Hi,
I would like to set up my OVPN server so that, when the client is connected, they can't access any IP addresses that are off the VPN. Ideally I'd like to be able to set this on a client-by-client basis, as there are only a handful of them which I'd actually like to be restricted.
I've looked at the redirect-gateway flag, but I'm not sure this is exactly what I want, and it's marked in the manual (at least as of 2.1) as experimental. Is there a best practice or guide that I could follow to do this? Or am I totally off-base in thinking this is possible?
Thanks.
Restricting all network traffic while a client is connected
Moderators: TinCanTech
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Apr 15, 2011 7:54 pm
Re: Restricting all network traffic while a client is connec
After playing around some more, it seems to work by adding this to the client config files:

push "redirect-gateway def1"

But I'm still curious to hear whether this is a good/bad idea or whether there's a better way.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Restricting all network traffic while a client is connec
The "redirect-gateway" option is not experimental, but the "def1" parameter is new/experimental for OpenVPN 2.1; the man page is slightly outdated, as nowadays it is recommended to always use "def1".
You can redirect all traffic for a particular client using either a 'client-connect' script or by using a 'client-configuration' file (aka CCD file). Using a CCD file is probably the easiest:
* add the option 'client-config-dir <absolute-path-to-directory>' to your server config
* in this directory create a file with the name (and NO extension) of the client certificate (e.g. 'client1' or 'John_Doe') ; in this file, add 'push "redirect-gateway def1"'
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Apr 15, 2011 7:54 pm
Re: Restricting all network traffic while a client is connec
janjust, thanks for the explanation about the def1 parameter being experimental. Using CCD files to push redirect-gateway is the approach I ended up using which made it really easy to restrict the client access to just the OpenVPN subnet.
Now I'm trying to further restrict these clients to only be able to access the server machine, not other clients (the global client-to-client parameter is enabled for the server). I'd love to find a way to do this that didn't involve learning iptables.
Any suggestions?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Restricting all network traffic while a client is connec
the server does not need 'client-to-client', that is needed purely to enable clients to see each other (without going through any filtering!).
There is a filter plugin that you can try to filter traffic between clients, but in my opinion it's much easier to use iptables for this (syntax-wise as well, and I need to know iptables for other stuff anyways). The filter is experimental and is not part of the regular openvpn distribution.
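Putting the two answers above together (the CCD file that pushes redirect-gateway, and iptables on the server to keep a restricted client away from other clients), here is an added example script; it is not from the thread or the OpenVPN project. It assumes a server using 'server 10.8.0.0 255.255.255.0' with 'topology subnet' on tun0 (server address 10.8.0.1), 'client-config-dir /etc/openvpn/ccd', and a restricted client whose certificate CN is 'client1'; the CCD file also pins that client to a fixed VPN address with 'ifconfig-push' so the iptables rules have something stable to match on, which is an addition beyond what the thread states.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: topology subnet,
# 10.8.0.0/24 on tun0, server tun address 10.8.0.1, CCD dir below.
set -eu

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
TUN_IF="${TUN_IF:-tun0}"
SERVER_VPN_IP="${SERVER_VPN_IP:-10.8.0.1}"

# write_ccd <client-cn> <vpn-ip>: create the per-client CCD file named
# after the certificate CN (no extension). Besides the redirect-gateway
# push from the thread, 'ifconfig-push' fixes the client's VPN address so
# the firewall rules below can refer to it. Prints the file for review.
write_ccd() {
    cn="$1"; ip="$2"
    mkdir -p "$CCD_DIR"
    {
        printf 'push "redirect-gateway def1"\n'
        printf 'ifconfig-push %s 255.255.255.0\n' "$ip"
    } > "$CCD_DIR/$cn"
    cat "$CCD_DIR/$cn"
}

# restrict_rules <vpn-ip>: emit iptables rules that let this client talk
# only to the server's own tun address. With client-to-client off, the
# server forwards client-to-client packets through FORWARD, so dropping
# there keeps the client away from other clients; INPUT keeps the server
# itself reachable. Rules are appended, so they must come before any
# earlier blanket ACCEPT in those chains to take effect.
restrict_rules() {
    ip="$1"
    printf 'iptables -A INPUT -i %s -s %s -d %s -j ACCEPT\n' "$TUN_IF" "$ip" "$SERVER_VPN_IP"
    printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$TUN_IF" "$ip"
    printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$TUN_IF" "$ip"
}

# apply_rules <vpn-ip>: run the rules (needs root); with DRY_RUN=1 only
# print them.
apply_rules() {
    restrict_rules "$1" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$rule"; else sh -c "$rule"; fi
    done
}
```

Run as root with `write_ccd client1 10.8.0.50 && apply_rules 10.8.0.50`, then reconnect the client so the new CCD file is pushed.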