Score:1

OpenVPN Server Windows need to prevent client from using default gateway on server


I'm running an OpenVPN server on Windows. I have multiple clients in the 10.24.1.0/254 range. I host a TCP service on port 80 on the server that I want the clients to connect to. I don't want clients to be able to edit their ovpn, add --redirect-gateway, and push all their traffic through the OpenVPN server's gateway.

Currently Avast premium antivirus firewall is the only firewall option. The server IP is 10.0.250 on its local LAN and the server's default gateway is 10.0.0.1. It hosts 10.24.1.0 to clients through OpenVPN so that clients can connect to port 80 "10.24.1.1:80".

The question is, how can I prevent clients from pushing all their traffic through the server by adding --redirect-gateway to their ovpn profile? I want to restrict access to only the service listening on port 80 on the server.

Score:0

You can't. But you can set up a firewall on the server so it won't forward traffic from VPN clients. That way, even if they set up redirect-gateway, they simply lose any access to the Internet, instead of going through your server.

If you only use it for HTTP access, consider setting up HTTPS properly with client certificate authentication instead of using VPN. The security level is the same (because exactly the same PKI machinery is used for authentication and control), but it is much more convenient to use. At the same time, you'll alleviate the security hole which VPN could open for you.

notsolowki
Without turning this into too much of an Avast question, in the VPN server scenario what should I be looking to do in my firewall? My server's local subnet is 255.0.0.0, gw 10.0.0.1. I'm trying to understand what subnet to block from what/where. I'm not an expert lol
Nikita Kipriyanov
Just disable any *forwarding* for IP packets with source address in `10.24.1.0/24`, that's your client subnet. Only permit them to access the server (input path). I don't know the details of your firewall.
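
An added example, not part of the thread: one way to apply the answer's advice (no forwarding, input path limited to port 80) with built-in Windows cmdlets from an elevated PowerShell prompt. It assumes Windows Firewall is available rather than the Avast firewall the question mentions; the addresses come from the thread and the rule name is a placeholder.

```powershell
# Values taken from the thread; the rule name below is a constructed placeholder.
$VpnSubnet = '10.24.1.0/24'   # client subnet named in the comment above
$VpnServer = '10.24.1.1'      # server's VPN-side address from the question
$Port      = 80

# 1. Global routing switch: 0 means Windows does not route between interfaces.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) {
    Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Value 0   # applies after reboot
    Write-Warning 'IPEnableRouter was 1; set to 0. Reboot to apply.'
}

# 2. Per-interface forwarding: turn it off wherever it is enabled
#    (this covers both the TAP/VPN adapter and the LAN adapter).
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object Forwarding -eq 'Enabled' |
    Set-NetIPInterface -Forwarding Disabled

# 3. Services that turn routing/NAT back on: Internet Connection Sharing
#    (SharedAccess) and Routing and Remote Access (RemoteAccess). Report only.
Get-Service -Name SharedAccess, RemoteAccess -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running' |
    ForEach-Object { Write-Warning "$($_.Name) is running and may forward client traffic." }

# 4. Input path: allow VPN clients to reach only TCP 80 on the VPN address.
#    Block rules override allow rules in Windows Firewall, so this relies on
#    the default inbound action being Block instead of adding a catch-all block.
New-NetFirewallRule -DisplayName 'VPN clients to HTTP only (example)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalAddress $VpnServer -LocalPort $Port -RemoteAddress $VpnSubnet | Out-Null

# 5. Verify: every profile should be enabled with inbound Block
#    (NotConfigured means the built-in default, which is Block), and no
#    IPv4 interface should still report Forwarding = Enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetIPInterface -AddressFamily IPv4 | Select-Object InterfaceAlias, Forwarding
```

Any other existing inbound allow rule that matches the VPN subnet (for example file sharing or RDP scoped to "Any") still applies, so review those rules as well.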