Filtering client-to-client traffic in layer 2 (TAP) with OpenVPN 2.6 possible?

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

tspf
OpenVpn Newbie
Posts: 13
Joined: Tue Jan 07, 2014 8:15 am

Post by tspf » Mon Feb 06, 2023 4:02 pm

Hello everybody,
first I hope this is the right section to ask this. Not sure if it needs to go into "Server Administration" instead?

So I am currently using a "plugin" in my OpenVPN server configuration to block or allow communication between different OpenVPN TAP clients. So basically I can filter which client is allowed to speak to another client. I need to filter the traffic between the clients like this:
  • Traffic between Client A and Client B is allowed
  • Traffic between Client B and Client C is allowed
  • Traffic between Client A and Client C is *not* allowed
I achieved this using the following OpenVPN server configuration and this great tutorial here: https://backreference.org/2010/06/18/op ... index.html
I also took the liberty of using the proposed C code for the plugin. My server config looks like this:

local 192.168.x.y
port 443
proto tcp-server
tcp-nodelay
dev tap
mode server
tls-server
ifconfig-pool 10.10.0.2 10.10.0.254 255.255.255.0
ifconfig 10.10.0.1 255.255.255.0
client-config-dir /etc/openvpn/client-config
client-to-client
plugin /etc/openvpn/minimal_pf.so
keepalive 10 60
inactive 3600
up /etc/openvpn/up-cmd-tap
down /etc/openvpn/down-cmd-tap
client-connect /etc/openvpn/client-connect-cmd-tap
learn-address /etc/openvpn/learn-address-cmd-tap
client-disconnect /etc/openvpn/client-disconnect-cmd-tap
dh /etc/openvpn/dhparam.pem
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/OpenVPN-Server_public.pem
key /etc/openvpn/OpenVPN-Server_private.pem
tls-version-min 1.2
script-security 2
log-append /var/log/openvpn/mpaconcentrator-tap.log
verb 4
status /var/log/openvpn/mpaconcentrator-tap-status.log 10
status-version 3
The scripts utilize the features documented in "/usr/share/doc/openvpn/management-notes.txt.gz"

COMMAND -- client-pf  (OpenVPN 2.1 or higher)
Together with scripts for connecting / disconnecting clients and the "pf_file" environment variable, I was able to create a client specific "packet filter policy" file and had fine grained control over which clients could talk to another.

OpenVPN 2.6 is released now and the "Packet Filtering" plugin capability has been removed.
See: https://github.com/OpenVPN/openvpn/blob ... hanges.rst
PF (Packet Filtering) support has been removed
The built-in PF functionality has been removed from the code base. This feature wasn't really easy to use and was long unmaintained. This implies that also --management-client-pf and any other compile time or run time related option do not exist any longer.
Re-reading the fine manual, I saw some interesting (new?) options like:

--vlan-tagging
--vlan-accept
--vlan-pvid
As far as my understanding of VLAN goes, a client belongs to exactly one VLAN at a time and all clients in the same VLAN may communicate with each other.
But for my use case, I need even more fine grained control over which clients can communicate with each other.
I could put every client in its own VLAN - but as I am operating on Layer 2 (TAP) I have no idea how to allow/disallow communication between these separate VLANs.

Any hint, how I could achieve this scenario and block or allow traffic between specific clients even in OpenVPN 2.6?
I think there is no possibility (other than maintaining the code myself) of reactivating the "Packet Filtering" possibilities?
How would one achieve something similar now?

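One way to get the same per-client blocking on OpenVPN 2.6 without the PF plugin is to stop letting OpenVPN switch client-to-client frames internally and let the Linux kernel do it instead, where nftables can filter them. The script below is an added example, not code from the post or from the OpenVPN project. It assumes the server config drops `client-to-client` and keeps the existing `learn-address` hook; the tap device is made a port of a Linux bridge with hairpin mode enabled, so a frame from client A leaves OpenVPN through the tap device, is switched by the bridge, passes the nftables `bridge forward` hook and re-enters OpenVPN through the same tap device towards client C. OpenVPN then calls the learn-address script with the operation, the client's MAC address and (for add/update) its common name, and the script keeps one nftables set of MAC addresses per policy group and a small deny list of group pairs. The table name `ovpn_l2`, the common names `clientA`/`clientB`/`clientC`, the group names, the state directory and the `init` sub-command are all constructed for this example and must be adapted.

```shell
#!/bin/sh
# ovpn-l2-filter.sh  -- added example (not from the original post or OpenVPN)
#
# OpenVPN 2.6 learn-address hook that replaces the removed PF plugin with
# nftables rules in the "bridge" family.  Assumed, not taken from the post:
#   * --client-to-client is removed from the server config, so every frame
#     between two clients is switched by a Linux bridge whose tap port is in
#     hairpin mode.  One-time setup, e.g. in the "up" script (move the
#     10.10.0.1 address from tap0 to br0 as well):
#       ip link add br0 type bridge && ip link set br0 up
#       ip link set tap0 master br0 && bridge link set dev tap0 hairpin on
#       /etc/openvpn/ovpn-l2-filter.sh init
#   * server config: learn-address /etc/openvpn/ovpn-l2-filter.sh (script-security 2)
#     OpenVPN invokes it as:  ovpn-l2-filter.sh <add|update|delete> <mac> [common_name]
#   * the CN -> group mapping and DENY_PAIRS below model the A/B/C scenario.
set -u

TABLE="bridge ovpn_l2"                           # nftables family + table name (hypothetical)
STATE_DIR="${STATE_DIR:-/run/openvpn/l2filter}"  # remembers which set each MAC was put in
NFT="${NFT:-nft}"
POLICY_GROUPS="grp_a grp_b grp_c grp_quarantine"
# Group pairs whose unicast frames are dropped in both directions; every other
# pair may talk, which yields A<->B and B<->C allowed, A<->C blocked.
DENY_PAIRS="grp_a:grp_c"

group_for_cn() {                 # certificate common name -> policy group
    case "$1" in
        clientA) echo grp_a ;;
        clientB) echo grp_b ;;
        clientC) echo grp_c ;;
        *)       echo grp_quarantine ;;  # unknown CN: isolated from everybody
    esac
}

ruleset_cmds() {                 # full, idempotent ruleset for "nft -f -"
    echo "add table $TABLE"
    echo "flush table $TABLE"
    echo "add chain $TABLE fwd { type filter hook forward priority 0; policy accept; }"
    for g in $POLICY_GROUPS; do
        echo "add set $TABLE $g { type ether_addr; }"
    done
    for pair in $DENY_PAIRS; do
        a=${pair%%:*}; b=${pair#*:}
        echo "add rule $TABLE fwd ether saddr @$a ether daddr @$b drop"
        echo "add rule $TABLE fwd ether saddr @$b ether daddr @$a drop"
    done
    echo "add rule $TABLE fwd ether saddr @grp_quarantine drop"
    echo "add rule $TABLE fwd ether daddr @grp_quarantine drop"
}

# Print the nft commands for one learn-address event: $1 operation, $2 MAC
# address (tap mode), $3 common name (OpenVPN omits it on "delete").
learn_address_cmds() {
    op=$1; mac=$2; cn=${3:-}
    case "$op" in
        add|update|delete) ;;
        *) echo "unknown learn-address operation: $op" >&2; return 1 ;;
    esac
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$mac"
    # Drop any previous membership first.  This covers "update" (the same
    # MAC now belongs to another session, e.g. a client spoofing a peer's
    # MAC gets that MAC re-bound to its own group) and "delete".
    if [ -f "$state" ]; then
        echo "delete element $TABLE $(cat "$state") { $mac }"
        rm -f "$state"
    fi
    if [ "$op" != delete ]; then
        grp=$(group_for_cn "$cn")
        echo "$grp" > "$state"
        echo "add element $TABLE $grp { $mac }"
    fi
}

case "${1:-}" in
    init) rm -rf "$STATE_DIR"; ruleset_cmds | "$NFT" -f - ;;     # from the "up" script
    add|update|delete)
        cmds=$(learn_address_cmds "$@") || exit 1
        [ -n "$cmds" ] && printf '%s\n' "$cmds" | "$NFT" -f - ;;
    "") ;;                                                     # sourced: functions only
    *) echo "usage: $0 init | <add|update|delete> <mac> [common_name]" >&2; exit 2 ;;
esac
```

Two caveats a deployment should keep in mind. First, this filters on MAC addresses rather than on the OpenVPN session the old PF file was bound to; a client can emit frames with a peer's source MAC, and although OpenVPN then fires an `update` that moves the MAC into the spoofing client's group, there is a short window before that happens. Second, the bridge still floods broadcast and multicast frames (ARP, IPv6 neighbour discovery) to every client, so A will still see C's broadcasts; only unicast between the denied pair is dropped, and frames addressed to the server itself go through the bridge `input` hook, which this ruleset leaves alone.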