Access policies
Posted: Wed May 08, 2019 1:51 am
There are "secure" and "insecure" clients in my VPN (10.8.0.0/24). Now all the clients have access to each other. To improve security I need to restrict access to all but one peer (10.8.0.6) for "insecure" clients, while the "secure" clients should retain access to the entire subnet (10.8.0.0/24).
I was following the instructions in Configuring client-specific rules and access policies, but can't make it work: somehow all requests to 10.8.0.6 from 10.8.1.0/24 time out.
To make things worse, the access to existing client configs is very limited, and I can't change the IP address of 10.8.0.6.
Server Config

```
port 1194
proto tcp6
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
route 10.8.1.0 255.255.255.0
client-config-dir ccd
```

Server-side client config (ccd/insecure0):

```
ifconfig-push 10.8.1.1 10.8.1.2
route 10.8.0.6 255.255.255.255
iroute 10.8.0.6 255.255.255.255
```

Client config

```
client
dev tun
proto tcp
remote ********************
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
ca ca.crt
cert insecure0.crt
key insecure0.key
```
```
/etc/openvpn# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.8.1.0/24          10.8.0.6
ACCEPT     all  --  10.8.0.6             10.8.1.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
/etc/openvpn#
```
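As an added example (not from the post or the OpenVPN HOWTO), the following Python models the FORWARD chain above as first-match rules, shows that the posted chain restricts nothing because its policy is ACCEPT, builds a default-DROP chain for the stated policy, and emits the matching iptables commands. It assumes peer traffic actually passes through the kernel, i.e. `client-to-client` is removed from the server config as the HOWTO section the post cites recommends, since OpenVPN's internal client-to-client switching never reaches the FORWARD chain; the client addresses used in the checks are constructed.

```python
"""Offline model of the FORWARD chain for the access policy in the post.
Networks are from the post; the client addresses checked below are constructed."""
import ipaddress

SECURE = ipaddress.ip_network("10.8.0.0/24")    # "secure" clients
INSECURE = ipaddress.ip_network("10.8.1.0/24")  # "insecure" clients (ifconfig-push range)
PEER = ipaddress.ip_network("10.8.0.6/32")      # the one peer insecure clients may reach

# A chain is (default policy, [(src_net, dst_net, target), ...]) in first-match order.
POSTED_CHAIN = ("ACCEPT", [(INSECURE, PEER, "ACCEPT"), (PEER, INSECURE, "ACCEPT")])
# Same intent with a default-DROP policy: insecure clients reach 10.8.0.6 only, secure
# clients keep all of 10.8.0.0/24; replies are admitted by the conntrack rule below.
HARDENED_CHAIN = ("DROP", [(INSECURE, PEER, "ACCEPT"), (SECURE, SECURE, "ACCEPT")])

def verdict(chain, src, dst):
    """Return the target the chain gives a new packet from src to dst."""
    policy, rules = chain
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in rules:
        if s in src_net and d in dst_net:
            return target
    return policy

def iptables_script(chain, dev="tun0"):
    """Emit the iptables commands that install the chain on the tun device."""
    policy, rules = chain
    lines = [f"iptables -P FORWARD {policy}", "iptables -F FORWARD",
             f"iptables -A FORWARD -i {dev} -o {dev} -m conntrack "
             "--ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src_net, dst_net, target in rules:
        lines.append(f"iptables -A FORWARD -i {dev} -o {dev} "
                     f"-s {src_net} -d {dst_net} -j {target}")
    return lines

def check_policy(chain):
    """Evaluate the stated policy on constructed flows; return the flows that fail."""
    expected = [("10.8.1.1", "10.8.0.6", "ACCEPT"),   # insecure -> allowed peer
                ("10.8.1.1", "10.8.0.5", "DROP"),     # insecure -> other secure client
                ("10.8.1.1", "10.8.1.5", "DROP"),     # insecure -> another insecure client
                ("10.8.0.10", "10.8.0.5", "ACCEPT")]  # secure -> secure
    return [(s, d) for s, d, want in expected if verdict(chain, s, d) != want]

if __name__ == "__main__":
    print("posted chain fails on:", check_policy(POSTED_CHAIN))
    print("\n".join(iptables_script(HARDENED_CHAIN)))
```

Run it to see which constructed flows the posted chain wrongly admits and the command list for the default-DROP chain; `iptables -L -v` after applying should show the counters on the `-s 10.8.1.0/24 -d 10.8.0.6` rule increasing when an insecure client talks to the peer.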