user with a fixed IP different from my other OpenVPN users (10.8.2.5 instead of 10.8.0.x).
This is where my trouble starts a bit. I figured out I should block with iptables; however, I have only successfully blocked access to the specific host (192.168.1.123) rather than blocking the internet or other hosts on the network.

I tried with
sudo iptables -A INPUT -s 10.8.2.5 -j DROP
sudo iptables -A OUTPUT -d 10.8.2.5 -j DROP

But this only ended up blocking 192.168.1.123 rather than the rest of the LAN.

Since I'm running a NAT server I have run masquerade, and I have a feeling it is one of the core issues here. The commands issued at boot are:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.123
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So am I running in circles here, or just thinking wrong? Is it even possible with my current setup?

Internet is accessed from router at 192.168.1.1

Traffic
OpenVPN Protagonist

Re: Restricting access for specific user (No internet)

Post by Traffic » Mon Nov 03, 2014 10:54 pm

If you have one specific user who you want to control access for, the ONLY way you can do that with OpenVPN itself is to run a server for that single user and configure it appropriately.

Otherwise, you will have to use your firewall (iptables etc) to control their access.

I have exactly the same requirement (although for a far less emotive reason) and I run a single server/client VPN for that single user and it works well. Although, for security reasons it is still necessary to implement some firewall rules to ensure a smart user does not have the ability to modify their routing and gain access beyond what you have agreed to.
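Added example (written for this thread, not code posted by either participant) that puts both posts together: a client-config-dir entry that pins the restricted user to a fixed tunnel address, and the firewall rules that stop that address reaching anything but the VPN host. The reason the INPUT/OUTPUT rules in the first post only affected 192.168.1.123 is that those chains see traffic addressed to, or sent by, the server host itself; packets for other LAN hosts or the internet are routed through the box and traverse the FORWARD chain instead. Filter rules match the tunnel source address before SNAT/MASQUERADE rewrites it, so the NAT rules in the first post do not get in the way. Everything concrete here is assumed: the restricted client's common name is "ex", its address is 10.8.2.5 (with 10.8.2.6 as the server end, the pairing the default net30 topology expects), the single-user server instance uses tun1, the ccd directory is /etc/openvpn/ccd, and the database port passed in the usage line is just a placeholder.

```shell
#!/bin/sh
# Added example for this thread; not from either post. All names and
# addresses are assumptions: client "ex" at 10.8.2.5/10.8.2.6 on tun1,
# ccd directory /etc/openvpn/ccd. Set DRY_RUN=1 to print the iptables
# commands instead of executing them (no root or iptables needed).

# Wrapper so the rules can be previewed without touching the live firewall.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Pin one client to a fixed tunnel address via client-config-dir. OpenVPN
# drops packets from a client whose source address is not the one assigned
# to it, so the firewall rules below can safely match on that address.
# Usage: write_ccd <ccd-dir> <common-name> <client-ip> <peer-ip-or-netmask>
# The 4th argument is the point-to-point peer for net30 topology, or the
# netmask for "topology subnet".
write_ccd() {
  ccd_dir="$1"; cn="$2"; client_ip="$3"; peer="$4"
  mkdir -p "$ccd_dir"
  printf 'ifconfig-push %s %s\n' "$client_ip" "$peer" > "$ccd_dir/$cn"
  echo "$ccd_dir/$cn"
}

# Restrict one tunnel client to the VPN host itself. Routed traffic (other
# LAN hosts, the internet) goes through FORWARD, so that is where it must
# be dropped; INPUT only governs traffic addressed to the server host.
# Usage: restrict_client <tun-interface> <client-ip> [allowed-tcp-port]
# With a port given, the client may only reach that TCP port on the host.
restrict_client() {
  tun="$1"; client_ip="$2"; port="${3:-}"
  # Refuse to route anything this client sends, ahead of any ACCEPT rule.
  ipt -I FORWARD 1 -i "$tun" -s "$client_ip" -j DROP
  # And refuse to route anything towards it from the LAN or the internet.
  ipt -I FORWARD 1 -o "$tun" -d "$client_ip" -j DROP
  if [ -n "$port" ]; then
    # Insert DROP first, then the ACCEPT above it, so the final order is
    # ACCEPT (port) then DROP (everything else from this client).
    ipt -I INPUT 1 -i "$tun" -s "$client_ip" -j DROP
    ipt -I INPUT 1 -i "$tun" -s "$client_ip" -p tcp --dport "$port" -j ACCEPT
  fi
}

# Apply only when explicitly asked: ./restrict.sh apply [db-port]
case "${1:-}" in
  apply)
    write_ccd /etc/openvpn/ccd ex 10.8.2.5 10.8.2.6 >/dev/null
    restrict_client tun1 10.8.2.5 "${2:-}"
    ;;
esac
```

Run it as `DRY_RUN=1 sh restrict.sh apply 3306` to review the exact rules before applying them for real. Two caveats a practitioner would add: the rules are inserted at position 1, so they win over any existing ACCEPT rules but will not survive a reboot unless the script runs at boot alongside the NAT rules; and the ccd pinning plus the server-side source-address check is what makes matching on 10.8.2.5 trustworthy, since a client that edits its own routing table still cannot change the address OpenVPN accepts from it.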
