Score:0

OpenVPN: Only Allow Access Specific Client Network


OpenVPN: Limiting Client Access to Specific Destination Clients. I have two OpenVPN clients (ovpn_dest1, ovpn_dest2) which run continuously and each have a private network (10.60.10.0/24 & 10.60.20.0/24) which I want to access from two Windows OpenVPN clients.

The Windows OpenVPN clients (ovpn_user1, ovpn_user2), however, should only be able to access their respective networks (either 10.60.10.0/24 or 10.60.20.0/24).

That is, ovpn_user1 should only be able to access ovpn_dest1 (10.60.10.0/24) and ovpn_user2 should only be able to access ovpn_dest2 (10.60.20.0/24).

The current setup uses the client-to-client directive in the host OpenVPN server.conf file, which is needed to allow the Windows clients to talk to the ovpn_dest1/2 and their network devices (device1_1/device1_2/etc).

Unfortunately, this client-to-client directive means that a Windows client can also access all ovpn_dest1/2 clients, which is not wanted from a security point of view.

Network and IP designations:

```
ovpn_dest1 - 10.60.10.2
  device1_1  - 10.60.10.3
  device1_2  - 10.60.10.4
ovpn_dest2 - 10.60.20.2
  device2_1  - 10.60.20.3

ovpn_user1 - 10.60.10.0/24
ovpn_user2 - 10.60.20.0/24
```

`/etc/openvpn/server/server.conf`:

```
local 188.166.226.159
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 67.207.67.3"
push "dhcp-option DNS 67.207.67.2"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
log-append /var/log/openvpn.log

client-to-client
client-config-dir ccd
```

`/etc/openvpn/server/ccd/ovpn_dest1`:

```
route 10.60.10.0 255.255.255.0
iroute 10.60.10.0 255.255.255.0
push "route 10.60.10.0 255.255.255.0"
```

`/etc/openvpn/server/ccd/ovpn_dest2`:

```
route 10.60.20.0 255.255.255.0
iroute 10.60.20.0 255.255.255.0
push "route 10.60.20.0 255.255.255.0"
```

I can also connect to all of the following devices from any Windows OpenVPN client (ovpn_user1/ovpn_user2):

```
http://10.8.0.2/   (ovpn_dest1)
http://10.8.0.3/   (ovpn_dest2)
http://10.60.10.2/ (ovpn_dest1)
http://10.60.20.2/ (ovpn_dest2)
10.60.10.3 (device1_1)
```

However, I want to limit the access for Windows clients such that a given client can only access its specific ovpn_destN network.

I have tried using iptables; however, I am no expert in this, and it seems the client-to-client directive in the server.conf file effectively overrides anything attempted in iptables to block a route between a source and destination (the directive means "client to client networking will be done inside OpenVPN without reaching host layer"). It seems I might have to remove "client-to-client" from the server.conf to limit connections, but I have been unable to establish communications when this line is removed.

I have considered using multiple OpenVPN instances (one for each set of ovpn_destN, ovpn_userN); however, with many dozens of instances this may not be ideal, although multiple networks will likely not be accessed concurrently very often.

What (and how) is the best way of limiting a Windows client to a specific destination network?

How do the clients get their IP addresses?

@TeroKilkanen Sorry, not quite sure what you mean by that. I have an ipp.txt file which is automatically populated when new clients join, but this isn't really relevant I assume.
Score:0

Since your configuration contains `push "redirect-gateway def1 bypass-dhcp"`, it means that OpenVPN clients will set their default gateway to the address of the OpenVPN server.

This means that all client traffic is forwarded to the OpenVPN server. Therefore the ccd configurations are meaningless, because those routes are covered by the default route.

First, make sure that your clients are assigned static IP addresses. Add the following line to the ovpn_dest1 file in the server ccd directory for the client:

```
ifconfig-push 10.8.0.2 255.255.255.0
```

And respectively to ovpn_dest2:

```
ifconfig-push 10.8.0.3 255.255.255.0
```

Then configure the firewall on the OpenVPN server as follows:

```
iptables -I FORWARD -s 10.8.0.2 -d 10.60.20.2 -j DROP
iptables -I FORWARD -s 10.8.0.3 -d 10.60.10.2 -j DROP
```

The first one blocks traffic from client 1 to destination 2 and the second one from client 2 to destination 1.
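Added example, not part of the question or of the answer above: the per-client isolation the question asks for, expressed as an allow-list for the server's FORWARD chain. It builds the rules from a small policy table (Windows client, the site it may reach, that site's LAN), renders them as iptables commands, and checks them with a first-match evaluator against the destinations the question lists as currently reachable. It assumes the Windows clients also get fixed tunnel addresses via `ifconfig-push` (10.8.0.10 and 10.8.0.11 are constructed here, the page does not give them), that `client-to-client` is removed from server.conf so that client traffic actually traverses the kernel, and that `net.ipv4.ip_forward=1`. The site-side tunnel addresses 10.8.0.2/10.8.0.3 are the ones from the answer's `ifconfig-push` lines.

```python
#!/usr/bin/env python3
"""Allow-list for tun-to-tun forwarding on the OpenVPN server, plus a small
first-match evaluator that mimics how the FORWARD chain is walked.

Assumptions (not given on the page): the Windows clients have fixed tunnel
addresses (10.8.0.10 / 10.8.0.11 are constructed), `client-to-client` is
removed from server.conf, and IP forwarding is enabled in the kernel.
"""
import ipaddress
from typing import Dict, List, Tuple

TUN = "tun0"  # the server's `dev tun0`

# Tunnel addresses of the site-side clients, from the answer's ifconfig-push lines.
DEST_TUN: Dict[str, str] = {"ovpn_dest1": "10.8.0.2", "ovpn_dest2": "10.8.0.3"}

# Policy table: Windows client -> (its own tunnel address, the site it may reach, that site's LAN).
# The Windows clients' tunnel addresses are constructed for this example.
POLICY: Dict[str, Tuple[str, str, str]] = {
    "ovpn_user1": ("10.8.0.10", "ovpn_dest1", "10.60.10.0/24"),
    "ovpn_user2": ("10.8.0.11", "ovpn_dest2", "10.60.20.0/24"),
}

# A rule is (source CIDR, destination CIDR, target). Order matters: first match wins,
# exactly as iptables walks a chain.
Rule = Tuple[str, str, str]


def allow_list_rules() -> List[Rule]:
    """ACCEPT each client to its own site (the site's tunnel address and its LAN); nothing else."""
    rules: List[Rule] = []
    for tun_ip, dest, lan in POLICY.values():
        rules.append((f"{tun_ip}/32", f"{DEST_TUN[dest]}/32", "ACCEPT"))
        rules.append((f"{tun_ip}/32", lan, "ACCEPT"))
    return rules


def render_iptables(rules: List[Rule], default: str = "DROP") -> List[str]:
    """Turn the rule list into iptables commands for tun-to-tun forwarding.
    Only traffic that traverses the kernel is affected, which is why `client-to-client`
    (forwarding inside the OpenVPN process) has to be removed for these rules to matter."""
    lines = [
        f"iptables -P FORWARD {default}",
        # Replies to connections a client was allowed to open.
        f"iptables -A FORWARD -i {TUN} -o {TUN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, target in rules:
        lines.append(
            f"iptables -A FORWARD -i {TUN} -o {TUN} -s {src} -d {dst} "
            f"-m conntrack --ctstate NEW -j {target}"
        )
    return lines


def evaluate(rules: List[Rule], default: str, src: str, dst: str) -> str:
    """First-match verdict for a new connection from src to dst.
    Connection state and interfaces are not modelled; only the address matches are."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, target in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return target
    return default


# The destinations the question lists as reachable today from either Windows client.
QUESTION_TARGETS = ["10.8.0.2", "10.8.0.3", "10.60.10.2", "10.60.20.2", "10.60.10.3"]


def reachable(rules: List[Rule], default: str) -> Dict[str, List[str]]:
    """For each Windows client, the listed destinations it could still open a connection to."""
    return {
        name: [d for d in QUESTION_TARGETS if evaluate(rules, default, tun_ip, d) == "ACCEPT"]
        for name, (tun_ip, _, _) in POLICY.items()
    }


# The two DROP rules from the answer, as written, on a chain whose policy stays ACCEPT.
ANSWER_RULES: List[Rule] = [
    ("10.8.0.2/32", "10.60.20.2/32", "DROP"),
    ("10.8.0.3/32", "10.60.10.2/32", "DROP"),
]

if __name__ == "__main__":
    print("\n".join(render_iptables(allow_list_rules())))
    print("allow-list:", reachable(allow_list_rules(), "DROP"))
    print("answer's two rules:", reachable(ANSWER_RULES, "ACCEPT"))
```

With the allow-list, ovpn_user1 can still reach 10.8.0.2, 10.60.10.2 and 10.60.10.3 and nothing else on the list, and ovpn_user2 only 10.8.0.3 and 10.60.20.2. The evaluator also runs any other rule set against the same flows, which is the check worth doing before deploying: with the Windows clients' own (assumed) tunnel addresses as the source, the answer's two DROP rules match none of the listed flows, so `reachable(ANSWER_RULES, "ACCEPT")` returns every destination for both users. Two caveats: the evaluator ignores connection state and interfaces, and because the chain policy is DROP and only tun0-to-tun0 traffic is accepted, any internet forwarding that the `redirect-gateway` push would send through the server needs its own rule (and NAT) if that push is kept.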

Sorry for my confusion, but are you saying to add `ifconfig-push 10.8.0.2 255.255.255.0` to the client's .ovpn configuration file or to the server's server.conf file? Also, should the "client-to-client" line be removed from the server.conf file then, as this will otherwise likely make the iptables rules have no effect?

Just to clarify, ovpn_user1 and ovpn_user2 are the Windows users which should have access to the networks 10.60.10.0/24 and 10.60.20.0/24 respectively.

These lines should be added on the server side to the files in the `ccd` directory, so they are client-specific configurations.

Should the `push "redirect-gateway def1 bypass-dhcp"` and `client-to-client` directives remain, or should they both be removed?

The default gateway push should be removed at least.