OpenVPN, redirect a specific user to another interface

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

sterua32
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 28, 2022 9:39 am

OpenVPN, redirect a specific user to another interface

Post by sterua32 » Fri Oct 28, 2022 9:49 am

Hello all.
I currently have an OpenVPN server that was configured by another sysadmin who is gone, and so I am seeking some information here.
Currently, on the server, we have a network card (i.e. 192.168.0.1/24) and a tun card (10.10.10.0/24). All clients that connect to the server get an IP address 10.10.10.XXX, and all traffic is redirected to 192.168.0.1.
I have found how to fix the IP address 10.10.10.XXX for a specific client (with the folder /etc/openvpn/ccd and the file user.specific@mydomain.com) where I put, for example, the IP 10.10.10.125.
I would like to know if I can make a setup where, for this specific client, the traffic is redirected to a new network card (172.16.0.1) and all others continue passing by 192.168.0.1.
For example, like this, it will permit me to have access to all my servers from the VPN (by allowing the IP 172.16.0.1 on our firewall), and the other clients (that are not from the IT department) will not have full access to all servers....
I don't know if what I'm saying is very clear... So excuse me.
Thanks in advance for your future answers and help.
Have a nice day!

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN, redirect a specific user to another interface

Post by Pippin » Fri Oct 28, 2022 2:59 pm

Hi,

It reads like it is clear.

Each client needs a unique CommonName in its certificate.
Based on each client's CommonName you assign a static tunnel IP (through ccd files).
^^ If I understand correctly you have the above already? ^^
The static tunnel IP can then be used in firewall rules to allow/deny access to resources.


The 172.16.0.1 network.
To the server config file add

    route 172.16.0.1 255.255.255.0

Restart server.
In your ccd file add

    push "route 172.16.0.1 255.255.255.0"

Another way is to configure a second OpenVPN instance to which only you have access.
In that case you need to allow a second port, or second protocol on the same port, into the network.
And then it's basically the same as above, with the difference that you allow/deny access to resources using the tunnel subnet in firewall rules.

This diagram might be helpful to you:
https://community.openvpn.net/openvpn/w ... acketsFlow
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
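The approach from the reply above, carried through as an added shell example that is not code from the thread or from the OpenVPN project: it pins the IT client's tunnel IP in its ccd file, pushes the 172.16.0.0/24 route only to that client, and enforces the split with firewall rules keyed on the pinned IP, since a pushed route is only a hint to the client's routing table. Assumptions: topology subnet, the tun device is tun0, iptables is the firewall, and the restricted network is written as 172.16.0.0/24 (the NIC address in the thread is 172.16.0.1).

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and the CN are the ones quoted
# in the thread; topology subnet, tun0 and iptables are assumptions.
set -eu
OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"     # override with a temp dir for a dry run
IPTABLES="${IPTABLES:-iptables}"         # override with 'echo' for a dry run
IT_CN="user.specific@mydomain.com"       # CommonName in the IT client's certificate
IT_IP="10.10.10.125"                     # static tunnel IP pinned for that client
TUN_NET="10.10.10.0/24"                  # tunnel subnet
LAN_NET="192.168.0.0/24"                 # what every client may reach
IT_NET="172.16.0.0/24"                   # what only the IT client may reach

# Per-client file named after the CN. ifconfig-push pins the tunnel IP so the
# firewall rule keyed on it stays valid across reconnects; push "route" tells only
# this client's routing table about 172.16.0.0/24. Prints the file path.
write_ccd() {
    mkdir -p "$OVPN_DIR/ccd"
    printf 'ifconfig-push %s 255.255.255.0\npush "route 172.16.0.0 255.255.255.0"\n' \
        "$IT_IP" > "$OVPN_DIR/ccd/$IT_CN"
    echo "$OVPN_DIR/ccd/$IT_CN"
}

# ccd files are only read when the server config enables them. The server itself
# needs no OpenVPN 'route' line for a network on its own NIC: the kernel's
# connected route already covers it.
ccd_enabled() {
    grep -q '^client-config-dir' "$OVPN_DIR/server.conf"
}

# Enforcement lives here, not in the pushed route: any client could add the route
# by hand, but only the pinned IT tunnel IP is forwarded to 172.16.0.0/24. OpenVPN
# drops packets from a client whose source IP is not the one it assigned, so the
# source match is trustworthy. Rule order matters: the specific ACCEPT precedes
# the subnet-wide DROP.
fw_rules() {
    "$IPTABLES" -A FORWARD -i tun0 -s "$IT_IP"   -d "$IT_NET"  -j ACCEPT
    "$IPTABLES" -A FORWARD -i tun0 -s "$TUN_NET" -d "$IT_NET"  -j DROP
    "$IPTABLES" -A FORWARD -i tun0 -s "$TUN_NET" -d "$LAN_NET" -j ACCEPT
}
```

Run with `OVPN_DIR=/tmp/ovpn IPTABLES=echo` first to inspect the generated ccd file and the rules before applying them on the server.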
