I am trying to set up access rules that are specific to client certificate names. I want to restrict traffic for some VPN users so that they can only get to one server on our 192.168.1.0/24 subnet.
I have been trying the howto here:
http://openvpn.net/index.php/open-sourc ... tml#policy
But no luck. Here's the server config:
local 192.168.1.140
port 1194
proto udp
dev tun0 #static device to iptables rule sets
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ifconfig 10.8.0.1 10.8.0.2 #server tun0 ip
push "route 192.168.1.12 255.255.255.255"
push "route 192.168.40.5 255.255.255.255"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
push "route 192.168.40.0 255.255.255.0"
push "dhcp-option DNS 192.168.40.5"
keepalive 10 120
comp-lzo
daemon
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log 5
status-version 2
log-append /etc/openvpn/openvpn.log
verb 4
management localhost 7505
route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0
client-config-dir ccd
An example file from ccd:
ifconfig-push 10.8.2.1 10.8.2.2
iroute 192.168.1.12 255.255.255.255 #Destination server
iroute 192.168.40.5 255.255.255.255 #DNS Server
iptables commands:
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 192.168.1.12 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 192.168.40.5 -j ACCEPT
The client connection still allows traffic to all subnets with the server configured like this.
Thanks for your consideration.
Client specific access rules
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- Forum Team
- Posts: 117
- Joined: Tue Jun 09, 2009 4:25 pm
- Location: St. Louis, MO USA
Re: Client specific access rules
Never mind, I got the access rules working. It was caused by my iptables setup, I needed all my allow statements before any drop or deny statements.
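The ordering problem described in this reply comes from iptables' first-match semantics: the chain is walked top to bottom and the first matching terminating target (ACCEPT or DROP) decides the packet, so an ACCEPT placed after a catch-all DROP is never reached. The following added example (written for this page, not code from the thread or from OpenVPN) models a FORWARD chain with that semantics, using the two ACCEPT rules from the original post. The catch-all `DROP` rule on tun0 is an assumption, since the post does not show the drop/deny rules that were in the way; the packet tuples are constructed test input.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A packet as the FORWARD chain sees it: (ingress interface, source IP, destination IP).
Packet = Tuple[str, str, str]


@dataclass(frozen=True)
class Rule:
    """One FORWARD-chain rule; every field that is set must match (like -i / -s / -d)."""
    target: str                     # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None  # -i
    src: Optional[str] = None       # -s, CIDR or single host
    dst: Optional[str] = None       # -d, CIDR or single host

    def matches(self, pkt: Packet) -> bool:
        iface, src, dst = pkt
        if self.in_iface is not None and iface != self.in_iface:
            return False
        if self.src is not None and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(dst) not in ip_network(self.dst):
            return False
        return True


def to_iptables(rule: Rule) -> str:
    """Render a rule as the 'iptables -A FORWARD ...' line that would install it."""
    parts = ["iptables", "-A", "FORWARD"]
    if rule.in_iface is not None:
        parts += ["-i", rule.in_iface]
    if rule.src is not None:
        parts += ["-s", rule.src]
    if rule.dst is not None:
        parts += ["-d", rule.dst]
    parts += ["-j", rule.target]
    return " ".join(parts)


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First-match evaluation: the first rule that matches decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The two ACCEPT rules from the original post.
ACCEPTS = [
    Rule("ACCEPT", in_iface="tun0", src="10.8.2.0/24", dst="192.168.1.12"),
    Rule("ACCEPT", in_iface="tun0", src="10.8.2.0/24", dst="192.168.40.5"),
]

# Assumed catch-all deny for VPN traffic (the thread does not show the actual drop rule).
CATCHALL_DROP = Rule("DROP", in_iface="tun0")

# Broken ordering: the DROP shadows every ACCEPT that follows it.
BROKEN_CHAIN = [CATCHALL_DROP] + ACCEPTS
# Fixed ordering, as the poster found: all allows first, then the deny.
FIXED_CHAIN = ACCEPTS + [CATCHALL_DROP]


def is_reachable(chain: List[Rule], src: str, dst: str, iface: str = "tun0") -> bool:
    """True if a packet from src to dst arriving on iface would be forwarded."""
    return verdict(chain, (iface, src, dst)) == "ACCEPT"


if __name__ == "__main__":
    # Constructed sample flows from a client in the restricted 10.8.2.0/24 pool.
    flows = [("10.8.2.2", "192.168.1.12"), ("10.8.2.2", "192.168.40.5"), ("10.8.2.2", "192.168.2.10")]
    for name, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        for src, dst in flows:
            print(f"{name:6} {src} -> {dst}: {verdict(chain, ('tun0', src, dst))}")
    print("\nRules in working order:")
    for rule in FIXED_CHAIN:
        print(to_iptables(rule))
```

Running the script shows the same client flow dropped under the broken chain and accepted under the fixed one, while traffic from that pool to any other pushed subnet (192.168.2.0/24 here) still hits the deny. The same first-match rule is why `iptables -I FORWARD` (insert at top) rather than `-A` (append) is often the simpler way to add an allow to a chain that already ends in a deny.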
-
- Forum Team
- Posts: 285
- Joined: Wed Aug 27, 2008 2:41 am
Re: Client specific access rules
Congrats on getting it fixed.
What OS was the server running?
-
- Forum Team
- Posts: 117
- Joined: Tue Jun 09, 2009 4:25 pm
- Location: St. Louis, MO USA
Re: Client specific access rules
OpenSUSE 11.1