Hi,
I have a VPN network 10.8.0.0 255.255.248.0. It has 8 subnets: from 10.8.0.0 to 10.8.7.0
For now, every client from any of these subnets can reach any client in any other subnet. I would like only the clients from 10.8.1.0 to be able to reach the clients in the other subnets.
I read the documentation and I understand the solution is to disable client-to-client and add rules in iptables.
Example:
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.8.3.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.3.0/24 -d 10.8.1.0/24 -j DROP
I have a few questions.
Will this solution work, or does it need something in addition?
Should I better choose 10.8.0.0 as my "privileged" subnet considering that the server is 10.8.0.1?
Regards,
Paul
Specific rules and access policies for subnets
Reply from Pippin (Forum Team):
Re: Specific rules and access policies for subnets
To get an idea:
https://community.openvpn.net/openvpn/w ... acketsFlow
This also applies:
https://community.openvpn.net/openvpn/w ... gConflicts
And:
https://backreference.org/2010/05/02/co ... n-openvpn/
So yes, it comes down to the firewall rules.
Rules can be automated by, for example, a --learn-address or --client-connect script.
A bit older example, but useful to get an idea:
https://encodo.com/latest/developer-blo ... r-openvpn/
Another possibility is multiple instances of OpenVPN, one for each group.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
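Pippin's point that it comes down to the FORWARD rules, worked out as a script. This is an added example for the thread, not code from either poster or from OpenVPN. It assumes the layout in the first post (10.8.0.0/21 split into /24s, server on tun0, client-to-client disabled, 10.8.1.0/24 as the privileged subnet) and, for the --learn-address part, a hypothetical naming convention where privileged clients' certificate CNs end in "-admin". IPT defaults to a dry run that prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN itself.
# Layout assumed from the first post: VPN 10.8.0.0/21 split into /24 subnets,
# server on tun0, client-to-client disabled, so client-to-client packets are
# routed by the kernel and hit the FORWARD chain with -i tun0 -o tun0.
# Policy: only PRIV_NET may open connections to the other VPN subnets; the
# replies are allowed back by conntrack; every other hairpin flow is dropped.
# IPT defaults to a dry run that prints the iptables commands; run with
# IPT=iptables (as root) to apply them for real.

VPN_NET="10.8.0.0/21"      # 10.8.0.0 - 10.8.7.255, i.e. all eight /24s
PRIV_NET="10.8.1.0/24"     # the "privileged" subnet chosen in the post
TUN="tun0"
IPT="${IPT:-echo iptables}"

# Static policy. Order matters: the conntrack ACCEPT must precede the DROP,
# otherwise replies from 10.8.3.0/24 back to 10.8.1.0/24 are dropped as well.
vpn_policy() {
    $IPT -N VPN_FWD
    # Only hairpinned client-to-client traffic is sent to the chain; packets
    # addressed to the server's own VPN address go to INPUT, not FORWARD.
    $IPT -A FORWARD -i "$TUN" -o "$TUN" -j VPN_FWD
    $IPT -A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A VPN_FWD -s "$PRIV_NET" -d "$VPN_NET" -j ACCEPT
    $IPT -A VPN_FWD -s "$VPN_NET" -d "$VPN_NET" -j DROP
}

# Per-client variant via --learn-address (the automation Pippin mentions).
# OpenVPN runs the script as: <script> add|update|delete <address> [common_name]
# (no common name is passed on delete). Assumption for this example only:
# privileged clients have certificate CNs ending in "-admin".
learn_address() {
    op="$1"; addr="$2"; cn="$3"
    case "$op" in
        add|update)
            case "$cn" in
                *-admin) $IPT -I VPN_FWD -s "$addr" -d "$VPN_NET" -j ACCEPT ;;
            esac ;;
        delete)
            # Remove the rule if it exists; non-privileged clients never had one.
            $IPT -D VPN_FWD -s "$addr" -d "$VPN_NET" -j ACCEPT 2>/dev/null || true ;;
    esac
}

# Dispatcher so the same file can be installed as
# "--learn-address /etc/openvpn/vpn-policy.sh" (hypothetical path) and also
# run by hand with "setup" to load the static policy.
case "${1:-}" in
    setup) vpn_policy ;;
    add|update|delete) learn_address "$@" ;;
esac
```

Two checks worth doing before trusting rules like the ones in the first post: first, that an ESTABLISHED,RELATED accept sits above the DROP, since a plain "-s 10.8.3.0/24 -d 10.8.1.0/24 -j DROP" also drops the return packets of connections that 10.8.1.0/24 opened; second, that the rules are restricted to -i tun0 -o tun0, so they only touch hairpinned client-to-client traffic and not routes the VPN pushes to a LAN. Traffic to the server's own VPN address is delivered locally through INPUT rather than FORWARD, so which /24 contains 10.8.0.1 does not change what these FORWARD rules match.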
Reply from Paul:
Re: Specific rules and access policies for subnets
Hi Pippin,
Thanks for the links. I found them very useful.
The information from https://backreference.org/2010/05/02/co ... n-openvpn/ helped me to create the rules that I need for my server.
Best regards