HELP! Restricting access to groups

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

curgan8
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 10, 2015 9:33 am

HELP! Restricting access to groups

Post by curgan8 » Fri Sep 11, 2015 3:20 pm

Hello all,

I'm new to OpenVPN and I don't have much knowledge about it.
I need to create a VPN in which there are users belonging to three different groups. In this VPN, a user can only be connected to another user in the same group.

I think that is possible but I don't know how to implement it.

Can anyone help me?

Thanks!!!

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: HELP! Restricting access to groups

Post by Traffic » Mon Sep 14, 2015 2:12 pm

Please see this:
Configuring client-specific rules and access policies

Or setup three different VPN instances.

curgan8
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 10, 2015 9:33 am

Re: HELP! Restricting access to groups

Post by curgan8 » Mon Sep 14, 2015 2:48 pm

Thanks traffic for your reply!!

Can I set up different instances on the same port? If yes, is there a limit on the number of instances on a single port?

Thanks again for your help!!!

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: HELP! Restricting access to groups

Post by Traffic » Tue Sep 15, 2015 1:23 pm

No .. each instance requires a unique port or unique IP address to bind to ..

curgan8
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 10, 2015 9:33 am

Re: HELP! Restricting access to groups

Post by curgan8 » Wed Sep 16, 2015 2:32 pm

Thanks again Traffic!

I followed the instructions in Configuring client-specific rules and access policies. I can fix static IPs for each client but I can't restrict access following the manual.

I want client2 and client3 to be able to connect to each other but not to client1. This is what I'm doing:

In the server configuration file:
server 10.8.0.0 255.255.255.0

route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0
#fixed ip addresses for my clients

client-config-dir ccd

In ccd dir:
ccd/client1
ifconfig-push 10.8.1.1 10.8.1.2

ccd/client2
ifconfig-push 10.8.2.1 10.8.2.2

ccd/client3
ifconfig-push 10.8.2.5 10.8.2.6

IPTABLES.
# client1 rules
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.8.1.0/24 -j ACCEPT

# client2 rules
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.8.2.0/24 -j ACCEPT

# client3 rules
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.8.2.0/24 -j ACCEPT

With this, it doesn't work the way I need.

Can you help me?

Thanks!

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: HELP! Restricting access to groups

Post by Traffic » Wed Sep 16, 2015 4:05 pm

The HOWTO for this subject (Configuring client-specific rules and access policies) is a bad example only, intended to give details of what is possible by utilizing the server firewall, not OpenVPN itself.

*Note: Using the HOWTO requires you to set up three separate server instances.
(although that is not made clear)

You must learn how IP Netmask functions and how to configure iptables correctly for it to work with your personal scenario.

In your case (Server OpenVPN /24 subnet):
curgan8 wrote:
server 10.8.0.0 255.255.255.0
is not compatible with and does not include the IP addresses you are pushing to your clients (incorrectly using OpenVPN /30 subnet):
curgan8 wrote:
ccd/client1
ifconfig-push 10.8.1.1 10.8.1.2

ccd/client2
ifconfig-push 10.8.2.1 10.8.2.2

ccd/client3
ifconfig-push 10.8.2.5 10.8.2.6
See --topology and --ifconfig-push in The Manual v23x and see your log files (verb 4) for errors.

*Note: iptables can accept netmask inconsistencies which OpenVPN cannot.

hamzen
OpenVPN User
Posts: 20
Joined: Mon Sep 26, 2011 11:20 pm

Re: HELP! Restricting access to groups

Post by hamzen » Tue Mar 28, 2023 8:47 pm

Reviving this topic after 7.5 years ...

Is there any chance that the current latest OVPN 2.5.1-3 server (running on a Debian 11 VPS) can safely separate groups somehow with an easy parameter? ... inside 1 instance on 1 port. (Maybe in v2.6?)

- What happens, if a client is changing IP manually?
( From pushed pool address (10.8.5.x/24) to an other Fix IP + subnet (10.8.1.200/16) ? )

Is it still only iptables that prevents groups from "seeing each other"?
I can not really find any full examples other than /net30, which is already deprecated.
I know this forum is not about how to configure the Linux firewall, but if ovpn can not work safely without it, it would be really great to see an example of how to do it.


For example, with SoftEtherVPN (https://www.softether.org/) someone can easily create any number of groups (which they call HUBs) and they are all separated by default because the server kernel safely routes all packets inside it.

- Is there anything similar accomplished during the last 20 years?
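As an added example, not code from the thread or from the OpenVPN project, here is one way to put Traffic's points into practice and to give the "full example" asked for above: a single instance on a single port, every client address inside the one /24 the server hands out (so the ccd pushes are consistent with the server subnet), and group isolation done by the server firewall. It assumes topology subnet, server 10.8.0.0 255.255.255.0, client-config-dir ccd, interface tun0, IP forwarding enabled in the kernel, and that client-to-client is NOT set (otherwise OpenVPN forwards client traffic internally and iptables never sees it). The /26 group plan, the client names and the addresses are constructed for the example. The script prints the rules rather than applying them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example (hypothetical, not from the thread). One OpenVPN server,
# one port, three isolated groups. Assumptions: topology subnet,
# server 10.8.0.0/24, client-config-dir ccd, tun0, ip_forward=1,
# and NO client-to-client so client-to-client traffic passes the kernel
# FORWARD chain (-i tun0 -o tun0) where it can be filtered.
set -eu

# Server-side options this layout relies on (printed for reference).
server_conf() {
    cat <<'EOF'
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd
# no "client-to-client": let the kernel route and filter it
EOF
}

# Constructed address plan inside the single /24:
#   group 1 = 10.8.0.64/26, group 2 = 10.8.0.128/26, group 3 = 10.8.0.192/26
# 10.8.0.0/26 is left for the server address and the dynamic pool.
group_subnet() {
    case "$1" in
        1) echo "10.8.0.64/26" ;;
        2) echo "10.8.0.128/26" ;;
        3) echo "10.8.0.192/26" ;;
        *) echo "unknown group: $1" >&2; return 1 ;;
    esac
}

# ccd line for one client. With topology subnet the second argument of
# ifconfig-push is the netmask of the VPN subnet, not a /30 peer address.
ccd_entry() { # $1 = client VPN address
    printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# Write ccd/<common name> (the file name must match the cert CN).
write_ccd() { # $1 = ccd dir, $2 = common name, $3 = client VPN address
    mkdir -p "$1"
    ccd_entry "$3" > "$1/$2"
}

# Group number derived from the last octet; 0 = outside any group.
group_of() {
    last=${1##*.}
    if   [ "$last" -ge 64 ]  && [ "$last" -le 127 ]; then echo 1
    elif [ "$last" -ge 128 ] && [ "$last" -le 191 ]; then echo 2
    elif [ "$last" -ge 192 ] && [ "$last" -le 255 ]; then echo 3
    else echo 0; fi
}

# The policy the firewall enforces: 1 = same group, 0 = dropped.
may_talk() { # $1 = source address, $2 = destination address
    g1=$(group_of "$1"); g2=$(group_of "$2")
    [ "$g1" != 0 ] && [ "$g1" = "$g2" ] && echo 1 || echo 0
}

# FORWARD rules: default DROP, keep replies, allow only intra-group traffic.
forward_rules() {
    cat <<'EOF'
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for g in 1 2 3; do
        net=$(group_subnet "$g")
        printf 'iptables -A FORWARD -i tun0 -o tun0 -s %s -d %s -j ACCEPT\n' "$net" "$net"
    done
}

# Usage: sh groups.sh show   (prints the server options, ccd files, rules)
if [ "${1:-}" = "show" ]; then
    server_conf
    for c in "client1 10.8.0.70" "client2 10.8.0.130" "client3 10.8.0.131"; do
        set -- $c
        echo "ccd/$1:"; ccd_entry "$2"
    done
    forward_rules
fi
```

Two points worth checking when adapting this. First, the rules only work if they sit before any broader ACCEPT on FORWARD (for instance a rule that lets all of 10.8.0.0/24 reach the LAN), and clients that fall back to the dynamic pool in 10.8.0.0/26 match no rule, so they can reach nobody, which is the safe default. Second, on the question above about a client changing its own address: in server mode OpenVPN checks the source address of every packet arriving from a client against the address it assigned (or an iroute for that client) and drops packets that do not match, logging "bad source address from client", so a client cannot simply pick an address in another group's /26 to slip past these rules; verb 4 in the server log shows those drops.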

hamzen
OpenVPN User
Posts: 20
Joined: Mon Sep 26, 2011 11:20 pm

Re: HELP! Restricting access to groups

Post by hamzen » Fri Mar 31, 2023 6:37 pm

Nobody has any info?
