1 openvpn instance with multiple ip segment (restricted route)

bluerain
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 07, 2017 2:41 pm

1 openvpn instance with multiple ip segment (restricted route)

Post by bluerain » Fri Jul 07, 2017 2:46 pm

I'm trying to set up an OpenVPN server which would support multiple IP segments, such as:
10.10.8.xxx
10.10.9.xxx
10.10.10.xxx

I know how to assign a static IP to each user, which would enable me to assign a group of users to be on 10.10.8.xxx and 10.10.9.xxx

But I want to restrict users who are on the same segment so they can ONLY access their own segment. Which means if a user logs in as 10.10.8.1, it cannot talk to 10.10.9.1

Now I know I can set up 3 OpenVPN instances for this. But is there a way to set up 1 OpenVPN instance to support this? Is there some sort of configuration I can do in OpenVPN to "restrict" a client to ONLY talk within its OWN SEGMENT?

TinCanTech
OpenVPN Protagonist
Posts: 2828
Joined: Fri Jun 03, 2016 1:17 pm

Re: 1 openvpn instance with multiple ip segment (restricted route)

Post by TinCanTech » Fri Jul 07, 2017 2:52 pm

bluerain wrote: Is there some sort of configuration I can do in OpenVPN to "restrict" a client to ONLY talk within its OWN SEGMENT?
There are numerous ways ..

You could start with this one:
https://openvpn.net/index.php/open-sour ... tml#policy

bluerain
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 07, 2017 2:41 pm

Re: 1 openvpn instance with multiple ip segment (restricted route)

Post by bluerain » Fri Jul 07, 2017 3:18 pm

Thank you very much for the info. Yes, I searched on the internet and ran into that link, but what I took from the link is that I modify my server.conf file to have:

client-config-dir /etc/openvpn/StaticIP
server 10.8.0.0 255.255.0.0
route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client

Originally I didn't have the lines "route 10.8.1.0" and "route 10.8.2.0", but either way that didn't work. Under the folder "StaticIP" I have two files which assign the users their own IP; the content of each file is:

User 1:
ifconfig-push 10.8.1.1 10.8.1.254

User 2:
ifconfig-push 10.8.2.2 10.8.2.254


Thus when user 1 logs in it is assigned the IP 10.8.1.1 and user 2 is assigned 10.8.2.2, but I'm still stuck with 10.8.1.1 being able to PING 10.8.2.2...

TinCanTech
OpenVPN Protagonist
Posts: 2828
Joined: Fri Jun 03, 2016 1:17 pm

Re: 1 openvpn instance with multiple ip segment (restricted route)

Post by TinCanTech » Fri Jul 07, 2017 4:11 pm

bluerain wrote:User 1:
ifconfig-push 10.8.1.1 10.8.1.254

User 2:
ifconfig-push 10.8.2.2 10.8.2.254
You need to brush up on your IPv4 subnetting ..

I would also advise you take some time to read the entire Howto.

For further help please see :
HOWTO: Request Help ! {2}

bluerain
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 07, 2017 2:41 pm

Re: 1 openvpn instance with multiple ip segment (restricted route)

Post by bluerain » Fri Jul 07, 2017 4:36 pm

So here is some more information according to your "How to"

Linux OpenVPN 3.13.0-117-generic #164~precise1-Ubuntu SMP Mon Apr 10 16:16:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

ifconfig:

eth0 Link encap:Ethernet HWaddr 00:15:5d:02:10:16
inet addr:192.168.2.170 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::215:5dff:fe02:1016/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10938989 errors:0 dropped:20 overruns:0 frame:0
TX packets:280575 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:718272945 (718.2 MB) TX bytes:52581914 (52.5 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:6053 errors:0 dropped:0 overruns:0 frame:0
TX packets:6053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:474859 (474.8 KB) TX bytes:474859 (474.8 KB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.5.1 P-t-P:10.10.5.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2345 (2.3 KB) TX bytes:168 (168.0 B)

So with that, sorry, I'm not sure what you mean by brushing up on my IP subnetting. On the command "ifconfig-push 10.8.1.1 10.8.1.254",
doesn't that simply state the "user" will get assigned 10.8.1.1 and then the OpenVPN server is 10.8.1.254? I mean I have both users logging in without any error and the server is running fine. The only issue is I don't want 10.8.1.1 to be able to ping 10.8.2.1.

The link you sent me, I read it already, but it seems the purpose of the example is to have "restricted" access to the server-side LAN 10.66.4.xxx according to which 10.8.xxx.xxx user logs in.

That is NOT what I'm trying to accomplish. Actually I DON'T even want the users to have access to our server-side network (see ifconfig above) of 192.168.2.xxx AT ALL.

My purpose in setting up this OpenVPN is NOT to have clients access OUR internal LAN at all. The purpose of this OpenVPN is simply a way for different groups of people (remote to our office) to communicate with each other when they are at various locations. But I don't want "group A" to be able to see/communicate with "group B" nor any other group.

I'm sorry, but I am not a Linux buff nor do I work much with Linux; most of the time I'm just reading blogs and following what they do, that's all. My boss just wants me to make this work ASAP, so I just need some very straightforward help, if possible.

thank you.

bluerain
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 07, 2017 2:41 pm

Re: 1 openvpn instance with multiple ip segment (restricted route)

Post by bluerain » Fri Jul 07, 2017 4:43 pm

So just to add, the reason I started getting into OpenVPN is that we have these VoIP phones (Grandstream); it seems they support OpenVPN, they have client software built in.

We have customers that want to get phone systems where their PBX (main phone switch) is at location "A" and they have VoIP phones all over the place (not in location "A"). So they want to be able to have those VoIP phones log in to the PBX via the public internet (behind a firewall). They do not have any knowledge or know-how to set up a static IP or open firewall ports/port forwarding/NAT, blah blah blah. So the simplest way is to set up an OpenVPN server on our end so that their devices can log in and the devices can talk to each other. Obviously, this project is NOT just for 1 single customer. It is for multiple customers (and it can grow big fast, e.g. hundreds of customers). Thus, obviously I don't want "customer A" to be able to "see" "customer B" devices. Thus I need to assign different IP segments for different customers and CANNOT ALLOW them to see each other.

Again, I know I can set up different OpenVPN instances per "segment", but I don't want to be running hundreds of instances, that would be crazy...

Thank you!

TinCanTech
OpenVPN Protagonist
Posts: 2828
Joined: Fri Jun 03, 2016 1:17 pm

Re: 1 openvpn instance with multiple ip segment (restricted route)

Post by TinCanTech » Fri Jul 07, 2017 6:07 pm

bluerain wrote: I'm not sure what you mean by brushing up on my IP subnetting. On the command "ifconfig-push 10.8.1.1 10.8.1.254",
doesn't that simply state the "user" will get assigned 10.8.1.1 and then the OpenVPN server is 10.8.1.254?
No and NO! .. See your own server config for details.

You clearly do not understand subnetting or any of OpenVPN's topology models.
See --topology in The Manual v24x
bluerain wrote: I know I can set up different OpenVPN instances per "segment", but I don't want to be running hundreds of instances, that would be crazy...
That is not the only crazy thing here ..
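
The thread leaves two things unresolved: how the server.conf and CCD files bluerain posted should be laid out so the addressing is valid, and how one instance can keep customer groups apart from each other and from the server LAN. The script below is an added example written for this page; it is neither the poster's configuration nor code from the OpenVPN project. It assumes a constructed addressing plan (one /16 pool, one /24 per customer, group names "customer-a" and "customer-b", tunnel interface tun0) and models the approach the HOWTO's policy section takes: leave `client-to-client` out so every packet between clients is routed by the server kernel, then let the FORWARD chain accept only traffic that stays inside one group's /24 and drop everything else arriving on the tunnel, which also covers the 192.168.2.0/24 LAN from the ifconfig output. It also generates `ifconfig-push` lines that respect the /30 pairing `--topology net30` requires (.1/.2, .5/.6, ...), which is the subnetting point raised in the replies, and the netmask form used by `--topology subnet`. The `forward_allowed` function is a model of the generated policy so it can be checked without loading rules into a kernel.

```python
"""Per-customer isolation on a single OpenVPN instance (constructed example, not the project's code)."""
import ipaddress

# Constructed addressing plan, modelled on the server.conf posted in the thread:
# one /16 pool, one /24 per customer group, and the server LAN that must stay unreachable.
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")
SERVER_LAN = ipaddress.ip_network("192.168.2.0/24")   # server-side LAN from the ifconfig output
TUN = "tun0"                                          # assumed tunnel interface name
GROUPS = {                                            # assumed group names and /24s
    "customer-a": ipaddress.ip_network("10.8.1.0/24"),
    "customer-b": ipaddress.ip_network("10.8.2.0/24"),
}


def net30_pair(group_net, index):
    """Client/server endpoint pair for the index-th client of a group under --topology net30.

    net30 carves the address space into /30 blocks; the usable pair in each block is
    block+1 (client) and block+2 (server-side endpoint): .1/.2, .5/.6, .9/.10 and so on.
    A pair like 10.8.1.1/10.8.1.254 spans many /30s and is not a valid net30 link.
    """
    base = int(group_net.network_address) + 4 * index
    client = ipaddress.ip_address(base + 1)
    peer = ipaddress.ip_address(base + 2)
    if peer not in group_net:
        raise ValueError(f"index {index} exhausts {group_net}")
    return str(client), str(peer)


def ccd_entry(group, index, topology="net30"):
    """Contents of the client-config-dir file for one client of `group`."""
    net = GROUPS[group]
    if topology == "net30":
        client, peer = net30_pair(net, index)
        return f"ifconfig-push {client} {peer}"
    if topology == "subnet":
        # Under --topology subnet the second argument is the netmask of the whole VPN subnet.
        client = net.network_address + (index + 1)
        if client not in net or client == net.broadcast_address:
            raise ValueError(f"index {index} exhausts {net}")
        return f"ifconfig-push {client} {VPN_POOL.netmask}"
    raise ValueError(f"unknown topology {topology!r}")


def server_conf(topology="net30"):
    """Server directives for the isolation setup.

    client-to-client is deliberately absent: with it, OpenVPN switches traffic between
    clients internally and the kernel firewall never sees those packets.
    """
    return [
        f"server {VPN_POOL.network_address} {VPN_POOL.netmask}",
        f"topology {topology}",
        "client-config-dir /etc/openvpn/StaticIP",
        "ccd-exclusive",   # a client with no CCD file is refused instead of landing in an arbitrary group
        "ifconfig-pool-persist ipp.txt",
    ]


def iptables_rules(groups=GROUPS, tun=TUN):
    """FORWARD-chain rules: intra-group tunnel traffic only; everything else from the tunnel is dropped."""
    rules = [
        f"iptables -A FORWARD -i {tun} -o {tun} -s {net} -d {net} -m comment --comment {name} -j ACCEPT"
        for name, net in groups.items()
    ]
    # The final DROP catches cross-group traffic and anything aimed at SERVER_LAN or beyond.
    rules.append(f"iptables -A FORWARD -i {tun} -j DROP")
    return rules


def forward_allowed(src, dst, groups=GROUPS):
    """Model of the rules above for a packet entering on the tunnel:
    True only when source and destination belong to the same group."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d in net for net in groups.values())


if __name__ == "__main__":
    print("\n".join(server_conf()))
    print("# StaticIP/<customer-a client 1>:", ccd_entry("customer-a", 0))
    print("# StaticIP/<customer-b client 1>:", ccd_entry("customer-b", 0))
    print("\n".join(iptables_rules()))
    print("10.8.1.1 -> 10.8.1.5 allowed:", forward_allowed("10.8.1.1", "10.8.1.5"))
    print("10.8.1.1 -> 10.8.2.2 allowed:", forward_allowed("10.8.1.1", "10.8.2.2"))
```

The kernel only applies the FORWARD chain when routing is enabled (`net.ipv4.ip_forward=1`), and the `server` directive already installs a route for the whole 10.8.0.0/16 on the tunnel, so the per-group `route` lines in the posted config add nothing. The server's own net30 endpoint (10.8.0.1/10.8.0.2, as in the thread's tun0 output) sits in 10.8.0.0/24, outside every group, so it is never matched by an ACCEPT rule as a forwarding destination.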
