Score:0

How to block internet access for OpenVPN clients and restrict traffic to VPN network? (Installed with openvpn-install)

me flag

I setup an OpenVPN server using openvpn-install. I would like clients to be able to connect to the VPN server, but any traffic aimed towards the internet instead of the VPNs local network should be blocked.

I have seen many solutions proposing adding push commands to server.conf requesting that clients use their own network for internet traffic by default, however these requests can be ignored by clients - this is not something I want.

I only want VPN clients to be able to access the local VPN network (at 10.8.0.0/24), all other traffic should be rejected by the VPN server and clients should user their own networks for it.

How can I forcibly block internet traffic from VPN clients?

Score:0
me flag

This can be achieved through the use of iptables, by blocking traffic headed from the OpenVPN network interface to the network interface with internet access.

openvpn-install creates a few iptables configuration files that manage the rules for you.

The following instructions assume that:

  • tun0 is the network interface of OpenVPN
  • eth0 is the network interface with internet access

Cleaning Initial Rules

First, we need to disable the current rules loaded by openvpn-install by running the following command:

systemctl stop iptables-openvpn

Configuration Files

Note: using DROP instead of REJECT is also valid, it just doesn't return an error to the VPN client. See the iptables man page for more info.

add-openvpn-rules.sh

In /etc/iptables/add-openvpn-rules.sh, change the line from:

iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT

to:

iptables -I FORWARD 1 -i tun0 -o eth0 -j REJECT

rm-openvpn-rules.sh

In /etc/iptables/rm-openvpn-rules.sh, change the line from:

iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT

to:

iptables -D FORWARD -i tun0 -o eth0 -j REJECT

Applying The Changes

Run the following command and your changes should be saved and in effect:

systemctl start iptables-openvpn

Split Tunneling

Pushing routes to the VPN clients can then be used to request they send internet traffic through their own network. Here are the lines I added to my OpenVPN server.conf file to achieve this (my VPN network is at 10.8.0.0/24):

push "route 10.8.0.0 255.255.255.0 vpn_gateway"
push "route 0.0.0.0 0.0.0.0 net_gateway"
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.