Generell Question about built-in packet-filter
Posted: Tue Mar 01, 2016 1:19 pm
by fistus
Hi,
In my OVPN setups, one client - a router - connects a subnet to the VPN network. Now I want to restrict the access of some clients (persons) to some specific IPs in that subnet.
After some tests with pf-management and this plugin:
http://backreference.org/2010/06/18/ope ... et-filter/ , which does the same, my setup does not work.
I can control the access to external networks accessible from the server; that works well. But that would be scriptable anyway. Much more important would be to restrict access to external networks on one of the clients.
This is very hard to script. But I still could not get this to work with pf.
Is it possible at all with the built-in pf, or is it just for external server side networks?
Any help welcome
Re: Generell Question about built-in packet-filter
Posted: Tue Mar 01, 2016 2:24 pm
by Traffic
I use the backreference plugin as you do .. so, yes it does work.
See this thread:
topic17891.html
Re: Generell Question about built-in packet-filter
Posted: Tue Mar 01, 2016 2:37 pm
by fistus
You can restrict the following?
one VPN-net p.a. 192.168.1.0/24, server has 192.168.1.1
one client is a router, maybe IP 192.168.1.2
on that router is a 2nd network, p.a. 10.0.0.0/24
another client (employeeA) has vpn-IP 192.168.1.10
You really can set a rule, employeeA can connect to 10.0.0.5, but not to 10.0.0.10?
Re: Generell Question about built-in packet-filter
Posted: Tue Mar 01, 2016 2:45 pm
by Traffic
It is difficult to fully understand your question .. but ..
fistus wrote:You really can set a rule, employeeA can connect to 10.0.0.5, but not to 10.0.0.10?
I believe so (depends very much on your complete setup) ..
employeeA packet filter
may look like this:
[CLIENTS DENY]
[SUBNETS DENY]
+10.0.0.5/32
[END]
but it may be easier with iptables ?
Re: Generell Question about built-in packet-filter
Posted: Tue Mar 01, 2016 3:06 pm
by fistus
My problem is: if I deny clients or a specific client, all traffic towards it is dropped, no matter which subnets are blocked or not.
But if I allow the clients, the subnet rules are not used, so every IP in every subnet of the clients can be reached.
The Log shows this when the client is blocked, but its net and subnet are allowed:
vpn: 10.155.156.0/24
subnet to be reached behind the client "router" 192.168.100.0/24
global LAN 192.168.1.100/24
Tue Mar 1 13:49:23 2016 us=306494 falk/192.168.1.100:58800 PF: client[falk/192.168.1.100:58800] -> client[router/192.168.1.203:35456] packet dropped by BCAST packet filter
Tue Mar 1 13:49:23 2016 us=311687 falk/192.168.1.100:58800 PF: PF_ADDR_MATCH/tap_dest_addr falk ARP/10.155.156.2 ACCEPT rule=[10.155.156.0/255.255.255.0 ACCEPT]
Tue Mar 1 13:49:24 2016 us=316677 falk/192.168.1.100:58800 PF: PF_CN_DEFAULT/bcast_c2c/DEST router DROP
Tue Mar 1 13:49:24 2016 us=321728 falk/192.168.1.100:58800 PF: client[falk/192.168.1.100:58800] -> client[router/192.168.1.203:35456] packet dropped by BCAST packet filter
Tue Mar 1 13:49:24 2016 us=326692 falk/192.168.1.100:58800 PF: PF_ADDR_MATCH/tap_dest_addr falk ARP/10.155.156.2 ACCEPT rule=[10.155.156.0/255.255.255.0 ACCEPT]
Tue Mar 1 13:49:25 2016 us=314974 falk/192.168.1.100:58800 PF: PF_CN_DEFAULT/bcast_c2c/DEST router DROP
I cannot reach the client
But when I allow the clients, but block subnets:
Tue Mar 1 13:51:14 2016 us=670050 falk/192.168.1.100:58815 PF: PF_CN_DEFAULT/tap_c2c/DEST router ACCEPT
Tue Mar 1 13:51:14 2016 us=674927 falk/192.168.1.100:58815 PF: PF_CN_DEFAULT/tap_c2c/SRC falk ACCEPT
Tue Mar 1 13:51:14 2016 us=883970 router/192.168.1.203:35456 PF: PF_CN_DEFAULT/tap_c2c/DEST falk ACCEPT
Tue Mar 1 13:51:14 2016 us=888879 router/192.168.1.203:35456 PF: PF_CN_DEFAULT/tap_c2c/SRC router ACCEPT
Tue Mar 1 13:51:15 2016 us=673041 falk/192.168.1.100:58815 PF: PF_CN_DEFAULT/tap_c2c/DEST router ACCEPT
Tue Mar 1 13:51:15 2016 us=677960 falk/192.168.1.100:58815 PF: PF_CN_DEFAULT/tap_c2c/SRC falk ACCEPT
Tue Mar 1 13:51:16 2016 us=331623 router/192.168.1.203:35456 PF: PF_CN_DEFAULT/tap_c2c/DEST falk ACCEPT
Tue Mar 1 13:51:16 2016 us=336378 router/192.168.1.203:35456 PF: PF_CN_DEFAULT/tap_c2c/SRC router ACCEPT
Tue Mar 1 13:51:16 2016 us=938879 falk/192.168.1.100:58815 PF: PF_CN_DEFAULT/tap_c2c/DEST router ACCEPT
Tue Mar 1 13:51:16 2016 us=943782 falk/192.168.1.100:58815 PF: PF_CN_DEFAULT/tap_c2c/SRC falk ACCEPT
Tue Mar 1 13:51:17 2016 us=350544 router/192.168.1.203:35456 PF: PF_CN_DEFAULT/tap_c2c/DEST falk ACCEPT
Tue Mar 1 13:51:17 2016 us=355362 router/192.168.1.203:35456 PF: PF_CN_DEFAULT/tap_c2c/SRC router ACCEPT
The subnet-rules are not used. I can reach everything.
It works with subnets on the server, but not behind a client.
I tried for days. I knew your recent post, but I don't get this to work.
my pf-configs:
router:
[clients accept]
[subnets accept]
[end]
-------------------
[clients accept]
[subnets accept]
+10.155.156.0/24
+192.168.100.0/24
-192.168.100.2
[end]
What is your setup?
Re: Generell Question about built-in packet-filter
Posted: Tue Mar 01, 2016 3:48 pm
by fistus
I tried your employeeA PF
router:
[clients accept]
[subnets accept]
[end]
employee:
[clients deny]
[subnets deny]
+192.168.100.2
[end]
log says:
Tue Mar 1 16:46:46 2016 us=625118 falk/192.168.1.100:34215 PF: PF_CN_FAULT/bcast_c2c/DEST router DROP
Tue Mar 1 16:46:46 2016 us=634314 falk/192.168.1.100:34215 PF: client[falk/192.168.1.100:34215] -> client[router/192.168.1.203:35465] packet dropped by BCAST packet filter
Tue Mar 1 16:46:46 2016 us=639250 falk/192.168.1.100:34215 PF: PF_ADDR_FAULT/tap_dest_addr falk ARP/10.155.156.2 DROP
Tue Mar 1 16:46:46 2016 us=644097 falk/192.168.1.100:34215 PF: client -> addr[ARP/10.155.156.2] packet dropped by TAP packet filter
Re: Generell Question about built-in packet-filter
Posted: Tue Mar 01, 2016 4:15 pm
by fistus
Sorry, it has to be drop, not deny. New message in the log, same result:
[clients drop]
[subnets drop]
+192.168.100.2
[end]
[clients accept]
[subnets accept]
[end]
Tue Mar 1 17:06:44 2016 us=402352 falk/192.168.1.100:34601 PF: PF_CN_DEFAULT/bcast_c2c/DEST router DROP
Tue Mar 1 17:06:44 2016 us=407185 falk/192.168.1.100:34601 PF: client[falk/192.168.1.100:34601] -> client[router/192.168.1.203:35470] packet dropped by BCAST packet filter
Tue Mar 1 17:06:44 2016 us=412028 falk/192.168.1.100:34601 PF: PF_ADDR_DEFAULT/tap_dest_addr falk ARP/10.155.156.2 DROP
Tue Mar 1 17:06:44 2016 us=416925 falk/192.168.1.100:34601 PF: client -> addr[ARP/10.155.156.2] packet dropped by TAP packet filter
And now with router as client allowed to be reached:
[clients drop]
+router
[subnets drop]
+192.168.100.2
[end]
[clients accept]
[subnets accept]
[end]
ping 192.168.100.1 works, but should not:
Tue Mar 1 17:10:11 2016 us=335198 router/192.168.1.203:35470 PF: PF_CN_DEFAULT/tap_c2c/DEST falk ACCEPT
Tue Mar 1 17:10:11 2016 us=340050 router/192.168.1.203:35470 PF: PF_CN_MATCH/tap_c2c/SRC router ACCEPT rule=[router ACCEPT]
same log output ping 192.168.100.2
Tue Mar 1 17:11:26 2016 us=255767 falk/192.168.1.100:34623 PF: PF_CN_MATCH/tap_c2c/DEST router ACCEPT rule=[router ACCEPT]
Tue Mar 1 17:11:26 2016 us=260609 falk/192.168.1.100:34623 PF: PF_CN_DEFAULT/tap_c2c/SRC falk ACCEPT
I'm clueless. I think the internal PF is not able to block external IPs on a client. Server only, but this is scriptable. Unfortunately, blocking on the client is not.
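The log lines in the post above show which rule set each path consults: the tap_c2c checks print only PF_CN_* results (CLIENTS rules of sender and receiver), the tap_dest_addr check prints only PF_ADDR_* results (the sender's SUBNETS rules), and a rule file with the unknown keyword "deny" produces PF_*_FAULT and drops everything. The following model reproduces those outcomes from the posted rule files. It is an added example, not code from OpenVPN or the backreference plugin; the function names, the route table that says which client a subnet sits behind, the "first matching subnet entry wins" choice and the treatment of a missing [END] as a fault are assumptions made for the demonstration.

```python
"""Model of the pf decisions visible in the thread's logs (added example,
not OpenVPN or plugin code). Rule files use the format posted above:
[CLIENTS ACCEPT|DROP], [SUBNETS ACCEPT|DROP], +/- entries, [END]."""
import ipaddress
import re

SECTION_RE = re.compile(r"^\[\s*(clients|subnets|end)(?:\s+(accept|drop))?\s*\]$", re.I)


def parse_pf(text):
    """Return {'clients': ..., 'subnets': ...} or None on a parse fault.
    An unknown keyword such as 'deny' is a fault; a missing [END] is treated
    as one too (assumption). A fault is what the PF_*_FAULT log lines show:
    every packet from that client is dropped."""
    rules = {"clients": {"default": False, "entries": {}},
             "subnets": {"default": False, "entries": []}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            name, policy = m.group(1).lower(), (m.group(2) or "").lower()
            if name == "end":
                return rules
            if policy not in ("accept", "drop"):
                return None                      # e.g. "[CLIENTS DENY]"
            section = name
            rules[section]["default"] = (policy == "accept")
            continue
        if section is None or line[0] not in "+-":
            return None                          # "[clients deny]" lands here
        allow, target = (line[0] == "+"), line[1:].strip()
        if section == "clients":
            rules["clients"]["entries"][target] = allow
        else:
            net = ipaddress.ip_network(target, strict=False)   # bare IP -> /32
            rules["subnets"]["entries"].append((net, allow))
    return None


def cn_test(rules, peer_cn):
    """CLIENTS check of one side: (allow, log tag)."""
    if rules is None:
        return False, "PF_CN_FAULT"
    entries = rules["clients"]["entries"]
    if peer_cn in entries:
        return entries[peer_cn], "PF_CN_MATCH"
    return rules["clients"]["default"], "PF_CN_DEFAULT"


def addr_test(rules, dst_ip):
    """Sender's SUBNETS check; first matching entry wins (assumption)."""
    if rules is None:
        return False, "PF_ADDR_FAULT"
    ip = ipaddress.ip_address(dst_ip)
    for net, allow in rules["subnets"]["entries"]:
        if ip in net:
            return allow, "PF_ADDR_MATCH"
    return rules["subnets"]["default"], "PF_ADDR_DEFAULT"


def filter_packet(src_cn, dst_ip, pf, routes):
    """Decide a packet's fate. 'routes' maps subnets to the CN of the client
    they sit behind. A destination owned by another client is c2c traffic:
    only CLIENTS rules are consulted and the destination IP is never compared
    against SUBNETS rules. Anything else leaves through the server's
    interface and gets the address check. Returns (verdict, path, tag)."""
    ip = ipaddress.ip_address(dst_ip)
    for net, owner_cn in routes:
        if ip in net:
            ok_dst, tag_dst = cn_test(pf.get(src_cn), owner_cn)  # sender's view of receiver
            ok_src, tag_src = cn_test(pf.get(owner_cn), src_cn)  # receiver's view of sender
            if ok_dst and ok_src:
                return "ACCEPT", "tap_c2c", tag_dst
            return "DROP", "tap_c2c", (tag_dst if not ok_dst else tag_src)
    allow, tag = addr_test(pf.get(src_cn), dst_ip)
    return ("ACCEPT" if allow else "DROP"), "tap_dest_addr", tag


# Constructed inputs mirroring the thread: 192.168.100.0/24 is behind the
# client "router"; 10.155.156.0/24 is the VPN itself, reached via the server.
ROUTES = [(ipaddress.ip_network("192.168.100.0/24"), "router")]
PF_ROUTER = "[clients accept]\n[subnets accept]\n[end]\n"
PF_FALK = "[clients drop]\n+router\n[subnets drop]\n+192.168.100.2\n[end]\n"
PF_FALK_DENY = "[clients deny]\n[subnets deny]\n+192.168.100.2\n[end]\n"


def thread_scenarios():
    pf = {"router": parse_pf(PF_ROUTER), "falk": parse_pf(PF_FALK)}
    pf_deny = {"router": parse_pf(PF_ROUTER), "falk": parse_pf(PF_FALK_DENY)}
    return {
        # "ping 192.168.100.1 works, but should not": c2c path, +router wins
        "falk->192.168.100.1": filter_packet("falk", "192.168.100.1", pf, ROUTES),
        "falk->192.168.100.2": filter_packet("falk", "192.168.100.2", pf, ROUTES),
        # server-side address: SUBNETS default (drop) applies
        "falk->10.155.156.2": filter_packet("falk", "10.155.156.2", pf, ROUTES),
        # 'deny' is not a keyword: parse fault, everything dropped
        "deny-file->10.155.156.2": filter_packet("falk", "10.155.156.2", pf_deny, ROUTES),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:26} {result}")
```

The model makes the security point explicit: the only place a destination IP is compared against SUBNETS rules is the tap_dest_addr path, i.e. traffic leaving through the server's own interface. Once the destination belongs to a subnet behind another client, the packet is client-to-client traffic and the decision is made purely on common names, so "+router" under [CLIENTS DROP] opens every address behind the router. Enforcing per-IP access behind a client therefore has to happen on that client (a host firewall such as iptables on the router) or, as the thread concludes, in patched server code.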
Re: Generell Question about built-in packet-filter
Posted: Fri Mar 11, 2016 8:19 am
by fistus
To bring this post to an end:
After I worked myself through the code: it is not possible to filter specific networks or IPs on the client side. You have to patch the code.