Server conf
server-bridge 172.20.20.10 255.255.255.0 172.20.20.100 172.20.20.150
verb 3
key /etc/openvpn/pki/private/xxxx.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/xxxx.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
port 1194
dev tap0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no
### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DOMAIN xxx.ltd"
push "dhcp-option DNS 172.20.20.4"
push "comp-lzo no"
### Extra Configurations Below
client-to-client
topology subnet
As you can see, we are not using the redirect-gateway option, so clients are not pushed the gateway route. Anyway, this can easily be bypassed by client configuration. How can we use iptables to allow VPN clients to communicate only with local LAN devices (in the 172.20.20.x network)?
I suppose we have to change our iptables rules, which currently are as follows:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
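One way to confine the bridged clients to the 172.20.20.0/24 LAN with iptables, as an added example that is not part of the original post. It assumes tap0 is enslaved to br0 as in the config above and that br_netfilter is loaded with bridge-nf-call-iptables=1, since otherwise frames switched by br0 never pass through FORWARD; the physdev match is used because bridged traffic reaches FORWARD with br0, not tap0, as its in-interface, so the existing "-i tap0" style rules would not match it.

```shell
#!/bin/sh
# Added example (not from the original post): confine bridged OpenVPN clients
# on tap0 to the 172.20.20.0/24 LAN. Assumptions: tap0 is enslaved to br0 as in
# the post, and br_netfilter is loaded with bridge-nf-call-iptables=1, so that
# frames switched by br0 pass through the FORWARD chain. Without that, no
# iptables rule on this host sees client-to-LAN or client-to-Internet traffic.
VPN_IF="tap0"
LAN_NET="172.20.20.0/24"

# Is bridged traffic being handed to iptables at all? (anything but 1 = not filterable)
bridge_nf_enabled() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}

# Emit the rules as text so they can be reviewed before anything is applied.
# --physdev-in is used because bridged frames reach FORWARD with br0, not tap0,
# as their in-interface, so "-i tap0" would never match them. The chain is
# inserted at position 1 so it runs before the existing "-i br0 -j ACCEPT".
vpn_lan_rules() {
    cat <<EOF
iptables -N VPN_LAN_ONLY 2>/dev/null || true
iptables -F VPN_LAN_ONLY
iptables -A VPN_LAN_ONLY -m physdev --physdev-in ${VPN_IF} -d ${LAN_NET} -j ACCEPT
iptables -A VPN_LAN_ONLY -m physdev --physdev-in ${VPN_IF} -m limit --limit 5/min -j LOG --log-prefix "VPN-LAN-DROP: "
iptables -A VPN_LAN_ONLY -m physdev --physdev-in ${VPN_IF} -j DROP
iptables -I FORWARD 1 -m physdev --physdev-in ${VPN_IF} -j VPN_LAN_ONLY
EOF
}

# Default: print the rules for review. With --apply, verify the bridge
# netfilter hook first and only then execute them.
if [ "${1:-}" = "--apply" ]; then
    if ! bridge_nf_enabled; then
        echo "bridge-nf-call-iptables is not 1; bridged traffic bypasses FORWARD" >&2
        exit 1
    fi
    vpn_lan_rules | sh -e
else
    vpn_lan_rules
fi
```

Only IP traffic is covered: ARP and other non-IP frames still cross the bridge and would need ebtables if they must be restricted as well.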