Restricting Internet access through VPN
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 11, 2021 11:35 pm
Restricting Internet access through VPN
Requirements:
- users should access only some IPs from the LAN, but their Internet traffic should not be redirected through VPN.
Implementation without using iptables, for future flexibility:
topology subnet
push "topology subnet"
ifconfig 10.10.0.1 255.255.255.0
push "route-gateway 10.10.0.1"
client-config-dir /etc/openvpn/server/ccd
# Making sure to comment redirect-gateway
;push "redirect-gateway def1 bypass-dhcp"
;push "redirect-gateway def1"
;push "redirect-gateway local def1"
#CCD file for USER1
# Fixed IP allocation
ifconfig-push 10.10.0.21 255.255.255.0
# Server
push "route 192.168.1.2 255.255.255.255"
# Printer
push "route 192.168.1.55 255.255.255.255"
Problem:
Everything works well on Windows computers: they can access only the pushed routes. BUT the Linux computers completely ignore these rules: they can access the entire LAN and redirect all their traffic (Internet included) through the VPN.
Does anyone know why this happens and how it could be fixed? Thank you.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Restricting Internet access through VPN
All OpenVPN provides is a VPN. Therefore, you must use iptables on the server to control access.
Think of it this way: The client can edit their config file and change anything they like ..
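The two halves of this thread, the per-client ccd files in the first post and the "enforce it with iptables on the server" point in the reply above, fit together if both are derived from one policy table. The script below is an added example for this thread, not code from the original posts or from the OpenVPN project: it prints the ccd file for a client (the advisory part: pinned tunnel IP plus pushed host routes, exactly as the first post does it) and the server-side iptables FORWARD rules that actually limit that tunnel IP to those hosts (the enforcing part). The tun device name `tun0`, the client CNs, and the `vpnpolicy.sh` file name are assumptions; the tunnel IPs, netmask, ccd directory and LAN hosts are the ones used in the thread. The policy table is a constructed sample. Nothing is applied unless you write the ccd files or pipe the rules into iptables-restore yourself.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from OpenVPN).
# One policy table drives both the ccd file a client receives and the FORWARD
# rules the server enforces, so the two cannot drift apart.
# Assumptions (not from the thread): tun device tun0, the client CNs below,
# and net.ipv4.ip_forward=1 on the server.

VPN_IF="tun0"                       # assumed tunnel device
CCD_DIR="/etc/openvpn/server/ccd"   # from the thread's client-config-dir
VPN_MASK="255.255.255.0"            # from "ifconfig 10.10.0.1 255.255.255.0"

# Policy (constructed sample): "<client CN> <tunnel IP> <LAN host>[,<LAN host>...]"
# CNs are hypothetical; tunnel IPs and LAN hosts are the ones in the thread.
POLICY="USER1 10.10.0.21 192.168.1.2,192.168.1.55
userX 10.10.0.24 192.168.1.2,192.168.1.24"

# Print the ccd file for one client ($1 = CN). OpenVPN only *pushes* these;
# a client running route-nopull or pull-filter ignores them at will, which is
# why the firewall rules below are the real access control.
ccd_file() {
    printf '%s\n' "$POLICY" | while read -r cn ip hosts; do
        [ "$cn" = "$1" ] || continue
        printf '# Fixed IP allocation (must match the firewall policy)\n'
        printf 'ifconfig-push %s %s\n' "$ip" "$VPN_MASK"
        old_ifs=$IFS; IFS=,
        for h in $hosts; do
            printf 'push "route %s 255.255.255.255"\n' "$h"
        done
        IFS=$old_ifs
    done
}

# Print iptables-restore(8) input for the filter table: each pinned tunnel IP
# may reach only its listed hosts, whatever routes the client installed.
fw_rules() {
    printf '*filter\n'
    printf ':VPN_FWD - [0:0]\n'
    # Everything arriving from the tunnel is judged by VPN_FWD.
    printf '%s\n' "-A FORWARD -i $VPN_IF -j VPN_FWD"
    # Only replies to allowed flows may go back into the tunnel.
    printf '%s\n' "-A FORWARD -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -o $VPN_IF -j DROP"
    printf '%s\n' "$POLICY" | while read -r cn ip hosts; do
        [ -n "$cn" ] || continue
        old_ifs=$IFS; IFS=,
        for h in $hosts; do
            printf '%s\n' "-A VPN_FWD -s $ip -d $h -j ACCEPT"
        done
        IFS=$old_ifs
    done
    # Rest of the LAN and the Internet: dropped in FORWARD, i.e. before any
    # MASQUERADE in nat/POSTROUTING could send it out.
    printf '%s\n' "-A VPN_FWD -j DROP"
    printf 'COMMIT\n'
}

# Usage (as root):  sh vpnpolicy.sh ccd USER1 > "$CCD_DIR/USER1"
#                   sh vpnpolicy.sh fw | iptables-restore -n
case "${1:-}" in
    ccd) ccd_file "$2" ;;
    fw)  fw_rules ;;
esac
```

Two practical notes. The rules key on the tunnel source address, so they only mean something because every client's IP is pinned with `ifconfig-push` in its ccd file; a client that could pick its own address from the pool would be judged by someone else's policy. And the LAN hosts must have a return route to 10.10.0.0/24 (or the server must MASQUERADE the VPN subnet in the nat table); either way the `VPN_FWD` DROP is evaluated first, so the Internet and the rest of the LAN stay unreachable through the tunnel regardless of what the client does with pushed routes.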
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 11, 2021 11:35 pm
Re: Restricting Internet access through VPN
TinCanTech wrote: Thu May 19, 2022 7:29 am
All OpenVPN provides is a VPN. Therefore, you must use iptables on the server to control access.
Think of it this way: The client can edit their config file and change anything they like ..

I understand the clients can do their own changes, but they must know first what changes to do (and what IPs).
Any idea why Linux completely ignored these commands and behaved so differently compared to Windows?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Restricting Internet access through VPN
You are mistaken. Linux does not ignore commands unless you tell it to do so.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 11, 2021 11:35 pm
Re: Restricting Internet access through VPN
TinCanTech wrote: Thu May 19, 2022 8:01 pm
You are mistaken. Linux does not ignore commands unless you tell it to do so.

I have tested on several computers and, for some reason, Linux ignores the rules.
Here is how I set the server:
---------START server config---------
mode server
port 1194
proto udp4
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
topology subnet
push "topology subnet"
ifconfig 10.10.0.1 255.255.255.0
push "route-gateway 10.10.0.1"
ifconfig-pool 10.10.0.2 10.10.0.20 255.255.255.0
client-config-dir /etc/openvpn/server/ccd
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "dhcp-option WINS 192.168.1.2"
crl-verify /etc/openvpn/server/crl.pem
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
tls-server
tls-auth /etc/openvpn/server/ta.key 0
tls-version-min 1.2
comp-lzo
keepalive 15 120
user nobody
group nogroup
persist-key
persist-tun
verb 5
---------END server config---------
with CCD for userX as:
# Fixed IP allocation
ifconfig-push 10.10.0.24 255.255.255.0
# Server
push "route 192.168.1.2 255.255.255.255"
# Remote PC
push "route 192.168.1.24 255.255.255.255"
and here is the client
---------START client config---------
client
dev tun
remote ********* 1194 udp
float
nobind
ca ca.crt
cert userX.crt
key userX.key
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
tls-client
tls-auth ta.key 1
key-direction 1
tls-version-min 1.2
comp-lzo
resolv-retry infinite
keepalive 15 120
persist-key
persist-tun
mute-replay-warnings
verb 4
mute 20
---------END client config---------
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Restricting Internet access through VPN
Linux does not ignore openvpn directives, unless you configure it to do so..
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 11, 2021 11:35 pm
Re: Restricting Internet access through VPN
TinCanTech wrote: Fri May 20, 2022 6:07 am
Linux does not ignore openvpn directives, unless you configure it to do so..

Thank you for replying, but I'm afraid you brought nothing useful to this discussion. You must already be aware of the many bugs you can find on Linux too. I included the configs for both the server and the client: you can read them, if you haven't done so yet.
To keep it simple: if someone asks a question and you know the answer and/or you are willing to help, you take action. If you don't know OR you can't add anything useful to that conversation, you just shut up.
I'll look for an answer on other forums.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Restricting Internet access through VPN
What no Log files ..
Ciao