How to allow only 1 client to "see" all others

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
dboss
OpenVpn Newbie
Posts: 3
Joined: Fri May 13, 2011 6:37 am

How to allow only 1 client to "see" all others

Post by dboss » Fri May 13, 2011 6:44 am

Hi,

I've recently installed an OpenVPN server, with the below configuration.

Code:

port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.10.0 255.255.255.0"
push "route 10.9.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
client-config-dir ccd
route 10.9.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

The regular clients receive their IP from this subnet: 10.8.0.0/24
and the "Admin" client gets his IP from his file in /etc/openvpn/ccd (it's in the 10.9.0.0/24 subnet).

I'd like to allow only the "admin" client to be able to communicate with all the other clients (i.e. ping, ssh, rdp and so on...),
but not allowing the "regular" clients to communicate with each other (like the default conf)

Anyway, I've tried to play with iptables to achieve that, but I can't get it right.

please help :)
many thanks in advance.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How to allow only 1 client to "see" all others

Post by maikcat » Fri May 13, 2011 10:26 am

hi there,

AFAIK when client-to-client is enabled the traffic between clients can't be handled with iptables....

I am not sure that you can accomplish this.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

dboss
OpenVpn Newbie
Posts: 3
Joined: Fri May 13, 2011 6:37 am

Re: How to allow only 1 client to "see" all others

Post by dboss » Fri May 13, 2011 10:42 am

Well, that's the point.
I don't want to use "client-to-client" because it makes all clients see all the others.
Any other ideas? (And thanks for your reply anyway of course, any help is appreciated.)

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to allow only 1 client to "see" all others

Post by janjust » Fri May 13, 2011 10:43 am

If 'client-to-client' is enabled you bypass all iptables rules, so this you don't want.
When assigning an IP from a different block than the 'server' block to a client you need to make sure that routing still works. I don't recommend using

Code:

server 10.8.0.0 255.255.255.0

and an admin range of 10.9.0.X, but I'd use

Code:

server 10.0.8.0 255.255.254.0

and an admin range of 10.0.9.X

First make sure all clients can see each other, including the admin client.
Then enable forwarding on the server and set up iptables rules to block connections between VPN clients except for the admin client. This is, BTW, explained in my book ;)
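As an added example, not code from this thread or from janjust's book, here is the forwarding-plus-iptables setup that last paragraph describes, as a small sh script that emits the FORWARD rules for review, gives a dry-run verdict for a given source address, and applies the rules only when run as root. It assumes the addressing janjust suggests above (pool 10.0.8.0/23 on tun0, admin client pinned via ccd into 10.0.9.0/24) and a kernel with the conntrack match available.

```shell
#!/bin/sh
# Added example: keep regular OpenVPN clients from reaching each other while
# the admin range may reach everyone. Assumed layout (janjust's suggestion,
# not the original poster's values): tun0, pool 10.0.8.0/23, admin client
# pinned via ccd into 10.0.9.0/24. Without client-to-client, packets between
# clients leave the kernel via tun0 again, so they traverse FORWARD.
VPN_IF="${VPN_IF:-tun0}"
ADMIN_NET="${ADMIN_NET:-10.0.9.0/24}"

# Dotted quad to integer, POSIX sh arithmetic only.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeeds when address $1 lies inside CIDR $2 (e.g. 10.0.9.7 10.0.9.0/24).
in_net() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Emit the FORWARD rules one per line so they can be reviewed first. Order
# matters: flows initiated by the admin net, and replies belonging to them,
# are accepted before the catch-all DROP that isolates regular clients.
# Traffic leaving on another interface (the pushed LAN routes) is untouched.
vpn_isolation_rules() {
    cat <<EOF
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $ADMIN_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -j DROP
EOF
}

# Dry-run verdict for a NEW tun0-to-tun0 connection initiated by $1,
# mirroring the rule order above: only a source in the admin net may start one.
verdict() {
    if in_net "$1" "$ADMIN_NET"; then echo ACCEPT; else echo DROP; fi
}

# Apply for real only as root with iptables present; forwarding must be on
# or the FORWARD chain is never consulted.
apply_rules() {
    [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    vpn_isolation_rules | sh -e
}
```

Run `vpn_isolation_rules` to inspect the rules and `verdict 10.0.8.15` or `verdict 10.0.9.7` to see which side of the DROP a client lands on; insert the rules ahead of any existing ACCEPT-all in FORWARD or they never fire.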
