Hello all,
I'm new to OpenVPN and I don't have much knowledge about it.
I need to create a VPN in which there are users belonging to three different groups. In this VPN, a user can only connect to another user in the same group.
I think that is possible but I don't know how to implement it.
Can anyone help me?
Thanks!!!
HELP! Restricting access to groups
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Sep 10, 2015 9:33 am
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: HELP! Restricting access to groups
Please see this:
Configuring client-specific rules and access policies
Or setup three different VPN instances.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Sep 10, 2015 9:33 am
Re: HELP! Restricting access to groups
Thanks traffic for your reply!!
Can I set up different instances on the same port? If yes, is there a limit on the number of instances on a single port?
Thanks again for your help!!!
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: HELP! Restricting access to groups
No .. each instance requires a unique port or unique IP address to bind to ..
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Sep 10, 2015 9:33 am
Re: HELP! Restricting access to groups
Thanks again Traffic!
I followed the instructions in Configuring client-specific rules and access policies. I can fix static IPs for each client but I can't restrict access following the manual.
I want client2 and client3 to be able to connect to each other but not to client1. This is what I'm doing:
In the server configuration file:
server 10.8.0.0 255.255.255.0
route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0
#fixed ip addresses for my clients
client-config-dir ccd
In ccd dir:
ccd/client1
ifconfig-push 10.8.1.1 10.8.1.2
ccd/client2
ifconfig-push 10.8.2.1 10.8.2.2
ccd/client3
ifconfig-push 10.8.2.5 10.8.2.6
IPTABLES.
# client1 rules
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.8.1.0/24 -j ACCEPT
# client2 rules
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.8.2.0/24 -j ACCEPT
# client3 rules
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.8.2.0/24 -j ACCEPT
With this, it doesn't work like I need.
Can you help me?
Thanks!
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: HELP! Restricting access to groups
The HOWTO for this subject (Configuring client-specific rules and access policies) is a bad example only, to provide details of what is possible by utilizing the Server Firewall not OpenVPN itself.
*Note: Using the HOWTO requires you setup three separate server instances.
(although that is not made clear)
You must learn how IP Netmask functions and how to configure iptables correctly for it to work with your personal scenario.
In your case (Server OpenVPN /24 subnet):
curgan8 wrote:
server 10.8.0.0 255.255.255.0
is not compatible with and does not include the IP addresses you are pushing to your clients (incorrectly using OpenVPN /30 subnet):
curgan8 wrote:
ccd/client1
ifconfig-push 10.8.1.1 10.8.1.2
ccd/client2
ifconfig-push 10.8.2.1 10.8.2.2
ccd/client3
ifconfig-push 10.8.2.5 10.8.2.6
See --topology and --ifconfig-push in The Manual v23x and see your log files (verb 4) for errors.
*Note: iptables can accept netmask inconsistencies which OpenVPN cannot.
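An added example (not from this thread or from the OpenVPN project) of the single-instance layout Traffic is pointing at: every group gets a range carved out of the one --server subnet, each client's ccd file pushes an address from its group's range, and iptables FORWARD rules allow only intra-group traffic. It assumes a server config with "server 10.8.0.0 255.255.255.0", "topology subnet", "client-config-dir ccd" and no "client-to-client"; the group ranges, client names and addresses are constructed, and the validate() step rejects the mistake in the quoted config, where pushed addresses lie outside the server subnet.

```python
import ipaddress

# Constructed sample. Assumed server config: "server 10.8.0.0 255.255.255.0",
# "topology subnet", "client-config-dir ccd" and no "client-to-client" (with
# client-to-client OpenVPN switches packets internally and iptables never sees them).
SERVER = "10.8.0.0/24"
GROUPS = {  # group -> (range carved out of the server subnet, {client CN: pushed IP})
    "g1": ("10.8.0.64/26", {"client1": "10.8.0.65"}),
    "g2": ("10.8.0.128/26", {"client2": "10.8.0.129", "client3": "10.8.0.130"}),
    "g3": ("10.8.0.192/26", {"client4": "10.8.0.193"}),
}

def validate(server_cidr, groups):
    """Reject the thread's layout errors: a group range or pushed address outside
    the --server subnet, or two group ranges that overlap. Returns the server net."""
    server = ipaddress.ip_network(server_cidr)
    seen = []
    for name, (cidr, members) in groups.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(server):
            raise ValueError(f"{name}: {net} is not inside {server}")
        if any(net.overlaps(other) for other in seen):
            raise ValueError(f"{name}: {net} overlaps another group")
        seen.append(net)
        for cn, ip in members.items():
            if ipaddress.ip_address(ip) not in net:
                raise ValueError(f"{cn}: {ip} is not inside {net}")
    return server

def is_valid(server_cidr, groups):
    try:
        validate(server_cidr, groups)
        return True
    except ValueError:
        return False

def ccd_files(server_cidr, groups):
    """Content of ccd/<CN>. With topology subnet the 2nd argument is the netmask;
    keep these static addresses out of the server's dynamic pool range."""
    server = validate(server_cidr, groups)
    return {cn: f"ifconfig-push {ip} {server.netmask}"
            for _, members in groups.values() for cn, ip in members.items()}

def iptables_rules(server_cidr, groups, dev="tun0"):
    """ACCEPT forwarding inside each group, then DROP all other client-to-client
    traffic. In tun mode OpenVPN drops packets whose source is not the client's
    assigned address, so a client cannot hop groups by changing its IP by hand."""
    server = validate(server_cidr, groups)
    rules = [f"iptables -A FORWARD -i {dev} -o {dev} -s {cidr} -d {cidr} -j ACCEPT"
             for cidr, _ in groups.values()]
    rules.append(f"iptables -A FORWARD -i {dev} -o {dev} -s {server} -d {server} -j DROP")
    return rules
```

Write each ccd_files() entry to ccd/<CN> on the server and apply iptables_rules() in order; the final DROP must come after the per-group ACCEPT rules.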
- hamzen
- OpenVPN User
- Posts: 20
- Joined: Mon Sep 26, 2011 11:20 pm
Re: HELP! Restricting access to groups
Reviving this topic after 7.5 years ...
Is there any chance that the current latest OVPN 2.5.1-3 server (running on a Debian 11 VPS) can safely separate groups somehow with an easy parameter? ... inside 1 instance on 1 port. (Maybe in v2.6?)
- What happens if a client changes its IP manually?
( From the pushed pool address (10.8.5.x/24) to another fixed IP + subnet (10.8.1.200/16)? )
Is it still only iptables that prevents groups from "seeing each other"?
I cannot really find any full examples other than /net30, which is already deprecated.
I know this forum is not about how to configure the Linux firewall, but if OVPN cannot work safely without it, it would be really great to see an example of how to do it.
For example, with SoftEtherVPN (https://www.softether.org/) someone can easily create any number of groups (which they call HUBs) and they are all separated by default because the server kernel safely routes all packets inside it.
- Is there anything similar accomplished during the last 20 years?
- hamzen
- OpenVPN User
- Posts: 20
- Joined: Mon Sep 26, 2011 11:20 pm
Re: HELP! Restricting access to groups
Nobody has any info?