So currently all traffic is routed through the VPN with push "redirect-gateway def1 bypass-dhcp" configured in server.conf (see below). All my users are running Macs and using the Tunnelblick client to connect, with "Route all traffic through the VPN" disabled on the client side.
I have a feature request asking me to allow access to the internal subnet via SSH and HTTP/S but NOT to change the external IP, if possible. I'm sure it is. I'm just not sure how best to accomplish it! Hoping you guys can help!
So ideally:
- All SSH tunnels through OpenVPN (needs a 10.0.0.0/24 IP) when connected. Or at least when attempting to connect to a 10.0.1.0/24 IP.
- HTTP/S access to internal subnet.
- HTTP/S access to internet without external IP change.
server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.0.0.2"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5986]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tun+ -j ACCEPT
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri May 2 13:46:20 2014
# Generated by iptables-save v1.4.7 on Fri May 2 13:46:20 2014
*nat
:PREROUTING ACCEPT [1:42]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
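An added example, not from this thread or the OpenVPN project, of the two files changed to get the split tunnel the post asks for: server.conf pushes only the internal routes instead of the default gateway, the FORWARD chain limits VPN clients to SSH and HTTP/S on those subnets, and NAT is narrowed to the same destinations. The 10.8.0.0/24, 10.0.0.0/24 and 10.0.1.0/24 networks and eth0 come from the post; that both internal subnets sit behind eth0 and that a client-side checkbox cannot override a server push are assumptions stated in the comments.

```conf
# server.conf, split-tunnel version. The Tunnelblick "Route all traffic"
# setting does not cancel a server-pushed redirect-gateway, so the push has
# to go here (assumption: clients run without route-nopull / pull-filter).
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Was: push "redirect-gateway def1 bypass-dhcp"  -> forced every client
# packet through the VPN and changed the users' external IP.
push "route 10.0.0.0 255.255.255.0"
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.2"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

# iptables-save format. FORWARD defaults to DROP: VPN clients may only open
# SSH and HTTP/S to the two internal subnets; replies come back via state.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -s 10.8.0.0/24 -d 10.0.0.0/24 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A FORWARD -i tun+ -s 10.8.0.0/24 -d 10.0.1.0/24 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

*nat
:POSTROUTING ACCEPT [0:0]
# 10.0.0.0/23 = both internal subnets; internet-bound traffic is no longer
# routed here at all, so it is not masqueraded either (assumes eth0 faces them).
-A POSTROUTING -s 10.8.0.0/24 -d 10.0.0.0/23 -o eth0 -j MASQUERADE
COMMIT
```

Because nothing but the two pushed routes goes over tun0, a client's web traffic to the internet keeps its normal egress IP while SSH to 10.0.0.0/24 or 10.0.1.0/24 arrives from the server's masqueraded address.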