restricting access for openvpn client and its subnets

Scripts that set up, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

ginga
OpenVpn Newbie
Posts: 5
Joined: Sat May 25, 2013 2:36 pm

Post by ginga » Tue Feb 09, 2016 10:06 pm

Hi,

I have a fixed IP client with the following ccd config:

# ccd file for the fixed-IP client: pushed VPN address and the LAN behind it
ifconfig-push 10.8.0.6 10.8.0.7
iroute 10.10.10.0 255.255.255.0

Now I want other VPN clients to freely access 10.8.0.6 and its subnet 10.10.10.0.
The 10.8.0.6 client and any underlying subnet must not be able to initiate new connections to VPN clients.
To achieve this I can configure iptables with something like the following:

# drop connections initiated from the client's VPN address, to the server and through it
iptables -A INPUT   -s 10.8.0.6 -m state --state NEW -j DROP
iptables -A FORWARD -s 10.8.0.6 -m state --state NEW -j DROP
# same for the subnet behind that client
iptables -A INPUT   -s 10.10.10.0/24 -m state --state NEW -j DROP
iptables -A FORWARD -s 10.10.10.0/24 -m state --state NEW -j DROP

I am not in control of 10.8.0.6. What will happen if the client links to a new subnet, e.g. 11.11.11.0, and adds a few routing lines to see the VPN network?
Is there a way to drop all new packets that travel from/via 10.8.0.6?

Thanks!

Cheers,
Gin
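One way to keep the firewall in step with whatever addresses the server has actually associated with that client, as an added example that is not part of the original post or of OpenVPN's own scripts: a learn-address hook. OpenVPN runs the configured script with the operation (add, update or delete), the address (the client's pushed VPN IP or a subnet from an iroute line) and, for add and update, the client's certificate common name. The script below inserts the same NEW-state DROP rules for each address learned for one common name and removes them when that address is deleted. The common name restricted-client, the script path, and the DRY_RUN switch used for testing without root are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: an OpenVPN learn-address hook.
# Assumed server-side configuration (placeholder path):
#   script-security 2
#   learn-address /etc/openvpn/learn-address.sh
# OpenVPN invokes the hook as:
#   learn-address.sh <add|update|delete> <address> [common_name]
# where <address> is the client's VPN IP (10.8.0.6) or an iroute'd subnet
# (10.10.10.0/24); common_name is supplied only for add and update.

RESTRICTED_CN="${RESTRICTED_CN:-restricted-client}"  # assumed CN of the restricted client
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-}"   # non-empty: print the iptables commands instead of running them

# Run (or, in dry-run mode, print) one iptables command line.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Block connections *initiated* from $1 (-m conntrack --ctstate NEW is the
# modern spelling of -m state --state NEW), both to the server itself (INPUT)
# and to anything routed through it (FORWARD). Replies to connections opened
# by other VPN clients are ESTABLISHED/RELATED and still pass.
# $2 is the iptables action: -I to insert, -D to delete.
apply_rules() {
    addr=$1
    action=$2
    run "$action" INPUT   -s "$addr" -m conntrack --ctstate NEW -j DROP
    run "$action" FORWARD -s "$addr" -m conntrack --ctstate NEW -j DROP
}

# Entry point taking OpenVPN's three arguments. Returns 0 so the address is
# always accepted; only the firewall state changes.
learn_address() {
    op=$1
    addr=$2
    cn=$3
    case "$op" in
        add|update)
            # Only addresses belonging to the restricted certificate get rules.
            [ "$cn" = "$RESTRICTED_CN" ] || return 0
            # "update" re-learns an address: remove old copies so rules never pile up.
            if [ "$op" = update ]; then
                apply_rules "$addr" -D 2>/dev/null || true
            fi
            apply_rules "$addr" -I
            ;;
        delete)
            # No common name on delete; -D simply fails if no rule exists.
            apply_rules "$addr" -D 2>/dev/null || true
            ;;
        *)
            echo "learn-address: unknown operation '$op'" >&2
            return 1
            ;;
    esac
    return 0
}

# Dispatch only when invoked by OpenVPN (or by hand) with arguments, e.g.
#   DRY_RUN=1 sh learn-address.sh add 10.10.10.0/24 restricted-client
if [ "$#" -ge 2 ]; then
    learn_address "$@"
fi
```

Because rules are created only for addresses the server hands to the hook, they cover exactly the pushed IP and the iroute'd subnets of that certificate and nothing else; a subnet the client routes on its own side without a matching iroute line is never passed to the hook, so the question of what the server does with such traffic remains with OpenVPN's own handling rather than with these rules.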
