Restrict OpenVPN in bridged mode (tap) to access only local LAN devices

Scripts that set up, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

gotenks
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 16, 2018 1:39 pm

Restrict OpenVPN in bridged mode (tap) to access only local LAN devices

Post by gotenks » Thu Oct 18, 2018 1:09 pm

We are using OpenVPN in bridged mode

Server conf
server-bridge 172.20.20.10 255.255.255.0 172.20.20.100 172.20.20.150
verb 3
key /etc/openvpn/pki/private/xxxx.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/xxxx.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
port 1194
dev tap0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DOMAIN xxx.ltd"
push "dhcp-option DNS 172.20.20.4"
push "comp-lzo no"

### Extra Configurations Below
client-to-client
topology subnet


As you can see, we are not using the redirect-gateway option, so clients are not pushed the gateway route. Anyway, this can easily be bypassed by client configuration. How can we use iptables to allow VPN clients to communicate only with local LAN devices (in the 172.20.20.x network)?

I suppose we have to change our iptables rules, which currently are as follows:

Code: Select all

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

gotenks
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 16, 2018 1:39 pm

Re: Restrict OpenVPN in bridged mode (tap) to access only local LAN devices

Post by gotenks » Fri Oct 19, 2018 1:28 pm

Solved:

Code: Select all

# default-deny for traffic to the server and for traffic forwarded through it
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
# bridged frames only traverse FORWARD when br_netfilter is loaded and
# net.bridge.bridge-nf-call-iptables=1; VPN clients may then reach the LAN only
iptables -A FORWARD -i br0 -d 172.20.20.0/24 -j ACCEPT
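The following script is an added example for the question in the first post and the rules in the reply above; it is not code from either poster. It keeps the interface names and LAN range from the thread (br0, tap0, 172.20.20.0/24) and assumes a Linux server where br_netfilter is available. Two points the posted rules leave implicit: frames bridged between tap0 and the LAN port bypass iptables entirely until bridge-nf-call-iptables is enabled, and once it is, bridged packets appear in FORWARD and INPUT with `-i br0`, so `-i tap0` matches nothing and the physdev match on the ingress bridge port is what identifies VPN clients.

```shell
#!/bin/sh
# Added example, not code from the original thread. Restricts OpenVPN tap
# clients on a bridged server to the LAN only. Names from the thread: bridge
# br0, OpenVPN interface tap0, LAN 172.20.20.0/24.

BRIDGE="${BRIDGE:-br0}"
VPN_TAP="${VPN_TAP:-tap0}"
LAN_NET="${LAN_NET:-172.20.20.0/24}"
# Set IPT=dry_run to print the rules instead of applying them (no root needed).
IPT="${IPT:-iptables}"

dry_run() { printf 'iptables %s\n' "$*"; }

# Frames bridged between tap0 and the LAN port are switched at layer 2 and
# never reach iptables unless br_netfilter is loaded and
# bridge-nf-call-iptables is on. Without this the FORWARD rules below never
# see VPN client traffic, however they are written.
enable_bridge_netfilter() {
    modprobe br_netfilter 2>/dev/null || true
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# FORWARD rules for bridged VPN clients. With br_netfilter active, bridged
# packets show up in FORWARD with -i br0 and -o br0, so "-i tap0" cannot
# tell VPN clients from LAN hosts; "-m physdev --physdev-in tap0" matches on
# the bridge port the frame actually entered through.
vpn_lan_rules() {
    # replies to flows the rules below already admitted
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VPN clients may open connections to LAN addresses only. The match is on
    # the IP destination, so a client that points its default route at a LAN
    # host (bypassing the absent redirect-gateway push) still has its
    # Internet-bound packets dropped: their destination is not in LAN_NET.
    $IPT -A FORWARD -m physdev --physdev-in "$VPN_TAP" -d "$LAN_NET" -j ACCEPT
    # everything else a VPN client sends across the bridge is logged and dropped
    $IPT -A FORWARD -m physdev --physdev-in "$VPN_TAP" -j LOG --log-prefix "vpn-lan-deny: "
    $IPT -A FORWARD -m physdev --physdev-in "$VPN_TAP" -j DROP
}

# Usage (as root):  sh vpn-lan-restrict.sh apply
# Print only:       sh vpn-lan-restrict.sh print
case "${1:-}" in
    apply) enable_bridge_netfilter; vpn_lan_rules ;;
    print) IPT=dry_run; vpn_lan_rules ;;
esac
```

Dropping with an explicit physdev rule rather than a FORWARD DROP policy leaves any other traffic crossing br0 untouched, so the restriction applies only to the VPN side. The same physdev match is needed on INPUT if the server itself should be reachable from VPN clients only on selected ports. This covers IPv4 only: bridge-nf-call-ip6tables plus matching ip6tables rules (or an ebtables rule dropping other ethertypes from tap0) is needed, otherwise clients can still send IPv6 across the bridge. Verify after applying with `iptables -L FORWARD -v -n` and a connection attempt from a client to a non-LAN address, which should appear in the kernel log with the vpn-lan-deny prefix.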
