Restricted client-client traffic

dad311
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 04, 2011 11:20 pm

Restricted client-client traffic

Post by dad311 » Tue Jan 04, 2011 11:35 pm

I have Openvpn setup and working almost perfectly. I only have one small issue to resolve.

I monitor and maintain several OpenVPN clients. All traffic originates from my local LAN (192.168.100.0) and I have blocked all traffic originating from the OpenVPN network (10.5.0.0).

My question is, how can I allow JUST ONE OpenVPN client to have full access to all other OpenVPN clients while blocking all others? This client would be used for remote monitoring while traveling.

Thanks for any help.

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Restricted client-client traffic

Post by gladiatr72 » Wed Jan 05, 2011 11:42 am

Hello,

As long as you're maintaining the ipp.txt, the /30 networks assigned to your clients will not change. That being said, you can use the host firewall to block forwarding from your client network TO your client network with an exception rule for the monitoring client's IP.

-Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole

dad311
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 04, 2011 11:20 pm

Re: Restricted client-client traffic

Post by dad311 » Wed Jan 05, 2011 3:28 pm

gladiatr72

I have already done what you suggested with the firewall. I've blocked all clients except one from reaching my local network; this works. My problem still remains. Because I have client-client commented out in my server.conf file, none of the VPN clients can see each other, including the one PC that I would like to see all other VPN clients.

I don't know if what I'm asking is even possible. As a workaround I installed a virtual desktop machine on my local LAN running VNC. I can remotely access this machine and then see the entire network.

I think what I need is for iptables to exempt the one client address and then, instead of forwarding the traffic to the local LAN, send the traffic back to the VPN. I need some type of route back to the VPN for the one client.

thx

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Restricted client-client traffic

Post by gladiatr72 » Wed Jan 05, 2011 5:09 pm

Oh, well, yeah. You'll want to re-enable client-to-client on your server. :)

Then add something along the lines of:

# whatever your management system's IP is on the client network
-A FORWARD -s 10.5.0.70/32 -d 10.5.0.0/24 -j ACCEPT
-A FORWARD -s 10.5.0.0/24 -d 10.5.0.0/24 -j DROP

You have to be sure you're not thinking of the vpn client network as its own LAN. With client-to-client enabled, each client still has to pass packets through the tun device on the server, so you have the ability for layer-3 filtering.

-S

dad311
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 04, 2011 11:20 pm

Re: Restricted client-client traffic

Post by dad311 » Wed Jan 05, 2011 8:05 pm

Sounds logical, but doesn't work. It seems that iptables does not affect the client-client option.

I found this http://backreference.org/2010/05/02/con ... ment-10735 article today, which sounds like exactly what I need, but I can't make it work either. The article states to remove the client-client and then set up iptables to forward. I can't make the forwarding work. :roll:

I've also found that if I do a traceroute from 10.5.0.21 > 10.5.0.25 it's trying to route over the internet, not via the VPN server. My 10.5.0.21 route table looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.5.0.22       *               255.255.255.255 UH    0      0        0 tun0
10.5.0.1        10.5.0.22       255.255.255.255 UGH   0      0        0 tun0
192.168.100.0   10.5.0.22       255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         DD-WRT          0.0.0.0         UG    0      0        0 eth0


If I'm pinging 10.5.0.25, that would be on a different subnet (10.5.0.24). Do I need to push route(s) for the local VPN subnets?

dad311
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 04, 2011 11:20 pm

Re: Restricted client-client traffic

Post by dad311 » Wed Jan 05, 2011 10:29 pm

Progress! But I have a new issue.

I added the push "route 10.6.0.0 255.255.255.0" and can control access via the firewall and client-client. However, if I try to push two routes, 192.168.100.0 and 10.6.0.0, I can no longer ping the 10.6.0.0 network. Routing table hosed?

This seems to be a routing issue. Traceroute shows the routing for a VPN address going out the default route (Internet), because there is no route listed for 10.6.0.0.

How can I get a gateway of 10.6.0.0 inserted into the Clients(s)?


Below is my server.conf file.
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.6.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.100.0 255.255.255.0"
verb 3
client-config-dir ccd
cipher AES-128-CBC
tls-auth ta.key 0
comp-lzo
#Uncomment the line below to allow different clients to be able to see each other.
#client-to-client
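The two pieces the thread converges on, gladiatr72's "ACCEPT the management address, DROP the rest" FORWARD rules and dad311's discovery that the VPN subnet has to be pushed before a client will send peer traffic into the tunnel, only fit together with client-to-client left off. With client-to-client enabled OpenVPN switches packets between clients inside the daemon and the kernel's FORWARD chain never sees them; with it off, a packet from one client to another comes out of tun0, is routed by the kernel back into tun0, and can be filtered on the way. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It emits the server.conf additions, a ccd entry that pins the monitoring client to a fixed tunnel address, and the iptables commands for the tun0-to-tun0 hairpin. The addresses (10.6.0.0/24 from the posted server.conf, a monitoring client at 10.6.0.70 with net30 peer 10.6.0.69), the interface name tun0 and the subcommand names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from this thread or from the OpenVPN project).
# Emits the server-side pieces for "only the monitoring client may reach the
# other VPN clients" and can apply the firewall part:
#   conf  -> lines to add to server.conf; client-to-client stays commented out
#   ccd   -> contents of ccd/<monitoring client CN> to pin its tunnel address
#   rules -> the iptables commands for the FORWARD chain (printed, not run)
#   apply -> run those commands (as root, on the OpenVPN server)
# Every address, interface and file name below is an assumption for illustration.
set -eu

VPN_NET=${VPN_NET:-10.6.0.0}            # from "server 10.6.0.0 255.255.255.0"
VPN_MASK=${VPN_MASK:-255.255.255.0}
VPN_CIDR=${VPN_CIDR:-10.6.0.0/24}
LAN_NET=${LAN_NET:-192.168.100.0}
LAN_MASK=${LAN_MASK:-255.255.255.0}
MGMT_IP=${MGMT_IP:-10.6.0.70}           # monitoring client's tunnel address (assumed)
MGMT_PEER=${MGMT_PEER:-10.6.0.69}       # its net30 point-to-point peer address (assumed)
VPN_IF=${VPN_IF:-tun0}
IPT=${IPT:-iptables}

server_conf_additions() {
    cat <<EOF
# "client-to-client" stays OFF: with it on, the daemon switches packets between
# clients internally and the kernel FORWARD chain never sees them.
push "route $LAN_NET $LAN_MASK"
# A net30 client only gets host routes for its peer address and the server, so
# without this route, traffic for another client's tunnel address leaves via the
# client's default gateway instead of the tunnel.
push "route $VPN_NET $VPN_MASK"
EOF
}

# Fixed address for the monitoring client so the firewall rule keeps matching
# even if ipp.txt is lost. net30 hands out (4n+1, 4n+2) pairs; the client gets
# the even address, the server-side endpoint the odd one.
ccd_entry() {
    echo "ifconfig-push $MGMT_IP $MGMT_PEER"
}

# Order matters: the specific ACCEPT must precede the catch-all DROP. All three
# rules match only tun0 -> tun0 hairpin traffic, so whatever client -> LAN rules
# already exist on the box are left untouched.
forward_rules() {
    cat <<EOF
$IPT -A FORWARD -i $VPN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPN_IF -o $VPN_IF -s $MGMT_IP/32 -d $VPN_CIDR -j ACCEPT
$IPT -A FORWARD -i $VPN_IF -o $VPN_IF -j DROP
EOF
}

case "${1:-rules}" in
    conf)  server_conf_additions ;;
    ccd)   ccd_entry ;;
    rules) forward_rules ;;
    apply) forward_rules | sh ;;
    *)     echo "usage: $0 conf|ccd|rules|apply" >&2; exit 2 ;;
esac
```

Apply the conf and ccd output first and restart the server so clients reconnect and receive the pushed 10.6.0.0/24 route, then run the rules. The rules are appended with -A, so check `iptables -L FORWARD -v -n --line-numbers` afterwards: if an older, broader ACCEPT sits above them they never match and should be inserted with -I instead. `cat /proc/sys/net/ipv4/ip_forward` must read 1 (it already does if clients can reach the LAN). From the monitoring client, `traceroute -n` to another client's tunnel address should now show the server's tunnel address as the first hop; from any other client the same ping should time out while the packet counter on the DROP rule climbs. Inside an OpenVZ container iptables only works with the modules the host has enabled for that container, so look at those counters before concluding, as the thread's last post did, that the method does not work there.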

dad311
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 04, 2011 11:20 pm

Re: Restricted client-client traffic

Post by dad311 » Fri Jan 07, 2011 6:21 pm

I was not able to restrict clients using the posted method. I'm not sure why, but it might have to do with the fact my VPN(s) are running virtually in an OpenVZ container. However, I did find a workaround. I created 3 VPNs (Family, Biz and Personal). My Personal VPN has access to everything, with no firewalls. The Family and Biz VPNs are heavily firewalled, allowing mostly only traffic into the VPNs, but not out. This allows me to monitor and maintain the machines connected, without exposing my local network.

So I have three VPNs, running in OpenVZ containers under Proxmox, each using 30-40 megs of memory and almost 0 CPU. Priceless!
