Restricting Internet access through VPN

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
pacsd
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 11, 2021 11:35 pm

Restricting Internet access through VPN

Post by pacsd » Thu May 19, 2022 1:39 am

Requirements:
- users should access only some IPs from the LAN, but their Internet traffic should not be redirected through VPN.

Implementation without using iptables for future flexibility :
topology subnet
push "topology subnet"
ifconfig 10.10.0.1 255.255.255.0
push "route-gateway 10.10.0.1"
client-config-dir /etc/openvpn/server/ccd


# Making sure to comment redirect-gateway
;push "redirect-gateway def1 bypass-dhcp"
;push "redirect-gateway def1"
;push "redirect-gateway local def1"


#CCD file for USER1
# Fixed IP allocation
ifconfig-push 10.10.0.21 255.255.255.0
# Server
push "route 192.168.1.2 255.255.255.255"
# Printer
push "route 192.168.1.55 255.255.255.255"


Problem:
Everything works well on Windows computers and they can access only the pushed routes BUT the Linux computers completely ignore these rules and they can access the entire LAN and redirect all their traffic (Internet included) through VPN.

Does anyone know why it happens and how could be fixed ? Thank you.

User avatar
TinCanTech
Forum Team
Posts: 10814
Joined: Fri Jun 03, 2016 1:17 pm

Re: Restricting Internet access through VPN

Post by TinCanTech » Thu May 19, 2022 7:29 am

All OpenVPN provides is a VPN. Therefore, you must use iptables on the server to control access.

Think of it this way: The client can edit their config file and change anything they like ..

pacsd
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 11, 2021 11:35 pm

Re: Restricting Internet access through VPN

Post by pacsd » Thu May 19, 2022 7:48 pm

TinCanTech wrote:
Thu May 19, 2022 7:29 am
All OpenVPN provides is a VPN. Therefore, you must use iptables on the server to control access.

Think of it this way: The client can edit their config file and change anything they like ..
I understand the clients can do their own changes, but they must know first what changes to do (and what IPs).
Any idea why Linux completely ignored these commands and behaved so differently compared to Windows ?

User avatar
TinCanTech
Forum Team
Posts: 10814
Joined: Fri Jun 03, 2016 1:17 pm

Re: Restricting Internet access through VPN

Post by TinCanTech » Thu May 19, 2022 8:01 pm

pacsd wrote:
Thu May 19, 2022 7:48 pm
Any idea why Linux completely ignored these commands and behaved so differently compared to Windows ?
You are mistaken. Linux does not ignore commands unless you tell it to do so.

viewtopic.php?t=22603

pacsd
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 11, 2021 11:35 pm

Re: Restricting Internet access through VPN

Post by pacsd » Fri May 20, 2022 12:20 am

TinCanTech wrote:
Thu May 19, 2022 8:01 pm
You are mistaken. Linux does not ignore commands unless you tell it to do so.
I have tested on several computers and, for some reason, Linux ignores the rules.

Here is how I set the server:
---------START server config---------
mode server
port 1194
proto udp4
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem

topology subnet
push "topology subnet"
ifconfig 10.10.0.1 255.255.255.0
push "route-gateway 10.10.0.1"
ifconfig-pool 10.10.0.2 10.10.0.20 255.255.255.0
client-config-dir /etc/openvpn/server/ccd

ifconfig-pool-persist /etc/openvpn/server/ipp.txt

push "dhcp-option WINS 192.168.1.2"

crl-verify /etc/openvpn/server/crl.pem

remote-cert-tls client
cipher AES-256-GCM
auth SHA256

tls-server
tls-auth /etc/openvpn/server/ta.key 0
tls-version-min 1.2

comp-lzo
keepalive 15 120

user nobody
group nogroup
persist-key
persist-tun

verb 5

---------END server config---------

with CCD for userX as:
# Fixed IP allocation
ifconfig-push 10.10.0.24 255.255.255.0
# Server
push "route 192.168.1.2 255.255.255.255"
# Remote PC
push "route 192.168.1.24 255.255.255.255"



and here is the client
---------START client config---------
client
dev tun
remote ********* 1194 udp
float
nobind
ca ca.crt
cert userX.crt
key userX.key

remote-cert-tls server
cipher AES-256-GCM
auth SHA256
tls-client
tls-auth ta.key 1
key-direction 1
tls-version-min 1.2

comp-lzo
resolv-retry infinite
keepalive 15 120
persist-key
persist-tun
mute-replay-warnings
verb 4
mute 20

---------END client config---------

User avatar
TinCanTech
Forum Team
Posts: 10814
Joined: Fri Jun 03, 2016 1:17 pm

Re: Restricting Internet access through VPN

Post by TinCanTech » Fri May 20, 2022 6:07 am

pacsd wrote:
Fri May 20, 2022 12:20 am
I have tested on several computers and, for some reason, Linux ignores the rules
Linux does not ignore openvpn directives, unless you configure it to do so..

pacsd
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 11, 2021 11:35 pm

Re: Restricting Internet access through VPN

Post by pacsd » Fri May 20, 2022 10:17 pm

TinCanTech wrote:
Fri May 20, 2022 6:07 am
Linux does not ignore openvpn directives, unless you configure it to do so..
Thank you for replying, but I'm afraid you brought nothing useful in this discussion. You must be already aware about the many bugs you can find on Linux too. I included the configs for both the server and the client: you can read them, if you haven't done it yet.

To keep it simple: if someone asks a question and you know the answer and/or you are willing to help, you take action. If you don't know OR you can't add anything useful to that conversation, you just shut up.

I'll look for an answer on other forums.

User avatar
TinCanTech
Forum Team
Posts: 10814
Joined: Fri Jun 03, 2016 1:17 pm

Re: Restricting Internet access through VPN

Post by TinCanTech » Sat May 21, 2022 1:17 am

What no Log files ..

Ciao

Post Reply