Hi friends, hope everyone is doing well.
I have a little misunderstanding of how I should configure iptables v4 rules for an OpenVPN server.
If some wizard can give me a hint, it would be great.
I'm pretty sure this conf is full of mess and I can clean it up and get it working.
The OpenVPN server is behind a pfSense (connected to other pfSense boxes via IPsec).
There are 5 subnets:
10.17.1.0/24
10.17.3.0/24
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
Here are the OpenVPN server's interfaces:
ens18 UP 10.17.1.66/16
tun0 UNKNOWN 100.65.0.1 peer 100.65.0.2/32
The OpenVPN server.conf is as follows:
port 1194
proto udp
dev tun
ca ca.crt
cert OpenVPN-srv.crt
key OpenVPN-srv.key # This file should be kept secret
dh dh.pem
server 100.65.0.0 255.255.0.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.17.1.4 255.255.255.255"
push "route 10.17.1.50 255.255.255.255"
push "route 10.17.1.30 255.255.255.255"
push "route 10.17.1.100 255.255.255.255"
push "route 10.17.1.104 255.255.255.255"
push "route 10.17.1.204 255.255.255.255"
push "route 192.168.1.3 255.255.255.255"
push "route 192.168.0.39 255.255.255.255"
push "route 192.168.0.45 255.255.255.255"
push "route 192.168.0.46 255.255.255.255"
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-GCM
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 0
explicit-exit-notify 1
So the VPN gives specific routes (NAS and other stuff) to all users.
The very basis of our purpose is quite simple:
- all people need to access those IPs
- admins/tech need to access all /24 subnets
- some clients (ccd) need access to only one specific IP
Here is the iptables ruleset:
Be careful, your eyes may burn in front of such a mess:
### Generated by xtables-save v1.8.2 on Mon Apr 11 22:36:15 2022
*nat
:PREROUTING ACCEPT [409:51597]
:INPUT ACCEPT [129:18430]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [35:2589]
-A POSTROUTING -o ens18 -j MASQUERADE
COMMIT
# Completed on Mon Apr 11 22:36:15 2022
# Generated by xtables-save v1.8.2 on Mon Apr 11 22:36:15 2022
*filter
:INPUT ACCEPT [4750:1371382]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3080:2057099]
# we accept ssh from those subnets
-A INPUT -p tcp -m tcp --dport 22 -s 100.65.0.77/32 -d 10.17.1.66/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 192.168.1.0/24 -d 10.17.1.66/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 192.168.0.0/24 -d 10.17.1.66/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.17.1.0/24 -d 10.17.1.66/32 -j ACCEPT
# we accept any new connection on udp :1194 from outside (interface ens18)
-A INPUT -i ens18 -m state --state NEW -p udp --dport 1194 -j ACCEPT
# we drop ssh on tcp :22
-A INPUT -i ens18 -p tcp -m tcp --dport 22 -j DROP
# we accept already established forwarded connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# we accept all clients on all specific ips
# NAS
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.4/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.30/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.50/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.104/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.204/32 -j ACCEPT
# server1 server2 server3
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.21/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.24/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.100/32 -j ACCEPT
# servera serverb serverc
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 192.168.0.39/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 192.168.0.45/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 192.168.0.46/32 -j ACCEPT
# serverx
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 192.168.1.3/32 -j ACCEPT
# we give static ips to specific clients
# we accept admins/tech on all subnets
# admin1
-A FORWARD -i tun0 -s 100.65.0.77/32 -d 10.17.1.0/24 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.77/32 -d 10.17.3.0/24 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.77/32 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.77/32 -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.77/32 -d 192.168.2.0/24 -j ACCEPT
# we need specific access from clients to only specific subnets or IPs
# tech1 needs to be limited to this very IP
-A FORWARD -i tun0 -s 100.65.0.81/32 -d 10.17.3.130/32 -j ACCEPT
# tech2 needs to be limited to these very subnets
-A FORWARD -i tun0 -s 100.65.0.206/32 -d 10.17.1.0/24 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.206/32 -d 10.17.3.0/24 -j ACCEPT
# client3 needs to be limited to this very IP
-A FORWARD -i tun0 -s 100.65.0.108/32 -d 10.17.1.50/32 -j ACCEPT
# client4 needs to be limited to these very IPs (a single host, so /32 rather than /23)
-A FORWARD -i tun0 -s 100.65.0.157/32 -d 10.17.1.204/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.157/32 -d 192.168.0.39/32 -j ACCEPT
# client5 needs to be limited to this very IP
-A FORWARD -i tun0 -s 100.65.0.25/32 -d 192.168.1.3/32 -j ACCEPT
# client6 needs to be limited to this very IP
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 10.17.1.100/32 -j ACCEPT
# we drop any other request to the subnets
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 192.168.0.0/16 -j DROP
# 10.17.1.0/16 is masked by iptables to the network address 10.17.0.0/16
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.0.0/16 -j DROP
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 10.17.1.0/24 -j DROP
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 10.17.3.0/24 -j DROP
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 192.168.0.0/24 -j DROP
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 192.168.1.0/24 -j DROP
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 192.168.2.0/24 -j DROP
COMMIT
So the problems are:
- it's such a mess, I think
- client6 needs to be limited to 10.17.1.100 only, and for now he can access 192.168.1.3, 192.168.0.39, 192.168.0.45, ...
- at some point I'll try to give some clients access to specific ports only (using the --dport option).
I'm pretty sure someone can illuminate me and, by giving me some hints and clues, help me work this out.
Thanks in advance.
Have a nice day.
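An added example, not part of the post above and not the poster's code, that shows where the client6 leak comes from and one way to restructure the FORWARD chain. The FORWARD chain is first-match: the broad "-s 100.65.0.0/24 -d 192.168.1.3/32 -j ACCEPT" rule accepts client6's packet before the per-client DROP rules further down are ever consulted, and with the chain policy left at ACCEPT anything the DROP rules don't cover is forwarded. The script below simulates that first-match walk over a constructed excerpt of the posted rules (new flows only; the conntrack shortcut is skipped), then renders a default-DROP ruleset with one user chain per restricted client, where each chain ends in DROP so a restricted client never falls through to the shared destinations. The chain names (vpn_*), the 100.65.0.0/16 source match (taken from the "server" directive rather than the /24 the posted rules use) and the port 443 limit on client3 are assumptions made for the example; the post names no ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Ruleset = Tuple[Dict[str, List["Rule"]], Dict[str, str]]


@dataclass
class Rule:
    src: Net
    dst: Net
    target: str                  # ACCEPT, DROP, or a user-defined chain
    dport: Optional[int] = None  # None means "any port"


def parse_rules(text: str) -> Ruleset:
    """Parse the iptables-save subset used in the post into ({chain: [Rule]}, {chain: policy}).
    strict=False mirrors iptables masking host bits ('10.17.1.0/16' is really 10.17.0.0/16).
    The conntrack shortcut is skipped: the simulator models only the first packet of a flow."""
    chains: Dict[str, List[Rule]] = {}
    policies: Dict[str, str] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "--ctstate" in tok:
            continue
        if tok[0].startswith(":"):                 # ':FORWARD DROP [0:0]' / ':vpn_x - [0:0]'
            policies[tok[0][1:]] = tok[1]
            chains.setdefault(tok[0][1:], [])
        elif tok[0] == "-A":
            src = dst = ipaddress.ip_network("0.0.0.0/0")
            dport = None
            for i, t in enumerate(tok):
                if t == "-s":
                    src = ipaddress.ip_network(tok[i + 1], strict=False)
                elif t == "-d":
                    dst = ipaddress.ip_network(tok[i + 1], strict=False)
                elif t == "--dport":
                    dport = int(tok[i + 1])
            chains.setdefault(tok[1], []).append(Rule(src, dst, tok[tok.index("-j") + 1], dport))
    return chains, policies


def evaluate(ruleset: Ruleset, src: str, dst: str, dport: Optional[int] = None,
             chain: str = "FORWARD") -> Optional[str]:
    """First-match walk as the kernel does it: a user chain that matches nothing
    returns to its caller; falling off the base chain yields the chain policy."""
    chains, policies = ruleset
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chains.get(chain, []):
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            if r.target in ("ACCEPT", "DROP"):
                return r.target
            verdict = evaluate(ruleset, src, dst, dport, r.target)
            if verdict is not None:
                return verdict
    policy = policies.get(chain, "ACCEPT")
    return None if policy == "-" else policy


# Constructed excerpt of the posted FORWARD chain, in the posted order.
ORIGINAL = """
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.100/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 192.168.1.3/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 10.17.1.100/32 -j ACCEPT
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 192.168.0.0/16 -j DROP
-A FORWARD -i tun0 -s 100.65.0.0/24 -d 10.17.1.0/16 -j DROP
-A FORWARD -i tun0 -s 100.65.0.166/32 -d 192.168.1.0/24 -j DROP
"""

# Declarative intent taken from the post's comments.  The port on client3 is hypothetical.
SHARED = ["10.17.1.4/32", "10.17.1.30/32", "10.17.1.50/32", "10.17.1.100/32", "10.17.1.104/32",
          "10.17.1.204/32", "10.17.1.21/32", "10.17.1.24/32", "192.168.0.39/32",
          "192.168.0.45/32", "192.168.0.46/32", "192.168.1.3/32"]
SUBNETS = ["10.17.1.0/24", "10.17.3.0/24", "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
CLIENTS = {  # name: (tunnel address, [(destination, tcp port or None)])
    "admin1":  ("100.65.0.77",  [(n, None) for n in SUBNETS]),
    "tech1":   ("100.65.0.81",  [("10.17.3.130/32", None)]),
    "client4": ("100.65.0.157", [("10.17.1.204/32", None), ("192.168.0.39/32", None)]),
    "client6": ("100.65.0.166", [("10.17.1.100/32", None)]),
    "client3": ("100.65.0.108", [("10.17.1.50/32", 443)]),  # hypothetical port limit
}


def render(clients=CLIENTS, shared=SHARED) -> str:
    """Emit the *filter FORWARD part for iptables-restore: default DROP, one chain per
    restricted client, shared destinations reachable only by clients without a chain."""
    out = ["*filter", ":FORWARD DROP [0:0]"] + [f":vpn_{n} - [0:0]" for n in clients]
    out.append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    for name, (ip, _) in clients.items():
        out.append(f"-A FORWARD -i tun0 -s {ip}/32 -j vpn_{name}")
    for dst in shared:  # /16 because 'server 100.65.0.0 255.255.0.0' hands out a /16 pool
        out.append(f"-A FORWARD -i tun0 -s 100.65.0.0/16 -d {dst} -j ACCEPT")
    for name, (_, allowed) in clients.items():
        for dst, port in allowed:
            match = f"-p tcp --dport {port} " if port else ""
            out.append(f"-A vpn_{name} {match}-d {dst} -j ACCEPT")
        out.append(f"-A vpn_{name} -j DROP")  # never fall back to the shared rules
    out.append("COMMIT")
    return "\n".join(out)


if __name__ == "__main__":
    print(render())
    for label, rs in (("posted order", parse_rules(ORIGINAL)), ("per-client chains", parse_rules(render()))):
        print(f"{label}: client6 -> 192.168.1.3 = {evaluate(rs, '100.65.0.166', '192.168.1.3')}")
```

Running it prints the rendered ruleset and then "ACCEPT" for client6 to 192.168.1.3 under the posted order versus "DROP" with per-client chains. The rendered text covers only the FORWARD chain; the INPUT rules for ssh and udp/1194 stay as posted. Because the chain policy is DROP, any new destination has to be listed explicitly, which is what makes a later "--dport" restriction a one-line change in the CLIENTS table rather than another rule to order by hand.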