Client specific access rules

george
Forum Team
Posts: 117
Joined: Tue Jun 09, 2009 4:25 pm
Location: St. Louis, MO USA

Client specific access rules

Post by george » Tue Jun 16, 2009 5:45 pm

I am trying to set up access rules that are specific to client certificate names. I want to restrict traffic for some VPN users so that they can only get to one server on our 192.168.1.0/24 subnet

I have been trying the howto here:
http://openvpn.net/index.php/open-sourc ... tml#policy

But no luck. Here's the server config:

local 192.168.1.140
port 1194
proto udp
dev tun0 #static device to iptables rule sets
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ifconfig 10.8.0.1 10.8.0.2 #server tun0 ip
push "route 192.168.1.12 255.255.255.255"
push "route 192.168.40.5 255.255.255.255"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
push "route 192.168.40.0 255.255.255.0"
push "dhcp-option DNS 192.168.40.5"
keepalive 10 120
comp-lzo
daemon
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log 5
status-version 2
log-append /etc/openvpn/openvpn.log
verb 4
management localhost 7505

route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0

client-config-dir ccd


An example file from ccd:

ifconfig-push 10.8.2.1 10.8.2.2
iroute 192.168.1.12 255.255.255.255 #Destination server
iroute 192.168.40.5 255.255.255.255 #DNS Server

iptables commands:

iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 192.168.1.12 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 192.168.40.5 -j ACCEPT

The client connection still allows traffic to all subnets with the server configured like this.

Thanks for your consideration.

george
Forum Team
Posts: 117
Joined: Tue Jun 09, 2009 4:25 pm
Location: St. Louis, MO USA

Re: Client specific access rules

Post by george » Mon Jun 22, 2009 2:31 pm

Never mind, I got the access rules working. It was caused by my iptables setup; I needed all my allow statements before any drop or deny statements.
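
The ordering problem george describes, as an added example that is not part of the thread: a small first-match simulator for the iptables FORWARD chain, using the client pool and destination addresses from the posts. The catch-all DROP rule, the `check_policy` helper and the sample packets are assumptions for illustration, not taken from the page.

```python
"""
First-match simulation of an iptables FORWARD chain (added example,
not george's ruleset). Addresses come from the thread; the catch-all
DROP rule and the test packets are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


def make_rule(in_iface, src, dst, target):
    # A rule is (input interface or None, source net, destination net, target)
    return (in_iface, ip_network(src), ip_network(dst), target)


# The two ACCEPT rules posted in the thread ...
ACCEPT_RULES = [
    make_rule("tun0", "10.8.2.0/24", "192.168.1.12/32", "ACCEPT"),
    make_rule("tun0", "10.8.2.0/24", "192.168.40.5/32", "ACCEPT"),
]
# ... and an assumed catch-all DROP for everything else coming in on tun0.
DROP_ALL = [make_rule("tun0", "0.0.0.0/0", "0.0.0.0/0", "DROP")]

# Drop listed before the allows (what broke it) vs. allows first (the fix).
BROKEN_CHAIN = DROP_ALL + ACCEPT_RULES
FIXED_CHAIN = ACCEPT_RULES + DROP_ALL


def forward_verdict(chain, in_iface, src, dst, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides,
    as netfilter does. Packets matching nothing get the chain policy."""
    s, d = ip_address(src), ip_address(dst)
    for iface, src_net, dst_net, target in chain:
        if iface is not None and iface != in_iface:
            continue
        if s in src_net and d in dst_net:
            return target
    return policy


def check_policy(chain):
    """Verdicts for a restricted client (10.8.2.2) reaching the permitted
    server, the permitted DNS host, and an unrelated internal subnet."""
    return {
        "to_server": forward_verdict(chain, "tun0", "10.8.2.2", "192.168.1.12"),
        "to_dns": forward_verdict(chain, "tun0", "10.8.2.2", "192.168.40.5"),
        "to_other": forward_verdict(chain, "tun0", "10.8.2.2", "192.168.2.10"),
    }


if __name__ == "__main__":
    print("drop first :", check_policy(BROKEN_CHAIN))
    print("allow first:", check_policy(FIXED_CHAIN))
```

With the DROP rule first, every packet from the client hits it before the ACCEPT rules are reached; with the ACCEPT rules first, only the two permitted destinations pass and everything else falls through to DROP.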

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Client specific access rules

Post by Douglas » Tue Jul 07, 2009 1:04 am

Congrats on getting it fixed.

What OS was the server running?

george
Forum Team
Posts: 117
Joined: Tue Jun 09, 2009 4:25 pm
Location: St. Louis, MO USA

Re: Client specific access rules

Post by george » Tue Jul 07, 2009 12:16 pm

OpenSUSE 11.1
