
Specific rules and access policies for subnets

Posted: Thu Feb 04, 2021 11:04 am
by paulb
Hi,

I have a VPN network 10.8.0.0 255.255.248.0. It has 8 subnets: from 10.8.0.0 to 10.8.7.0.
For now, every client from any of these subnets can reach any client from any other subnet. I would like only clients from 10.8.1.0 to be able to reach the clients from the other subnets.

I read the documentation and I understand the solution is to disable client-to-client and add rules in iptables.

Example:
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.8.3.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -s 10.8.3.0/24 -d 10.8.1.0/24 -j DROP

I have a few questions.

Will this solution work, or does it need something in addition?
Would it be better to choose 10.8.0.0 as my "privileged" subnet, considering that the server is 10.8.0.1?

Regards,
Paul
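Added example (not from the thread, not from the OpenVPN project): a small POSIX sh script that generates the FORWARD rules for the policy asked about above, "only 10.8.1.0/24 may initiate connections to the other VPN subnets", and applies them. It assumes the values from the question (tun0, pool 10.8.0.0/21, privileged subnet 10.8.1.0/24) and that client-to-client is disabled in server.conf, since with client-to-client enabled OpenVPN switches inter-client packets in user space and the kernel FORWARD chain never sees them. Compared with the two rules in the question it adds a conntrack rule, because a plain "DROP 10.8.3.0/24 -> 10.8.1.0/24" would also drop the reply packets of connections that 10.8.1.0/24 opened, and a logging rule so blocked cross-subnet attempts are visible.

```shell
#!/bin/sh
# Added example: generate and apply iptables FORWARD rules that isolate OpenVPN
# subnets, letting only the privileged subnet initiate connections.
# Assumptions (taken from the question): tun0, 10.8.0.0/21, privileged 10.8.1.0/24.
# Requires "client-to-client" to be absent from server.conf.

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/21}"
PRIV_NET="${PRIV_NET:-10.8.1.0/24}"

# Print the rules instead of executing them, so the policy can be reviewed
# before it touches the kernel. Order matters: iptables evaluates top-down.
build_rules() {
    # 1. Replies to already-accepted connections must pass; without this rule
    #    a DROP on "3.0/24 -> 1.0/24" also kills return traffic of sessions
    #    that 1.0/24 opened.
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. The privileged subnet may initiate connections to any VPN client.
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $PRIV_NET -d $VPN_NET -j ACCEPT"
    # 3. Every other client-to-client packet is logged (rate-limited) and dropped.
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $VPN_NET -d $VPN_NET -m limit --limit 5/min -j LOG --log-prefix \"vpn-isolation: \""
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $VPN_NET -d $VPN_NET -j DROP"
}

# Number of rules the policy produces (handy for a sanity check).
count_rules() {
    build_rules | wc -l | tr -d ' '
}

# Execute the generated rules (needs root); "sh -e" stops at the first failure.
apply_rules() {
    build_rules | sh -e
}

# Usage: review with "./vpn-acl.sh show", then install with "sudo ./vpn-acl.sh apply".
case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

Two points worth keeping in mind when adapting this: the FORWARD chain only sees packets the server routes between clients, so traffic to the server itself (10.8.0.1) goes through INPUT/OUTPUT and is unaffected by these rules; and rule 1 relies on the conntrack module, which is present on any current distribution kernel but must not be blocked by an earlier DROP rule in the same chain.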

Re: Specific rules and access policies for subnets

Posted: Thu Feb 04, 2021 2:11 pm
by Pippin
To get an idea:
https://community.openvpn.net/openvpn/w ... acketsFlow

This also applies:
https://community.openvpn.net/openvpn/w ... gConflicts

And:
https://backreference.org/2010/05/02/co ... n-openvpn/

So yes, it comes down to the firewall rules.
Rules can be automated by, for example, a --learn-address / --client-connect script.
A bit older example, but useful to get an idea:
https://encodo.com/latest/developer-blo ... r-openvpn/

Another possibility is multiple instances of OpenVPN, one for each group.
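As an added illustration of the --learn-address automation mentioned in the reply above (example code, not from the thread or the OpenVPN project): OpenVPN runs the configured learn-address script as "script <add|update|delete> <address> [common_name]" whenever a client address is assigned, changed or released. The script below turns each event into per-client rules in a dedicated chain, granting forwarding rights by certificate common name rather than by subnet. The chain name VPN_ACL and the membership file /etc/openvpn/privileged-cns are assumptions for this example; the FORWARD chain needs a "-j VPN_ACL" jump plus the usual ESTABLISHED,RELATED and final DROP rules, and server.conf needs "script-security 2" and "learn-address /etc/openvpn/learn-address.sh".

```shell
#!/bin/sh
# Added example: OpenVPN --learn-address hook that maintains per-client
# FORWARD rules in a dedicated chain. Invoked by OpenVPN as
#   learn-address.sh <add|update|delete> <address> [common_name]
# Assumed (hypothetical) names: chain VPN_ACL, file /etc/openvpn/privileged-cns
# with one common name per line.

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/21}"
CHAIN="${CHAIN:-VPN_ACL}"
MEMBERS="${MEMBERS:-/etc/openvpn/privileged-cns}"

# Is the common name in $1 listed in the membership file? Exact whole-line,
# fixed-string match so "alice" does not also match "alice-laptop".
is_privileged() {
    [ -r "$MEMBERS" ] && grep -qxF -- "$1" "$MEMBERS"
}

# Print the iptables commands for one learn-address event; nothing is executed
# here, which keeps the decision logic testable without root.
rules_for() {
    op=$1; addr=$2; cn=$3
    rule="$CHAIN -i $VPN_IF -o $VPN_IF -s $addr -d $VPN_NET -j ACCEPT"
    case "$op" in
        add|update)
            # Remove any earlier rule for this address first, so an "update"
            # (address handed to a different client) never keeps stale rights.
            echo "iptables -D $rule 2>/dev/null"
            if is_privileged "$cn"; then
                echo "iptables -I $rule"
            fi
            ;;
        delete)
            echo "iptables -D $rule 2>/dev/null"
            ;;
        *)
            echo "learn-address: unknown operation '$op'" >&2
            return 1
            ;;
    esac
}

# When run by OpenVPN, apply the rules. A non-zero exit would make OpenVPN
# reject the address, so failures of the best-effort "-D" are ignored by sh.
if [ $# -ge 2 ]; then
    rules_for "$@" | sh
fi
```

The default path for an unlisted client is "no rule at all", so a client whose common name is not in the file falls through to the FORWARD chain's final DROP; a typo in the membership file therefore fails closed rather than open.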

Re: Specific rules and access policies for subnets

Posted: Tue Feb 16, 2021 2:44 pm
by paulb
Hi Pippin,

Thanks for the links. I found them very useful.

The information from https://backreference.org/2010/05/02/co ... n-openvpn/ helped me to create the rules that I need for my server.

Best regards