Access policies

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
sitlar
OpenVpn Newbie
Posts: 2
Joined: Wed May 08, 2019 12:20 am

Access policies

Post by sitlar » Wed May 08, 2019 1:51 am

There are "secure" and "insecure" clients in my VPN (10.8.0.0/24). Now all the clients have access to each other. To improve security I need to restrict access to all but one peer (10.8.0.6) for "insecure" clients, while the "secure" clients should retain access the entire subnet (10.8.0.0/24).

I was following the instructions in Configuring client-specific rules and access policies, but can't make it work: somehow all requests to 10.8.0.6 from 10.8.1.0/24 are timed out.

To make things worse, the access to existing client configs is very limited, and I can't change the IP address of 10.8.0.6

Server Config

port 1194
proto tcp6
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
route 10.8.1.0 255.255.255.0
client-config-dir ccd


ccd/insecure0:
Server-side client config

ifconfig-push 10.8.1.1 10.8.1.2
route 10.8.0.6 255.255.255.255
iroute 10.8.0.6 255.255.255.255


Client config

client
dev tun
proto tcp
remote ********************
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3

ca ca.crt
cert insecure0.crt
key insecure0.key

Code: Select all

/etc/openvpn# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.8.1.0/24          10.8.0.6
ACCEPT     all  --  10.8.0.6             10.8.1.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
/etc/openvpn#

sitlar
OpenVpn Newbie
Posts: 2
Joined: Wed May 08, 2019 12:20 am

Re: Access policies

Post by sitlar » Thu May 16, 2019 12:34 pm

I have some progress. It turned out, that I shouldn't have added the "route..." and "iroute..." lines in ccd/insecure0

Now I can access 10.8.0.6, however there is no access between insecure clients (no routing inside 10.8.1.0/24) even if I add forwarding policy to iptables on the OpenVPN server.

Post Reply