Prevent the client routing table modification during OpenVPN connection

hiton
OpenVpn Newbie
Posts: 2
Joined: Mon Oct 16, 2017 4:34 pm

Prevent the client routing table modification during OpenVPN connection

Post by hiton » Mon Oct 16, 2017 5:05 pm

Hello,
I set up an OpenVPN server for my company for remote access to many internal networks.
I have configured 3 instances on the OpenVPN server because we have 3 different types of access, which correspond to 3 different population types with different access rights.

The OpenVPN server is not the client's default gateway because only the traffic to my company's internal networks passes through the OpenVPN server. Internet traffic passes through the client's default gateway (Internet access provider).
So the OpenVPN server pushes the static routes for the internal networks into the client routing table, but the pushed routes are different for the 3 OpenVPN instances because the access rights are different.
This provides a first layer of security using routing alone.

But the client can still modify his routing table and manually add routes for the other internal networks which are not pushed for his OpenVPN instance.

Is there a function in OpenVPN which can disconnect a client if his routing table is modified during the VPN connection?
Or is there a way/a function in OpenVPN which prevents/forbids the client from manually modifying his routing table? (add/delete route, etc.)

Thank you in advance for your help.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Prevent the client routing table modification during OpenVPN connection

Post by TinCanTech » Mon Oct 16, 2017 5:20 pm

hiton wrote:
Mon Oct 16, 2017 5:05 pm
Is there a function in OpenVPN which can disconnect a client if his routing table is modified during the VPN connection?
No.
hiton wrote:
Mon Oct 16, 2017 5:05 pm
Or is there a way/a function in OpenVPN which prevents/forbids the client from manually modifying his routing table?
No.

The standard method would be to configure iptables rules to allow your preferred access.
https://openvpn.net/index.php/open-sour ... tml#policy
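
An added example, not part of the original posts: one way to enforce the three access levels on the server with iptables, so that a route added by hand on the client leads only to dropped packets. The tun device names, subnets and the VPN_POLICY chain name are constructed sample values, and the rest of the FORWARD chain is assumed to handle traffic that does not arrive from a VPN interface.

```shell
#!/bin/sh
# Constructed policy table, one line per OpenVPN instance:
#   tun device | client pool of that instance | internal networks it may reach
# Every device name and subnet here is a made-up sample value.
POLICY='tun0|10.8.1.0/24|192.168.10.0/24 192.168.20.0/24 192.168.30.0/24
tun1|10.8.2.0/24|192.168.10.0/24 192.168.20.0/24
tun2|10.8.3.0/24|192.168.10.0/24'

# Print the iptables commands instead of running them, so the rule set
# can be reviewed before it is applied (pipe the output to sh as root).
gen_rules() {
    # Dedicated chain for everything that enters through any tun device.
    echo "iptables -N VPN_POLICY"
    echo "iptables -A FORWARD -i tun+ -j VPN_POLICY"
    # Client replies on connections opened from the internal side.
    echo "iptables -A VPN_POLICY -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$POLICY" | while IFS='|' read -r dev pool nets; do
        for net in $nets; do
            # Match device AND source pool, so an address borrowed from
            # another instance's pool does not widen the access.
            echo "iptables -A VPN_POLICY -i $dev -s $pool -d $net -j ACCEPT"
        done
    done
    # Default deny: a client that adds a route to a network its instance
    # does not push still sends packets here, and they are dropped.
    echo "iptables -A VPN_POLICY -j DROP"
}

gen_rules
```

With this in place the pushed routes only tell the client which networks it can usefully reach; the access decision is made on the server, outside the client's control.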

hiton
OpenVpn Newbie
Posts: 2
Joined: Mon Oct 16, 2017 4:34 pm

Re: Prevent the client routing table modification during OpenVPN connection

Post by hiton » Wed Oct 18, 2017 3:22 pm

OK, thank you!
I think it could be an interesting feature for future versions of OpenVPN :)
Indeed I have no choice; I will configure iptables rules to allow each access.
