
How to allow only 1 client to "see" all others

Posted: Fri May 13, 2011 6:44 am
by dboss
Hi,

I've recently installed an OpenVPN server, with the below configuration.

port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.10.0 255.255.255.0"
push "route 10.9.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
client-config-dir ccd
route 10.9.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

The regular clients receive their IP from this subnet: 10.8.0.0/24
and the "Admin" client gets his IP from his file in /etc/openvpn/ccd (it's in the 10.9.0.0/24 subnet).

I'd like to allow only the "admin" client to be able to communicate with all the other clients (i.e. ping, ssh, rdp and so on...),
while not allowing the "regular" clients to communicate with each other (like the default conf).

Anyway, I've tried to play with iptables to achieve that, but I can't get it right.

please help :)
many thanks in advance.

Re: How to allow only 1 client to "see" all others

Posted: Fri May 13, 2011 10:26 am
by maikcat
hi there,

AFAIK when client-to-client is enabled the traffic between
clients can't be handled with iptables....

i am not sure that you can accomplish this.

Michael.

Re: How to allow only 1 client to "see" all others

Posted: Fri May 13, 2011 10:42 am
by dboss
well that's the point.
i don't want to use "client-to-client" because it makes all clients see all the others.
Any other ideas? (And thanks for your reply anyway, of course; any help is appreciated.)

Re: How to allow only 1 client to "see" all others

Posted: Fri May 13, 2011 10:43 am
by janjust
if 'client-to-client' is enabled you bypass all iptables rules, so this you don't want.
When assigning an IP from a different block than the 'server' block to a client you need to make sure that routing still works. I don't recommend using

server 10.8.0.0 255.255.255.0
and an admin range of 10.9.0.X but I'd use

server 10.0.8.0 255.255.254.0
and an admin range of 10.0.9.X

first make sure all clients can see each other, including the admin client.
Then enable forwarding on the server and set up iptables rules to block connections between VPN clients except for the admin client. This is, BTW, explained in my book ;)