
How to limit client access to LAN addresses?

Posted: Tue Jan 23, 2018 11:07 pm
by BobAGI
I have an RPi3B sitting at our company main office as an OpenVPN gateway.
It was installed 3 months back and has worked just fine for what it was intended for.
It serves two UDP ports on the firewall:
- One is for clients who are going to tunnel all of their traffic through OpenVPN including LAN and Internet connections.
- The other is for clients who are only accessing the LAN itself and send their Internet access via their own ISP.
Now I have a new use case, namely to allow only access to a certain range of IP addresses on our LAN.
This would be used by consultants who need access to our Subversion server on an internal Windows 2016 Server machine, while they should be blocked from accessing any of the other LAN addresses.

Can this be done on a client basis or do I need a 3rd service instance on the RPi3 to handle that?
And in either case, how could it be done? What should be entered into the configuration file?

Grateful for any suggestions. I'm not very experienced in setting up Linux networking rules and such...

EDIT:
Is it possible to use this in the server.conf file for the instance that will be limited to access only the Subversion server (which uses IP 10.0.0.10):

Code:

#Company local network
#push "route 10.0.0.0 255.255.255.0"
#Limited access:
push "route 10.0.0.10 255.255.255.245"
I.e. only pushing the route to the exact IP address of the server... (But I am not sure about the netmask setting, maybe it should be 255.255.255.240?)

If that works then the next problem is how to make this work for a specific client and have all others use the regular LAN route?

Re: How to limit client access to LAN addresses?

Posted: Tue Jan 23, 2018 11:54 pm
by Pippin

Re: How to limit client access to LAN addresses?

Posted: Wed Jan 24, 2018 7:49 am
by BobAGI
Thanks, #1 and #2 were already done...
(#1=Setting up certificates and keys, which I have always done. #2=Routing on the remote network also done, but cook-book-wise)

#3 looks like what I need (Configuring client-specific rules and access policies) :)

However, here I need to get a fully working example where I can see all of the IPTABLES rules for the setup with 2 classes of users:
A) Company users who can access the whole LAN plus the Internet
B) Company users who can access the whole LAN but not the Internet via the tunnel
C) Contractors who can only access a single server (the Subversion server) and nothing else (no other servers and not the Internet)
At the moment the rules on the VPN machine are (generated by sudo iptables-save > current.rules):

Code:

# Generated by iptables-save v1.6.0 on Wed Jan 24 01:37:15 2018
*nat
:PREROUTING ACCEPT [1694940:187550012]
:INPUT ACCEPT [1344488:162557629]
:OUTPUT ACCEPT [4622:290864]
:POSTROUTING ACCEPT [4622:290864]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 24 01:37:15 2018
# Generated by iptables-save v1.6.0 on Wed Jan 24 01:37:15 2018
*filter
:INPUT ACCEPT [32109526:6654316300]
:FORWARD ACCEPT [52714728:9544666457]
:OUTPUT ACCEPT [26652645:6488894070]
COMMIT
# Completed on Wed Jan 24 01:37:15 2018
As you see there are only two rules and these concern networks 10.8.0.0/24 and 10.8.1.0/24 respectively.
I have two OpenVPN instances running on different ports and both will set up LAN-wide access while only one will set up Internet routing.
There is currently no setup to handle limiting of access based on login common name or similar.

My Linux "expertise" is limited, I can do basic stuff, but networking and firewalls are not my best....

Re: How to limit client access to LAN addresses?

Posted: Fri Jan 26, 2018 9:54 am
by BobAGI
HOPING FOR A REPLY TO THIS SIMPLIFIED QUESTION:
Regarding usage of the client-specific configuration files I find it a bit hard to understand how it actually works...

Will the content of a client-specific conf file replace the server conf file totally, or will it just replace the items in the server.conf file which match by name?
I.e. do I just enter the commands into the client conf file which differ from the main server.conf file and these will override the server.conf file such that any ccd command found will replace the same command in the server.conf file?

Suppose a ccd directory is created and activated by the server.conf command:

Code:

client-config-dir ccd
Then I create a ccd/clientname.conf file and I put for example this into it:

Code:

server 10.8.19.0 255.255.255.0
In the server.conf file this line is set to:

Code:

server 10.8.1.0 255.255.255.0
If clientname connects, will he then use subnet 10.8.19.0/24?
And will any other client whose name does not match a ccd file use 10.8.1.0/24?

I am uncertain how it actually works, say that we have created 20-some client certificate files with different common names.
Only a few of these need special handling.
Now, do I have to put a conf file for each of these into the ccd directory?
What will happen if a client is not provided such a ccd file? Will he be refused or will he be connected using only the server-conf file?

And for those that I do want to have limited connectivity (contractors for example), do I just put replacement directives into the ccd/clientname.conf file?

Re: How to limit client access to LAN addresses?

Posted: Fri Jan 26, 2018 1:19 pm
by TinCanTech
BobAGI wrote:
Fri Jan 26, 2018 9:54 am
Then I create a ccd/clientname.conf file
Unless your client CN is clientname.conf this will not work. The file must be named clientname only.

You cannot use --server in a CCD file ..

Try using --ccd-exclusive .. see the manual for an explanation.

Re: How to limit client access to LAN addresses?

Posted: Fri Jan 26, 2018 1:47 pm
by BobAGI
I should have explained better...
"Then I create a ccd/<clientname>.conf file"
I know that the file is to be named after the common name of the certificate, but then it does not say if it is <CN>.conf or simply <CN>.
Not clear to me.

I have also tried to locate an OpenVPN manual for download, but failed.
Where can I find the OpenVPN_2.4.pdf manual file?
Here there seems only to be an image of the Linux man page for openvpn, pretty difficult to read.
Compare to the Subversion manual available in pdf format....

All I find when googling regarding ccd usage is a plethora of posts in various forums, often marked as off-topic and not answered...
And many date back almost 10 years so are not really valid for 2.4 either.

Is there an OpenVPN "newbie" or "for dummies" forum somewhere, where questions are actually answered without flames?

Re: How to limit client access to LAN addresses?

Posted: Fri Jan 26, 2018 1:56 pm
by TinCanTech
BobAGI wrote:
Fri Jan 26, 2018 1:47 pm
I should have explained better...
"Then I create a ccd/<clientname>.conf file"
I know that the file is to be named after the common name of the certificate, but then it does not say if it is <CN>.conf or simply <CN>.
Not clear to me.
TinCanTech wrote:
Fri Jan 26, 2018 1:19 pm
Unless your client CN is clientname.conf this will not work. The file must be named clientname only
Clear now .. ?
TinCanTech wrote:
Fri Jan 26, 2018 1:19 pm
Try using --ccd-exclusive .. see the manual for an explanation.
Useful debugging tool ..
BobAGI wrote:
Fri Jan 26, 2018 1:47 pm
I have also tried to locate an OpenVPN manual for download, but failed.
The Manual v24x
BobAGI wrote:
Fri Jan 26, 2018 1:47 pm
Is there an OpenVPN "newbie" or "for dummies"
HOWTO: For OpenVPN Community Edition

Re: How to limit client access to LAN addresses?

Posted: Sat Jan 27, 2018 9:29 am
by BobAGI
After continuing trying to understand how it should be set up by reading the HOWTO and numerous forum posts I have now done as follows:
1) enabled the ccd dir in server.conf:

Code:

client-config-dir /etc/openvpn/ccd
2) Created the /etc/openvpn/ccd directory

Code:

sudo mkdir /etc/openvpn/ccd
3) Created a client file ExampleUser in the ccd dir

Code:

cd ccd
sudo touch ExampleUser
4) Set owner of the ccd dir as openvpn

Code:

cd /etc/openvpn
sudo chown -R openvpn ccd
ls -l
total 56
drwxr-xr-x 2 openvpn root  4096 Jan 27 02:56 ccd
5) Edited the client file and put the following into it:

Code:

ifconfig-push 10.9.0.6 10.9.0.5
Notes:
4: The order of the IP address pair must be reversed compared to the HOWTO according to this post.
5: I used the second pair in order not to mess with 1-2, which could be reserved...

Next I want to modify the IPTABLES such that the user ExampleUser will ONLY be allowed to access server 10.0.0.10.
Right now I have the following in the iptables(10.8.0.0/24 is for the server allowing Internet, 10.8.1.0/24 is for the server allowing only LAN access):

Code:

sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          anywhere
MASQUERADE  all  --  10.8.1.0/24          anywhere
What is the correct iptables command to add a rule that limits the access from subnet 10.9.0.0/24 to reach only 10.0.0.10?

My current server.conf file looks like this:
server.conf

port 1198
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/AGIVPN.crt
key /etc/openvpn/easy-rsa/keys/AGIVPN.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
push "route 10.0.0.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 20
user openvpn
group nogroup
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status2.log
log /etc/openvpn/log/openvpn2.log
verb 4
explicit-exit-notify 1

Re: How to limit client access to LAN addresses?

Posted: Sat Jan 27, 2018 10:21 am
by Pippin
5) Your server says:

Code:

topology subnet
server 10.8.1.0 255.255.255.0
That's good.

Your ccd file says:

Code:

ifconfig-push 10.9.0.6 10.9.0.5
That's not for topology subnet, please read here:
https://community.openvpn.net/openvpn/wiki/Topology

Code:

The order of the IP address pair must be reversed compared to the HOWTO
Correct, it is a mistake in the doc.

For topology subnet:
10.8.1.0 - Network
10.8.1.1 - Server IP
10.8.1.254 - DHCP
10.8.1.255 - Broadcast
So usable client tunnel IP addresses are 10.8.1.2 - 10.8.1.253

First get the basic going/understanding...

Re: How to limit client access to LAN addresses?

Posted: Sat Jan 27, 2018 12:38 pm
by BobAGI
Pippin wrote:
Sat Jan 27, 2018 10:21 am
5) Your server says:

Code:

topology subnet
server 10.8.1.0 255.255.255.0
That's good.

Your ccd file says:

Code:

ifconfig-push 10.9.0.6 10.9.0.5
That's not for topology subnet, please read here:
https://community.openvpn.net/openvpn/wiki/Topology
This is somewhat of black magic to me...
Do you mean that I should have this in the client file instead:

Code:

ifconfig-push 10.9.0.2 255.255.255.0
Meanwhile I discovered that I made a mistake in the server conf file. I am using the example server.conf file that comes with openvpn.
The comments there said I should enable the ccd, which I did, but also that I should enable the route, which I missed, so after I found this and corrected it the contents of the server.conf file for ccd reads like this:

Code:

client-config-dir /etc/openvpn/ccd
route 10.9.0.0 255.255.255.252
But now I am getting really worried because the netmask 252 only has space for three addresses 1..3!
This would make it totally impossible to route a client with addresses ending in 5 or 6, right!
What gives here, is the documentation again misleading? What is correct here?

Code:

The order of the IP address pair must be reversed compared to the HOWTO
Correct, it is a mistake in the doc.

For topology subnet:
10.8.1.0 - Network
10.8.1.1 - Server IP
10.8.1.254 - DHCP
10.8.1.255 - Broadcast
So usable client tunnel IP addresses are 10.8.1.2 - 10.8.1.253
But is the IP table in the HOWTO wrong then? It lists different pairs to use and no others...
First get the basic going/understanding...
Basic understanding I think I have, but this seems not to be basic, really. I am trying to make 1-4 clients only able to access the server 10.0.0.10 while all others should continue working as before.
Another issue is that I am working on the server via its OpenVPN, in actual fact the server sits 8400 km away from me.
It is working just fine for the intended internal use where the clients would have access to all of the internal LAN.
But I need to modify it to support the connection from a contractor, who should only be able to talk to the Subversion server PC.

So by the looks of it I have to:
- Use ccd to give the special client different tunnel IP addresses
- configure routing such that OpenVPN knows how to handle this client
- configure IPTABLES on the server to enable communication with a single server (this is my main "understanding" hurdle...)

To me that means giving the client an address in the range 10.9.0.0 rather than 10.8.0.0 or 10.8.1.0 as the current setup does.
The best would be to use ccd such that if a client is not listed he will not see any difference at all from earlier, while the limited clients, who are given 10.9.0.0 addresses will be limited to the specific server.
I understand it such that if not mentioned in a client file a client gets its configuration according to the main server conf file, right?

So I have to configure everything correctly (or at least such that it will still work for the current setup) before I restart openvpn, otherwise I will lose connectivity and will have problems getting it back....

Re: How to limit client access to LAN addresses?

Posted: Sat Jan 27, 2018 2:32 pm
by BobAGI
Correction:
I now found the note on ccd settings in the Topology Subnet topic in the linked page.
So I have changed the ccd entry to this:

Code:

ifconfig-push 10.9.0.2 255.255.255.0
I guess this means the client will get this IP while the tunnel server endpoint gets 10.9.0.1?

Please advise on how to set the IPTABLES correctly.....

Re: How to limit client access to LAN addresses?

Posted: Sat Jan 27, 2018 5:24 pm
by BobAGI
I found a clone of the actual OpenVPN server that I can reconfigure over here and use on my own LAN...
So I got it running and configured these items (only modified/added lines shown):
server.conf:

Code:

#the server line defines the server DHCP assigned addresses:
server 10.8.1.0 255.255.255.0
#This opens the system for using ccd files for individual client configuration
client-config-dir /etc/openvpn/ccd
#I need a route for the specific limited access clients via ccd files?
route 10.9.0.0 255.255.255.0
I created the file /etc/openvpn/BosseB_AGI and put this into it:

Code:

ifconfig-push 10.9.0.2 255.255.255.0
I also changed owner to the whole ccd dir with contents:

Code:

sudo chown -R openvpn ./ccd
Lastly I ran this iptables command in the hope it would make the routing into the LAN work for the selected server:

Code:

sudo iptables -A FORWARD -i eth0 -s 10.9.0.0/24 -d 192.168.119.241 -j ACCEPT
Then I used my phone to connect via OpenVPN and it connected like it used to before.
In the status window I could see that I now have IP address 10.9.0.2
So far so good, but:
I tried accessing the webserver on 192.168.119.241, but it timed out.
This is what I found in the logfile on the server, notice the error on line #5:

Code:

Sat Jan 27 10:50:43 2018 us=949360 95.204.48.173:54803 peer info: IV_AUTO_SESS=1
Sat Jan 27 10:50:43 2018 us=980760 95.204.48.173:54803 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jan 27 10:50:43 2018 us=980850 95.204.48.173:54803 [BosseB_AGI] Peer Connection Initiated with [AF_INET]95.204.48.173:54803
Sat Jan 27 10:50:43 2018 us=980966 BosseB_AGI/95.204.48.173:54803 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/BosseB_AGI
Sat Jan 27 10:50:43 2018 us=981203 BosseB_AGI/95.204.48.173:54803 MULTI ERROR: primary virtual IP for BosseB_AGI/95.204.48.173:54803 (10.9.0.2) violates tunnel network/netmask constraint (10.8.1.0/255.255.255.0)
Sat Jan 27 10:50:43 2018 us=981258 BosseB_AGI/95.204.48.173:54803 MULTI: Learn: 10.9.0.2 -> BosseB_AGI/95.204.48.173:54803
Sat Jan 27 10:50:43 2018 us=981302 BosseB_AGI/95.204.48.173:54803 MULTI: primary virtual IP for BosseB_AGI/95.204.48.173:54803: 10.9.0.2
Sat Jan 27 10:50:43 2018 us=985888 BosseB_AGI/95.204.48.173:54803 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jan 27 10:50:43 2018 us=986003 BosseB_AGI/95.204.48.173:54803 SENT CONTROL [BosseB_AGI]: 'PUSH_REPLY,route 192.168.119.0 255.255.255.0,route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.9.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Jan 27 10:50:43 2018 us=986067 BosseB_AGI/95.204.48.173:54803 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Sat Jan 27 10:50:43 2018 us=986401 BosseB_AGI/95.204.48.173:54803 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jan 27 10:50:43 2018 us=986446 BosseB_AGI/95.204.48.173:54803 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
So it seems to be a problem to run specific clients outside the server's DHCP IP range!
Is there some way to limit the scope of DHCP so that there could be other free addresses for the limited clients to use in the ccd?
I looked in the manual and found only this regarding server:
--server network netmask ['nopool']
A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.

For example, --server 10.8.0.0 255.255.255.0 expands as follows:

mode server
tls-server
push "topology [topology]"

if dev tun AND (topology == net30 OR topology == p2p):
  ifconfig 10.8.0.1 10.8.0.2
  if !nopool:
    ifconfig-pool 10.8.0.4 10.8.0.251
  route 10.8.0.0 255.255.255.0
  if client-to-client:
    push "route 10.8.0.0 255.255.255.0"
  else if topology == net30:
    push "route 10.8.0.1"

if dev tap OR (dev tun AND topology == subnet):
  ifconfig 10.8.0.1 255.255.255.0
  if !nopool:
    ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
  push "route-gateway 10.8.0.1"
  if route-gateway unset:
    route-gateway 10.8.0.2
where 'nopool' is not really described..
It seems like one can switch off DHCP altogether by using the 'nopool' switch but there seems to be no way to set a limited range...
Is there really no way to set the pool of DHCP addresses to for instance 2..127 leaving 128..253 free?
Or how else would one approach this problem?

Re: How to limit client access to LAN addresses?

Posted: Sat Jan 27, 2018 8:17 pm
by Pippin
You configured your server to have this subnet (tunnel subnet):

Code:

server 10.8.1.0 255.255.255.0
but your ccd file says:

Code:

ifconfig-push 10.9.0.2 255.255.255.0
If you read my previous post, I underlined tunnel IP to hint.
So it should be:

Code:

ifconfig-push 10.8.0.2 255.255.255.0
The next client:

Code:

ifconfig-push 10.8.0.3 255.255.255.0
And so on. Those IPs are based on the client's common name you set in their certificate.

Code:

I guess this means the client will get this IP while the tunnel server endpoint gets 10.9.0.1?
Correct, except for 9 should be 8. Client IPs must be within the tunnel subnet.
The four addresses mentioned before cannot be used for clients.

The --route directive in the server config is for the server side LAN, 255.255.255.0 is correct assuming your LAN is that.

Once you have a correct OpenVPN configuration, the rest is routing and firewall.
Study the diagram for a better understanding:
https://ibb.co/c07HJb

Code:

this is my main "understanding" hurdle...
Not meant in a bad way but I disagree ;)
In my opinion it's not time to worry about iptables but if you want to read already:
https://www.netfilter.org/documentation/
Maybe you're going too quickly, too much simultaneously, making it more complicated to understand.

Can you post your complete current config of server, client, ccd, server side LAN subnet and its gateway?
Only remove the --remote x.x.x.x directive from your client config.

And take time to read the provided pages even if you have to read them 10 times.....

Re: How to limit client access to LAN addresses?

Posted: Sat Jan 27, 2018 9:06 pm
by BobAGI
Thanks,
I have gotten further by assuming that if one uses this in server.conf:

Code:

topology subnet
server 10.8.0.0 255.255.255.0 'nopool' 
ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
Then the ccd file can use this:

Code:

ifconfig-push 10.8.0.130 255.255.255.0
And now I basically have a tunnel that will DHCP between ...2 and ...127
at the same time as I have ccd clients that can be assigned manual addresses above ...128
all in the same subnet.
Oh, there is a little bit of confusion here between the server nets 10.8.0.0/24 and 10.8.1.0/24 in my writings, and that is because I run two servers on different UDP ports, one is ONLY serving the local LAN and the other is in addition providing tunneling of the Internet.
These use the two subnets in order not to collide and the IPTABLES has a NAT entry for each.
I will probably have to arrange for a separate ccd directory for these two...

What I need now is to fix the IPTABLES stuff such that clients with addresses in range 10.8.0.2-127 and 10.8.1.2-127 should work as before with full access to the LAN and in the case of the 10.8.1 net also to the Internet while clients with high addresses in both networks should be blocked from both the Internet and the LAN except for a specific list of LAN servers.

But it is now late so I have to retire and I will provide what you asked for tomorrow morning (I am in Europe and the OpenVPN server is in the USA).
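The scheme in this post (server ... 'nopool' plus an explicit ifconfig-pool for the dynamic clients, fixed ifconfig-push addresses above that range for the ccd clients) has several ways to go wrong that OpenVPN only reports at connect time, such as the "violates tunnel network/netmask constraint" error earlier in the thread. The following checker is an added example, not code from the thread or from OpenVPN; it parses the addressing directives of a server.conf and each ccd file and reports addresses that are outside the tunnel subnet, reserved (network, .1 server endpoint, broadcast) or inside the dynamic pool. The sample config, the ccd contents and the choice of 10.8.1.128/25 as the "limited" block are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed sample: only the addressing directives of the poster's scheme, not the full file.
SERVER_CONF = """\
topology subnet
server 10.8.1.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.1.2 10.8.1.127 255.255.255.0
client-config-dir /etc/openvpn/ccd
"""

# Constructed ccd files keyed by certificate common name (file name == CN, no suffix).
CCD_FILES = {
    "contractor01": "ifconfig-push 10.8.1.130 255.255.255.0\n",  # intended: fixed, above the pool
    "contractor02": "ifconfig-push 10.9.0.2 255.255.255.0\n",    # the thread's MULTI ERROR case
    "contractor03": "ifconfig-push 10.8.1.50 255.255.255.0\n",   # inside the dynamic pool
    "contractor04": "ifconfig-push 10.8.1.1 255.255.255.0\n",    # the server's own endpoint
}

# Address block the FORWARD rules treat as "limited" (assumption: upper half of the /24).
RESTRICTED = ipaddress.ip_network("10.8.1.128/25")


def parse_server_conf(text):
    """Pull topology, tunnel network and the effective ifconfig-pool out of server.conf text."""
    cfg = {"topology": "net30", "network": None, "nopool": False, "pool": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = shlex.split(line)  # shlex strips the quotes around 'nopool'
        if directive == "topology" and args:
            cfg["topology"] = args[0]
        elif directive == "server" and len(args) >= 2:
            cfg["network"] = ipaddress.ip_network(f"{args[0]}/{args[1]}")
            cfg["nopool"] = "nopool" in args[2:]
        elif directive == "ifconfig-pool" and len(args) >= 2:
            cfg["pool"] = (ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1]))
    if cfg["network"] is None:
        raise ValueError("server.conf has no 'server' directive")
    if cfg["pool"] is None and not cfg["nopool"]:
        # --server without nopool expands to ifconfig-pool <net+2> <broadcast-2> (topology subnet)
        net = cfg["network"]
        cfg["pool"] = (net.network_address + 2, net.broadcast_address - 2)
    return cfg


def check_ccd(cfg, ccd_text, restricted=RESTRICTED):
    """Return (address, limited, problems) for one ccd file's ifconfig-push line.

    'limited' tells whether the address falls in the block the firewall restricts;
    an empty 'problems' list means OpenVPN will accept the address and it cannot
    collide with the dynamic pool.
    """
    addr = mask = None
    for raw in ccd_text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])
        if len(parts) >= 3 and parts[0] == "ifconfig-push":
            addr, mask = ipaddress.ip_address(parts[1]), parts[2]
    if addr is None:
        return None, False, ["no 'ifconfig-push <ip> <netmask>' line"]
    net, problems = cfg["network"], []
    if cfg["topology"] != "subnet":
        problems.append("the <ip> <netmask> form of ifconfig-push needs 'topology subnet'")
    elif mask != str(net.netmask):
        problems.append(f"netmask {mask} differs from the tunnel netmask {net.netmask}")
    if addr not in net:
        # This is the 'violates tunnel network/netmask constraint' MULTI ERROR from the log.
        problems.append(f"{addr} is outside the tunnel network {net}")
        return addr, addr in restricted, problems
    if addr in (net.network_address, net.network_address + 1, net.broadcast_address):
        problems.append(f"{addr} is the network, server (.1) or broadcast address")
    lo, hi = cfg["pool"]
    if lo <= addr <= hi:
        problems.append(f"{addr} lies inside the dynamic pool {lo}-{hi} and may collide with a pool client")
    return addr, addr in restricted, problems


def audit(server_conf=SERVER_CONF, ccd_files=CCD_FILES, restricted=RESTRICTED):
    """Check every ccd file; returns {cn: (address, limited, problems)}."""
    cfg = parse_server_conf(server_conf)
    return {cn: check_ccd(cfg, text, restricted) for cn, text in ccd_files.items()}


if __name__ == "__main__":
    for cn, (addr, limited, problems) in audit().items():
        state = "OK" if not problems else "; ".join(problems)
        print(f"{cn}: {addr} limited={limited} -> {state}")
```

Run it against the real /etc/openvpn directory by reading server.conf and each file in the ccd directory into the two arguments of audit(); the checker is deliberately stateless, so it can be run before restarting a remote server, which is the situation described in this thread.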

Re: How to limit client access to LAN addresses?

Posted: Sun Jan 28, 2018 12:03 am
by BobAGI
Decided to collect the info after all before sleeping.
Will read pages tomorrow.

Here are the two conf files without comments, note that the serverlocal is used by an openvpn instance which only allows clients to access the LAN and not the Internet (a split tunnel config), whereas the serverweb.conf file is also channeling web traffic via the tunnel.
Currently they share the ccd directory, which is probably not good...:
serverlocal.conf
port 1198
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/AGIVPN.crt
key /etc/openvpn/easy-rsa/keys/AGIVPN.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.1.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.1.2 10.8.1.127 255.255.255.0
ifconfig-pool-persist ipp2.txt
push "route 10.0.0.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 20
user openvpn
group nogroup
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status2.log
log /etc/openvpn/log/openvpn2.log
verb 4
explicit-exit-notify 1

serverweb.conf
port 1199
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/AGIVPN.crt
key /etc/openvpn/easy-rsa/keys/AGIVPN.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 20
user openvpn
group nogroup
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log
log /etc/openvpn/log/openvpn.log
verb 4
explicit-exit-notify 1

And here is the ccd file for the client who will only be granted access to a single server on the LAN and therefore has to get a known IP address. As you can see it uses a network handled by serverlocal (and the name is actually my own Common Name for testing purposes):

Code:

File name = ccd/BosseB_AGI
ifconfig-push 10.8.1.130 255.255.255.0
And the corresponding ovpn file:
BosseB_AGI.ovpn

client
dev tun
proto udp
remote vpn.xxxxx.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
next follow the certificates and keys

Server side network configuration (edited out statistics and loopback/wifi adapters):
Gateway is not listed but is 10.0.0.1/24

Code:

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.235  netmask 255.255.255.0  broadcast 10.0.0.255

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.1.1  netmask 255.255.255.0  destination 10.8.1.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
Currently IPTABLES are empty except for the nat table:

Code:

----- table nat ------
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
That's about it.
I can connect as it is and I am getting the IP address set in the ccd file, so that part seems to work.
But right now I have full access to the local LAN, which is what I want to limit.

Re: How to limit client access to LAN addresses?

Posted: Sun Jan 28, 2018 1:38 pm
by BobAGI
Back again,
and now I have found an old post that gave me a clue:
Limiting incoming VPN client to the single local address
After reading this I tested on my home VPN as follows:

Code:

sudo iptables -I FORWARD 1 -s 10.8.1.211 ! -d 192.168.119.241 -j DROP
This rule will drop everything from the specific client address except if the destination is the allowed server.

Now when I connect I can reach the server on address 192.168.119.241 but not the other servers I have on the LAN.
After disconnecting and connecting using a different VPN profile I could reach all of the tested servers.
So it seems like a variation of the above filter setting might work on the target server too.

[SOLVED] How to limit client access to LAN addresses?

Posted: Sun Jan 28, 2018 11:31 pm
by BobAGI
Verified, it does work.
I have set the DHCP range to cover 2..127 of the /24 subnet leaving 129..253 usable for the ccd clients to get a fixed address from.
In server.conf:

Code:

topology subnet
server 10.8.1.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.1.2 10.8.1.127 255.255.255.0
client-config-dir /etc/openvpn/ccdl
Then I have set a filter in IPTABLES like this:

Code:

iptables -A FORWARD -s 10.8.0.128/25 ! -d 10.0.0.10/32 -j DROP
iptables -A FORWARD -s 10.8.1.128/25 ! -d 10.0.0.10/32 -j DROP
As you can see the rules are specific to the address range 129..255 for the client, which means that I don't have to put a new rule in place for each such client. DHCP clients will not be affected.
As long as the IP address in the client ccd file is managed so it comes from the upper half of the last byte, then the only thing needed is to create the certificates/keys/ovpn files and then also set a fixed IP address for that client in the ccd dir.
Looks like I am done, unless someone here can find a flaw in the configuration.

Re: How to limit client access to LAN addresses?

Posted: Mon Jan 29, 2018 2:24 pm
by Pippin
Progress, chapeau :)
So basically, route full networks, then use firewall rules to control access.

You could also control which ports are allowed to the LAN server and/or firewall on the LAN server as well, double stitched.....

Current chain policy is ACCEPT, look into that too. Rules will be different changing to chain policy DROP.
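The thread's working answer is the two FORWARD rules from the [SOLVED] post, and Pippin's closing remark is that they only behave that way because the chain policy is ACCEPT. Both points are easier to see when the chain is walked by hand, so here is an added example (not code from the thread or from netfilter) that models the first-match evaluation of `-s NET ! -d NET -j TARGET` rules over a few constructed packets. It also carries a constructed ACCEPT-based equivalent for a chain whose policy is DROP. The model is stateless: a real DROP-policy chain would additionally need a conntrack ESTABLISHED,RELATED rule for reply traffic, which is not represented here. A pushed route, as considered in the first post, is configuration the client applies on its own side, so the server-side filter below is what actually enforces the limit.

```python
import ipaddress
import shlex

# Constructed from the rules in the [SOLVED] post: limited clients sit in the upper /25 of
# each tunnel subnet and may only reach the Subversion host 10.0.0.10.
RULES_ACCEPT_POLICY = [
    "iptables -A FORWARD -s 10.8.0.128/25 ! -d 10.0.0.10/32 -j DROP",
    "iptables -A FORWARD -s 10.8.1.128/25 ! -d 10.0.0.10/32 -j DROP",
]

# Constructed equivalent for a FORWARD chain whose policy is DROP: everything not explicitly
# accepted is dropped, so the pool halves need their own ACCEPT rules.
RULES_DROP_POLICY = [
    "iptables -A FORWARD -s 10.8.0.128/25 -d 10.0.0.10/32 -j ACCEPT",
    "iptables -A FORWARD -s 10.8.1.128/25 -d 10.0.0.10/32 -j ACCEPT",
    "iptables -A FORWARD -s 10.8.0.0/25 -j ACCEPT",
    "iptables -A FORWARD -s 10.8.1.0/25 -j ACCEPT",
]

# Constructed test traffic: (source tunnel IP, destination, description).
PACKETS = [
    ("10.8.1.130", "10.0.0.10", "limited client to the Subversion server"),
    ("10.8.1.130", "10.0.0.20", "limited client to another LAN host"),
    ("10.8.0.200", "8.8.8.8",   "limited client on the full-tunnel instance, Internet"),
    ("10.8.1.5",   "10.0.0.20", "pool client, whole LAN"),
    ("10.8.0.5",   "8.8.8.8",   "pool client on the full-tunnel instance, Internet"),
]


def parse_rule(cmd):
    """Turn 'iptables -A FORWARD [!] -s NET [!] -d NET -j TARGET' into a match dict."""
    tokens = shlex.split(cmd)
    if tokens[:3] != ["iptables", "-A", "FORWARD"]:
        raise ValueError(f"only '-A FORWARD' rules are modelled: {cmd}")
    rule = {"src": None, "src_neg": False, "dst": None, "dst_neg": False, "target": None}
    i, negate = 3, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":            # '!' negates the match option that follows it
            negate = True
            i += 1
            continue
        if tok in ("-s", "-d"):
            key = "src" if tok == "-s" else "dst"
            rule[key] = ipaddress.ip_network(tokens[i + 1], strict=False)
            rule[key + "_neg"] = negate
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
        else:
            raise ValueError(f"unsupported token {tok!r} in {cmd}")
        negate = False
        i += 2
    if rule["target"] is None:
        raise ValueError(f"rule has no target: {cmd}")
    return rule


def compile_chain(cmds):
    return [parse_rule(c) for c in cmds]


def verdict(chain, policy, src, dst):
    """First-match walk of the chain; the policy decides when no rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        # A match option is satisfied when membership differs from its negation flag.
        if r["src"] is not None and (s in r["src"]) == r["src_neg"]:
            continue
        if r["dst"] is not None and (d in r["dst"]) == r["dst_neg"]:
            continue
        return r["target"]
    return policy


def run(rules, policy):
    """Evaluate every constructed packet; returns {(src, dst): verdict}."""
    chain = compile_chain(rules)
    return {(s, d): verdict(chain, policy, s, d) for s, d, _ in PACKETS}


if __name__ == "__main__":
    for label, rules, policy in (("policy ACCEPT", RULES_ACCEPT_POLICY, "ACCEPT"),
                                 ("same rules, policy DROP", RULES_ACCEPT_POLICY, "DROP"),
                                 ("rewritten for policy DROP", RULES_DROP_POLICY, "DROP")):
        print(f"== {label}")
        results = run(rules, policy)
        for s, d, why in PACKETS:
            print(f"  {s:>11} -> {d:<10} {results[(s, d)]:<7} ({why})")
```

The second run shows what Pippin's remark means in practice: flipping the FORWARD policy to DROP without rewriting the rules cuts off the pool clients as well, because the two DROP rules never produce an ACCEPT. The third run gives the same verdicts as the original rules under ACCEPT.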