Specific rules and access policies for subnets

Scripts that set up, tear down, and modify routing tables and firewall rulesets for client connections.


paulb
OpenVpn Newbie
Posts: 6
Joined: Wed Feb 03, 2021 11:20 am

Specific rules and access policies for subnets

Post by paulb » Thu Feb 04, 2021 11:04 am

Hi,

I have a VPN network 10.8.0.0 255.255.248.0. It has 8 subnets: from 10.8.0.0 to 10.8.7.0
For now, every client from any of these subnets can reach any client in any other subnet. I would like only clients from 10.8.1.0 to be able to reach the clients in the other subnets.

I read the documentation and I understand the solution is to disable client-to-client and add rules in iptables.

Example:
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.8.3.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.3.0/24 -d 10.8.1.0/24 -j DROP

I have a few questions.

Will this solution work, or does it need something in addition?
Should I better choose 10.8.0.0 as my "privileged" subnet considering that the server is 10.8.0.1?

Regards,
Paul

Pippin
Forum Team
Posts: 1200
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Specific rules and access policies for subnets

Post by Pippin » Thu Feb 04, 2021 2:11 pm

To get an idea:
https://community.openvpn.net/openvpn/w ... acketsFlow

This also applies:
https://community.openvpn.net/openvpn/w ... gConflicts

And:
https://backreference.org/2010/05/02/co ... n-openvpn/

So yes, it comes down to the firewall rules.
Rules can be automated by, for example, a --learn-address / --client-connect script.
A bit older example, but useful to get an idea:
https://encodo.com/latest/developer-blo ... r-openvpn/

Another possibility is multiple instances of OpenVPN, one for each group.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
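Added example, written for this thread and not taken from any of the linked pages: a POSIX shell script that generates the FORWARD rules for the layout in the question, assuming the VPN is 10.8.0.0/21 on tun0, client-to-client is disabled in the server config, and a dedicated chain named OVPN_SUBNETS is acceptable (the chain name is an assumption).

```shell
#!/bin/sh
# Generate an iptables FORWARD policy for an OpenVPN network in which only
# the "privileged" subnet may open connections to the other /24 subnets.
# Assumed values (not from the thread): chain name OVPN_SUBNETS.
VPN_NET="10.8.0.0/21"     # whole VPN range, 10.8.0.0 - 10.8.7.255
PRIV_NET="10.8.1.0/24"    # subnet allowed to initiate to the others
TUN_IF="tun0"
CHAIN="OVPN_SUBNETS"

# Print the iptables commands rather than running them, so the policy can be
# reviewed (or checked by a test) before it is applied with: gen_rules | sh
gen_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -F $CHAIN
iptables -C FORWARD -i $TUN_IF -o $TUN_IF -s $VPN_NET -d $VPN_NET -j $CHAIN 2>/dev/null || iptables -A FORWARD -i $TUN_IF -o $TUN_IF -s $VPN_NET -d $VPN_NET -j $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -s $PRIV_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A $CHAIN -j DROP
EOF
}
# Notes on the generated rules:
# - Only tun0 -> tun0 traffic inside 10.8.0.0/21 is sent to the chain, so
#   forwarding rules for the LAN or the Internet are left untouched.
# - The ESTABLISHED,RELATED rule lets replies flow back from, e.g.,
#   10.8.3.0/24 to 10.8.1.0/24; without it the return packets would hit DROP.
# - Anything else between VPN subnets (including 10.8.3.0/24 -> 10.8.1.0/24
#   as a new connection) falls through to the final DROP.
```

The two rules in the original post would accept the outbound packets but drop the replies, which is why the stateful ESTABLISHED,RELATED rule is placed first here.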

paulb
OpenVpn Newbie
Posts: 6
Joined: Wed Feb 03, 2021 11:20 am

Re: Specific rules and access policies for subnets

Post by paulb » Tue Feb 16, 2021 2:44 pm

Hi Pippin,

Thanks for the links. I found them very useful.

The information from https://backreference.org/2010/05/02/co ... n-openvpn/ helped me to create the rules that I need for my server.

Best regards
