
Client specific access rules

Posted: Tue Jun 16, 2009 5:45 pm
by george
I am trying to set up access rules that are specific to client certificate names. I want to restrict traffic for some VPN users so that they can only get to one server on our 192.168.1.0/24 subnet.

I have been trying the howto here:
http://openvpn.net/index.php/open-sourc ... tml#policy

But no luck. Here's the server config:

local 192.168.1.140
port 1194
proto udp
dev tun0 #static device name, so the iptables rules can match on -i tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 #default pool for clients that have no ccd entry
ifconfig-pool-persist ipp.txt
ifconfig 10.8.0.1 10.8.0.2 #server tun0 ip (the server directive above already sets this)
push "route 192.168.1.12 255.255.255.255"
push "route 192.168.40.5 255.255.255.255"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
push "route 192.168.40.0 255.255.255.0"
push "dhcp-option DNS 192.168.40.5"
keepalive 10 120
comp-lzo
daemon
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log 5
status-version 2
log-append /etc/openvpn/openvpn.log
verb 4
management localhost 7505

#kernel routes via tun0 for the per-client pools handed out with ifconfig-push in ccd
route 10.8.1.0 255.255.255.0
route 10.8.2.0 255.255.255.0

#per-client options, looked up by the common name of the client certificate
client-config-dir ccd


An example file from ccd:

ifconfig-push 10.8.2.1 10.8.2.2 #fixed address in the 10.8.2.0/24 pool that the iptables -s rules match
iroute 192.168.1.12 255.255.255.255 #Destination server (iroute only tells OpenVPN this host is reachable behind the client; the restriction itself comes from iptables)
iroute 192.168.40.5 255.255.255.255 #DNS Server

iptables commands:

#allow the restricted pool to reach only these two hosts; iptables stops at the first matching rule, so these must come before any DROP in FORWARD
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 192.168.1.12 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 192.168.40.5 -j ACCEPT

The client connection still allows traffic to all subnets with the server configured like this.

Thanks for your consideration.

Re: Client specific access rules

Posted: Mon Jun 22, 2009 2:31 pm
by george
Never mind, I got the access rules working. It was caused by my iptables setup, I needed all my allow statements before any drop or deny statements.
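The rule ordering george describes, written out as a complete FORWARD policy for the restricted pool, as an added example (not code from the original posts or from the OpenVPN project). It assumes the restricted clients receive addresses from 10.8.2.0/24 via ccd ifconfig-push, that the tunnel device and the two permitted hosts are the ones in the posted config, and that the LAN side is routed by the kernel; the chain name VPN_FWD and the IPT dry-run variable are my own choices. By default the script only prints the iptables commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: per-client-pool forwarding policy for an OpenVPN server.
# Assumptions (not from the original post): restricted clients get 10.8.2.x
# via ccd ifconfig-push, the tunnel is tun0, and only 192.168.1.12 and
# 192.168.40.5 may be reached. IPT defaults to a dry run that prints the
# commands; set IPT=iptables (as root) to install them for real.
IPT="${IPT:-echo iptables}"

TUN=tun0
RESTRICTED=10.8.2.0/24
ALLOWED="192.168.1.12 192.168.40.5"

vpn_forward_rules() {
    # A dedicated chain keeps the VPN policy separate from the rest of FORWARD
    # (creation fails harmlessly if the chain already exists; it is then flushed).
    $IPT -N VPN_FWD 2>/dev/null || true
    $IPT -F VPN_FWD

    # Return traffic first, so replies to allowed flows are never blocked.
    $IPT -A VPN_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Every ACCEPT for the restricted pool is appended before its DROP,
    # because iptables stops at the first rule that matches a packet.
    for host in $ALLOWED; do
        $IPT -A VPN_FWD -i "$TUN" -s "$RESTRICTED" -d "$host" -j ACCEPT
    done

    # Log and drop everything else from the restricted pool; clients in other
    # pools (10.8.0.x, 10.8.1.x) fall through to the rest of FORWARD untouched.
    $IPT -A VPN_FWD -i "$TUN" -s "$RESTRICTED" -j LOG --log-prefix "vpn-denied: "
    $IPT -A VPN_FWD -i "$TUN" -s "$RESTRICTED" -j DROP

    # Hook the chain in at the top of FORWARD so that an earlier catch-all
    # ACCEPT or DROP cannot shadow it.
    $IPT -I FORWARD 1 -i "$TUN" -j VPN_FWD
}

vpn_forward_rules
```

Because the LOG and DROP rules match only on the source pool, a client that keeps its pushed 10.8.0.x address is unaffected; the restriction binds to the address assigned through the ccd file, which is why the ifconfig-push there has to stay in place.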

Re: Client specific access rules

Posted: Tue Jul 07, 2009 1:04 am
by Douglas
Congrats on getting it fixed.

What OS was the server running?

Re: Client specific access rules

Posted: Tue Jul 07, 2009 12:16 pm
by george
OpenSUSE 11.1