-
brunobronosky
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Feb 09, 2017 7:26 pm
Post
by brunobronosky » Tue Jun 06, 2017 7:15 pm
With this combination I was expecting that testuser with IP 172.141.127.1 would be prevented from reaching my servers on 172.31.x.x
Code:
/etc/openvpn $ cat ccd/testuser
ifconfig-push 172.141.127.1 172.141.127.2
/etc/openvpn $ sudo iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 LOG all -- 172.141.127.0/24 0.0.0.0/0 LOG flags 0 level 4 prefix `** ONO **'
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 172.141.127.1 172.128.1.0/24 tcp
2 REJECT tcp -- 172.141.127.0/24 0.0.0.0/0 tcp reject-with icmp-host-prohibited
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT all -- 172.31.0.0/16 0.0.0.0/0
5 ACCEPT tcp -- 172.127.0.0/20 172.31.6.110 tcp dpt:22
6 REJECT tcp -- 172.127.0.0/20 0.0.0.0/0 tcp dpt:22 reject-with icmp-host-prohibited
7 ACCEPT all -- 172.127.0.0/20 0.0.0.0/0
8 ACCEPT tcp -- 172.141.0.0/17 172.31.6.110 tcp dpt:22
9 REJECT tcp -- 172.141.0.0/17 0.0.0.0/0 tcp dpt:22 reject-with icmp-host-prohibited
10 ACCEPT all -- 172.141.0.0/17 0.0.0.0/0
11 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
What am I missing?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Tue Jun 06, 2017 7:51 pm
brunobronosky wrote:
/etc/openvpn $ cat ccd/testuser
ifconfig-push 172.141.127.1 172.141.127.2
Are you sure that is what you want ?
-
TiTex
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Post
by TiTex » Wed Jun 07, 2017 5:03 am
your rules are evaluated in the order they appear in the chain (if the first rule accepts the connection, and the second one doesn't ... the connection will be allowed), so you should put them in a manner that makes sense
these are not private IP ranges
172.141.0.0/17
172.128.1.0/24
172.127.0.0/20
-
brunobronosky
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Feb 09, 2017 7:26 pm
Post
by brunobronosky » Fri Jun 09, 2017 7:46 pm
TiTex wrote:
your rules are evaluated in the order they appear in the chain (if the first rule accepts the connection, and the second one doesn't ... the connection will be allowed), so you should put them in a manner that makes sense
Doesn't this make sense?
Code:
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 172.141.127.1 172.128.1.0/24 tcp
2 REJECT tcp -- 172.141.127.0/24 0.0.0.0/0 tcp reject-with icmp-host-prohibited
To me this means:
Rule 1 will accept connections from 172.141.127.1 to 172.128.1.0-172.128.1.255. If that doesn't match the condition...
Rule 2 will reject connections from 172.141.127.1 (or any other 172.141.127.0-172.141.127.255) to any other destination.
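To check TiTex's ordering point and brunobronosky's reading of rules 1 and 2 against the full chain, here is an added example (not code from either poster) that walks the FORWARD chain from the first post top to bottom, first match wins, for a few constructed packets. It treats RELATED the same as ESTABLISHED and assumes an unanswered packet is in state NEW.

```python
from ipaddress import ip_address, ip_network

# Rules 1-11 of the FORWARD chain from the first post, in chain order.
# A field left out of a rule matches anything (iptables' 0.0.0.0/0 / any proto).
FORWARD = [
    dict(target="ACCEPT", proto="tcp", src="172.141.127.1/32", dst="172.128.1.0/24"),
    dict(target="REJECT", proto="tcp", src="172.141.127.0/24"),
    dict(target="ACCEPT", state={"RELATED", "ESTABLISHED"}),
    dict(target="ACCEPT", src="172.31.0.0/16"),
    dict(target="ACCEPT", proto="tcp", src="172.127.0.0/20", dst="172.31.6.110/32", dport=22),
    dict(target="REJECT", proto="tcp", src="172.127.0.0/20", dport=22),
    dict(target="ACCEPT", src="172.127.0.0/20"),
    dict(target="ACCEPT", proto="tcp", src="172.141.0.0/17", dst="172.31.6.110/32", dport=22),
    dict(target="REJECT", proto="tcp", src="172.141.0.0/17", dport=22),
    dict(target="ACCEPT", src="172.141.0.0/17"),
    dict(target="REJECT"),
]


def matches(rule, pkt):
    """True when every field the rule specifies matches the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "state" in rule and pkt.get("state", "NEW") not in rule["state"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    for key in ("src", "dst"):
        if key in rule and ip_address(pkt[key]) not in ip_network(rule[key]):
            return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides: returns (target, 1-based rule number),
    or (chain policy, None) when nothing matched."""
    for num, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule["target"], num
    return policy, None


if __name__ == "__main__":
    # Constructed packets from the test client 172.141.127.1.
    for pkt in [dict(proto="tcp", src="172.141.127.1", dst="172.31.6.110", dport=22),
                dict(proto="tcp", src="172.141.127.1", dst="172.128.1.5", dport=80),
                dict(proto="icmp", src="172.141.127.1", dst="172.31.6.110"),
                dict(proto="udp", src="172.141.127.1", dst="172.31.6.110", dport=53)]:
        print(pkt["proto"], pkt["dst"], "->", verdict(FORWARD, pkt))
```

The walk shows that rule 2 does stop TCP from the test client, but because it is a tcp-only REJECT, ICMP and UDP from that client fall through to rule 10 (ACCEPT from 172.141.0.0/17) and reach 172.31.x.x anyway; a ping test would therefore look like the filter is not working.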
-
brunobronosky
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Feb 09, 2017 7:26 pm
Post
by brunobronosky » Tue Jun 13, 2017 1:29 pm
Somehow, just changing the IPs to the actual RFC1918 private space, and removing the CIDR masks fixed it.
Code:
ACCEPT tcp -- 172.30.127.9 172.29.0.1 tcp
REJECT tcp -- 172.30.127.9 0.0.0.0/0 tcp reject-with icmp-host-prohibited
Now the client with 172.30.127.9 can only reach the machine 172.29.0.1. I also confirmed that when you put
Code:
ifconfig-push 172.30.127.9 172.30.127.10
in a CCD file, it is the first IP that you use for filtering.