-
fanfan_2a
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Sep 23, 2018 7:03 pm
Post
by fanfan_2a » Wed Dec 16, 2020 9:44 am
Hi !
My server is configured with the client-to-client parameter, and my clients have different networks (10.1.1.0/24 to 10.1.5.0/24). Traffic between sites works very well, but I would like to block traffic from one site (10.1.5.0/24).
I've tried:
iptables -A FORWARD -i tun0 -s 10.1.5.0/24 -d 10.1.0.0/16 -j DROP
but it doesn't work. Can I do this restriction with iptables?
Or do I have to disable client-to-client and set manually connections between sites with iptables ?
Thanks
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Post
by Pippin » Wed Dec 16, 2020 12:59 pm
Firewall is basically off topic but the tip is, do not use client-to-client.
Maybe helpful:
https://community.openvpn.net/openvpn/w ... acketsFlow
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Wed Dec 16, 2020 4:30 pm
--client-to-client allows openvpn server to route between clients without passing through the kernel.
If you need to add firewall rules to filter specific traffic between clients then you must not use --client-to-client.
Client to server is not affected by --client-to-client.
Firewall rules are much more complicated.
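An added example, not code from either poster: once client-to-client is removed from the server config, packets between clients leave tun0, pass through the kernel and re-enter tun0, so the FORWARD chain finally sees them. The script checks that the config no longer enables client-to-client and prints the FORWARD rules for the poster's setup (tun0, 10.1.0.0/16, blocked site 10.1.5.0/24; the config path and the helper names are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread). Values taken from the thread:
VPN_IF="tun0"            # server's tun interface
VPN_NET="10.1.0.0/16"    # covers all client site networks 10.1.1.0/24 .. 10.1.5.0/24
BLOCKED_SITE="10.1.5.0/24"  # site whose traffic to the other sites must be dropped

# check_config FILE: return 1 if an uncommented "client-to-client" line is still
# present. With that option OpenVPN switches packets between clients in user space,
# so no iptables FORWARD rule is ever consulted for that traffic.
check_config() {
    if grep -Eq '^[[:space:]]*client-to-client' "$1"; then
        echo "client-to-client is enabled in $1: FORWARD rules will not see inter-client traffic" >&2
        return 1
    fi
    return 0
}

# build_rules: print the iptables commands, one per line, for review or for piping
# to sh as root. Order matters: the stateless DROP (the same match the original
# poster tried) comes first, so 10.1.5.0/24 is cut off in both directions, since
# its replies to the other sites are dropped too. The ACCEPT keeps the remaining
# sites talking when the FORWARD chain's policy is DROP.
build_rules() {
    cat <<EOF
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $BLOCKED_SITE -d $VPN_NET -j DROP
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $VPN_NET -d $VPN_NET -j ACCEPT
EOF
}

# apply_rules CONFIG: refuse to touch the firewall while client-to-client is on;
# otherwise enable forwarding and load the rules (needs root, assumed path).
apply_rules() {
    check_config "$1" || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | sh
}

# Usage (as root, after removing client-to-client from the server config):
#   apply_rules /etc/openvpn/server.conf
```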
-
fanfan_2a
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Sep 23, 2018 7:03 pm
Post
by fanfan_2a » Wed Dec 16, 2020 11:09 pm
OK, thanks for the replies, I'm gonna work on it.