Specific rules and access policies for subnets

paulb
OpenVpn Newbie
Posts: 4
Joined: Wed Feb 03, 2021 11:20 am

Specific rules and access policies for subnets

Post by paulb » Thu Feb 04, 2021 11:04 am

Hi,

I have a VPN network 10.8.0.0 255.255.248.0. It has 8 subnets: from 10.8.0.0 to 10.8.7.0.
For now, every client from any of these subnets can reach any client from any other subnet. I would like only the clients from 10.8.1.0 to be able to reach the clients from the other subnets.

I read the documentation and I understand the solution is to disable client-to-client and add rules in iptables.

Example:
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.8.3.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.3.0/24 -d 10.8.1.0/24 -j DROP

I have a few questions.

Will this solution work, or does it need something in addition?
Would it be better to choose 10.8.0.0 as my "privileged" subnet, considering that the server is 10.8.0.1?

Regards,
Paul

Pippin
Forum Team
Posts: 992
Joined: Wed Jul 01, 2015 8:03 am

Re: Specific rules and access policies for subnets

Post by Pippin » Thu Feb 04, 2021 2:11 pm

To get an idea:
https://community.openvpn.net/openvpn/w ... acketsFlow

This also applies:
https://community.openvpn.net/openvpn/w ... gConflicts

And:
https://backreference.org/2010/05/02/co ... n-openvpn/

So yes, it comes down to the firewall rules.
Rules can be automated by, for example, a --learn-address / --client-connect script.
Bit older example but useful to get an idea:
https://encodo.com/latest/developer-blo ... r-openvpn/

Another possibility is multiple instances of OpenVPN, one for each group.
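As an added example (not code from this thread or from OpenVPN), here is a small script that generates the FORWARD rules for the scenario Paul describes, one privileged subnet that may initiate connections to the rest of the VPN range while the other subnets cannot. It is stateful, so replies to connections that 10.8.1.0/24 opened are allowed back in; the interface name tun0, the privileged subnet and the /21 range are assumptions taken from the question.

```shell
#!/bin/sh
# Added example: print an iptables FORWARD ruleset for the thread's scenario.
# Assumptions: tun0 is the OpenVPN interface, 10.8.1.0/24 is the privileged
# subnet, 10.8.0.0/21 is the whole VPN range, and client-to-client is disabled
# so every client-to-client packet crosses the FORWARD chain.
TUN_IF="tun0"
PRIV_NET="10.8.1.0/24"
VPN_NET="10.8.0.0/21"

# build_rules IFACE PRIV_NET VPN_NET
# Prints the rules instead of applying them so they can be reviewed first.
# Order matters: the ESTABLISHED,RELATED rule must precede the final DROP,
# otherwise TCP replies from 10.8.3.0/24 back to 10.8.1.0/24 would be dropped
# (which is what the two stateless rules in the question would do).
# Traffic to the server's own address (10.8.0.1) goes through INPUT, not FORWARD.
build_rules() {
    tun_if="$1"; priv_net="$2"; vpn_net="$3"
    cat <<EOF
iptables -A FORWARD -i $tun_if -o $tun_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun_if -o $tun_if -s $priv_net -d $vpn_net -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $tun_if -o $tun_if -s $vpn_net -d $vpn_net -j DROP
EOF
}

# If the FORWARD chain already holds a blanket ACCEPT, -A appends after it and
# the DROP never matches; in that case use -I to insert these at the top.
build_rules "$TUN_IF" "$PRIV_NET" "$VPN_NET"
```

Review the printed rules, then run them as root (for example by piping the output to sh) and confirm with `iptables -L FORWARD -v -n` that the ESTABLISHED,RELATED rule sits above the DROP.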

paulb
OpenVpn Newbie
Posts: 4
Joined: Wed Feb 03, 2021 11:20 am

Re: Specific rules and access policies for subnets

Post by paulb » Tue Feb 16, 2021 2:44 pm

Hi Pippin,

Thanks for the links. I found them very useful.

The information from https://backreference.org/2010/05/02/co ... n-openvpn/ helped me to create the rules that I need for my server.

Best regards
