I have not set the client-to-client option in server conf. However, I find the client can access the other client by curl the open port.
I think if no client-to-client option is written in server conf. The client to client access function is closed by default.
The client can access other client without client-to-client config in server
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
-
lcgogo
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Apr 10, 2020 9:43 am
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: The client can access other client without client-to-client config in server
Study this diagram:
https://community.openvpn.net/openvpn/w ... acketsFlow
With the option --client-to-client, packets are not exposed to kernel.
Therefore the firewall has no effect.
If want to disallow clients to "see" each other, make rules in the FORWARD chain on the tun interface.
Which rules, depends on the setup.
http://ipset.netfilter.org/iptables.man.html
https://community.openvpn.net/openvpn/w ... acketsFlow
With the option --client-to-client, packets are not exposed to kernel.
Therefore the firewall has no effect.
That depends on the firewall rules.I think if no client-to-client option is written in server conf. The client to client access function is closed by default.
If want to disallow clients to "see" each other, make rules in the FORWARD chain on the tun interface.
Which rules, depends on the setup.
http://ipset.netfilter.org/iptables.man.html
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
Halton Arp
-
lcgogo
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Apr 10, 2020 9:43 am
Re: The client can access other client without client-to-client config in server
Many thanks for your clarification!
I found an example to disable the client to see each other by config the FORWARD iptables and it works fine in my openvpn server.
https://gist.github.com/Tristor/ed0f686 ... nt-2716384
I found an example to disable the client to see each other by config the FORWARD iptables and it works fine in my openvpn server.
https://gist.github.com/Tristor/ed0f686 ... nt-2716384
Pippin wrote: ↑Fri Apr 10, 2020 5:15 pmStudy this diagram:
https://community.openvpn.net/openvpn/w ... acketsFlow
With the option --client-to-client, packets are not exposed to kernel.
Therefore the firewall has no effect.
That depends on the firewall rules.I think if no client-to-client option is written in server conf. The client to client access function is closed by default.
If want to disallow clients to "see" each other, make rules in the FORWARD chain on the tun interface.
Which rules, depends on the setup.
http://ipset.netfilter.org/iptables.man.html