The client can access other clients without client-to-client config in server
Posted: Fri Apr 10, 2020 9:46 am
by lcgogo
I have not set the client-to-client option in the server conf. However, I find the client can access the other client by curling the open port.
I think if no client-to-client option is written in the server conf, the client-to-client access function is closed by default.
Re: The client can access other clients without client-to-client config in server
Posted: Fri Apr 10, 2020 5:15 pm
by Pippin
Study this diagram:
https://community.openvpn.net/openvpn/w ... acketsFlow
With the option --client-to-client, packets are not exposed to the kernel.
Therefore the firewall has no effect.
I think if no client-to-client option is written in the server conf, the client-to-client access function is closed by default.
That depends on the firewall rules.
If you want to disallow clients to "see" each other, make rules in the FORWARD chain on the tun interface.
Which rules depends on the setup.
http://ipset.netfilter.org/iptables.man.html
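A worked version of the FORWARD-chain approach described above, as an added example that is not code from the thread or from OpenVPN: it assumes the interface name tun0 and the path /etc/openvpn/server.conf as placeholders, and it checks first that client-to-client is not enabled, since in that mode inter-client packets never reach the kernel and no netfilter rule can see them.

```shell
#!/bin/sh
# Added example (not from the thread): isolate OpenVPN clients from one another
# in the kernel FORWARD chain. TUN_IF and SERVER_CONF are assumed placeholders.
set -eu

TUN_IF="${TUN_IF:-tun0}"
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"

# True when the conf has an active (uncommented) client-to-client line.
# With that option the server forwards between clients internally, so the
# FORWARD chain never sees those packets and the rule below would be useless.
conf_has_client_to_client() {
    grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "$1"
}

# Rule spec (without the chain name) that drops anything entering on the tun
# interface and leaving on the same interface, i.e. client-to-client traffic,
# including LANs routed behind clients via iroute. Client traffic to other
# interfaces (eth0, the internet, a pushed route) is not affected.
rule_spec() {
    printf '%s\n' "-i $TUN_IF -o $TUN_IF -j DROP"
}

# Insert the rule at position 1 so it precedes any broad ACCEPT such as
# "-i tun0 -j ACCEPT"; skip it if it is already present (idempotent).
apply_isolation() {
    if conf_has_client_to_client "$SERVER_CONF"; then
        echo "client-to-client is enabled in $SERVER_CONF; FORWARD rules cannot isolate clients" >&2
        return 1
    fi
    spec=$(rule_spec)
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    if ! iptables -C FORWARD $spec 2>/dev/null; then
        iptables -I FORWARD 1 $spec
    fi
    iptables -L FORWARD -v -n --line-numbers
}

# Only touch the live ruleset when explicitly asked: ./isolate.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_isolation
fi
```

Run with `apply` as root after verifying the printed chain order; the listing at the end shows the DROP rule's position and its packet counters, which should rise when one client tries to reach another.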
Re: The client can access other clients without client-to-client config in server
Posted: Mon Apr 13, 2020 6:28 am
by lcgogo
Many thanks for your clarification!
I found an example to stop the clients from seeing each other by configuring the FORWARD chain in iptables, and it works fine on my openvpn server.
https://gist.github.com/Tristor/ed0f686 ... nt-2716384
Pippin wrote: Fri Apr 10, 2020 5:15 pm
Study this diagram:
https://community.openvpn.net/openvpn/w ... acketsFlow
With the option --client-to-client, packets are not exposed to the kernel.
Therefore the firewall has no effect.
I think if no client-to-client option is written in the server conf, the client-to-client access function is closed by default.
That depends on the firewall rules.
If you want to disallow clients to "see" each other, make rules in the FORWARD chain on the tun interface.
Which rules depends on the setup.
http://ipset.netfilter.org/iptables.man.html