How to allow server's subnet to access VPN network?

Post by alexisfrjp » Mon May 03, 2021 10:29 am

* Server as central VPN gateway; it shares its private LAN subnet with a few trusted clients.
* Client A shares its private LAN subnet 192.168.164.0/24 with all the other clients; it's configured as a "VPN Gateway" for its private LAN subnet.
* Client A isn't allowed to access (= to initiate connections to) other VPN clients or other private LAN subnets. It's only a "slave/server" device. I don't fully trust this computer or its subnet.
* Client B is the master client; it can access everything, but nothing can access it.

Should VPN clients have access to private subnets (non-public networks on the server side)? = No.
Private Routed Subnets (Optional) is empty. (I don't understand the meaning of that field.)

Client B User's Access Control has the server's private LAN subnet (to have the route added and the forward/firewall rule)
=> Client B can access all the computers of the server's subnet.
=> But all the computers of the server's subnet can't access (initiate connections to) the VPN subnet or Client A's subnet.

Packets are dropped in
Chain AS0_OUT_POST (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000000/0x2000000
56 4704 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

How can I achieve that without allowing all the VPN clients to see/access the server's subnet by setting "Should VPN ..."?

It seems I need to set lots of custom manual firewall/forward rules.
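As an added diagnostic (my own code, not part of the post or of Access Server): parse `iptables -nvL` output like the AS0_OUT_POST listing above and flag catch-all DROP rules whose packet counters are nonzero, to confirm which chain is discarding the LAN-to-VPN traffic before writing any custom forward rules. The sample listing is reconstructed from the post; counter suffixes (K/M/G) are handled as `iptables -nvL` prints them.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AS0_OUT_POST chain from the post, in `iptables -nvL` layout.
SAMPLE = """Chain AS0_OUT_POST (2 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000000/0x2000000
   56  4704 DROP   all -- * * 0.0.0.0/0 0.0.0.0/0
"""

@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    source: str
    destination: str
    extra: str  # match extensions after the destination column, e.g. "mark match ..."

def parse_count(token: str) -> int:
    """iptables -nvL abbreviates large counters as 12K / 3M / 1G."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)

def parse_chains(text: str) -> list[Rule]:
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        if not fields or fields[0] == "pkts":  # blank line or column header
            continue
        # Columns: pkts bytes target prot opt in out source destination [extra...]
        rules.append(Rule(chain, parse_count(fields[0]), fields[2],
                          fields[7], fields[8], " ".join(fields[9:])))
    return rules

def silent_drops(rules: list[Rule]) -> list[Rule]:
    """Catch-all DROPs (any src, any dst, no match extension) that have actually fired."""
    return [r for r in rules
            if r.target == "DROP" and r.source == "0.0.0.0/0"
            and r.destination == "0.0.0.0/0" and not r.extra and r.pkts > 0]

if __name__ == "__main__":
    for r in silent_drops(parse_chains(SAMPLE)):
        print(f"{r.chain}: catch-all DROP has discarded {r.pkts} packets")
```

Run it against the full `iptables -nvL` dump to see which of the AS0_* chains is dropping; the mark-match ACCEPT above it shows that only packets carrying the 0x2000000 mark pass, which is what the Access Server ACL machinery sets for permitted flows.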
