
OpenVPN: Limiting Client Access to Specific Destination Clients

I have two OpenVPN clients (ovpn_dest1, ovpn_dest2) which run continuously and have a private network (10.60.10.0/24 & 10.60.20.0/24) which I want to access from two Windows OpenVPN clients.

The Windows OpenVPN clients (ovpn_user1, ovpn_user2) however should only be able to access their respective networks (either 10.60.10.0/24 or 10.60.20.0/24).

That is, ovpn_user1 should only be able to access ovpn_dest1 (10.60.10.0/24) and ovpn_user2 should only be able to access ovpn_dest2 (10.60.20.0/24).

The current setup uses the client-to-client directive in the host OpenVPN server.conf file, which is needed to allow the Windows clients to talk to the ovpn_dest1/2 and their network devices (device1_1/device1_2/etc).

Unfortunately this client-to-client directive means that a Windows client can also access all ovpn_dest1/2 clients which is not wanted from a security point of view.

Network and IP designations:

ovpn_dest1 - 10.60.10.2
device1_1 - 10.60.10.3
device1_2 - 10.60.10.4
ovpn_dest2 - 10.60.20.2
device2_1 - 10.60.20.3
ovpn_user1 - 10.60.10.0/24
ovpn_user2 - 10.60.20.0/24

/etc/openvpn/server/server.conf:

local 188.166.226.159
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 67.207.67.3"
push "dhcp-option DNS 67.207.67.2"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
log-append /var/log/openvpn.log
client-to-client
client-config-dir ccd

/etc/openvpn/server/ccd/ovpn_dest1

route 10.60.10.0 255.255.255.0
iroute 10.60.10.0 255.255.255.0
push "route 10.60.10.0 255.255.255.0"

/etc/openvpn/server/ccd/ovpn_dest2

route 10.60.20.0 255.255.255.0
iroute 10.60.20.0 255.255.255.0
push "route 10.60.20.0 255.255.255.0"

I can also connect to all of the following devices from any Windows OpenVPN client (ovpn_user1/ovpn_user2):

http://10.8.0.2/ (ovpn_dest1)
http://10.8.0.3/ (ovpn_dest2)
http://10.60.10.2/ (ovpn_dest1)
http://10.60.20.2/ (ovpn_dest2)
10.60.10.3 (device1_1)

However, I want to limit the access for Windows clients such that a given client can only access its specific ovpn_destN network.

I have tried using iptables; however, I am no expert in this, and it seems the client-to-client directive in the server.conf file effectively overrides anything attempted in iptables to block a route between a source and destination. (The directive means "client to client networking will be done inside OpenVPN without reaching host layer".) It seems I might have to remove "client-to-client" from the server.conf to limit connections, but I have been unable to establish communications when this line is removed.

I have considered using multiple OpenVPN instances (one for each set of ovpn_destN, ovpn_userN); however, with many dozens of instances this may not be ideal, although multiple networks will likely not be accessed frequently concurrently.

What (and how) is the best way of limiting a Windows client to a specific destination network?

  • How do the clients get their IP addresses? Commented Dec 21, 2021 at 7:15
  • @TeroKilkanen Sorry, not quite sure what you mean by that. I have an ipp.txt file which is automatically populated when new clients join, but this isn't really relevant I assume. Commented Dec 21, 2021 at 7:42

1 Answer


Since your configuration contains push "redirect-gateway def1 bypass-dhcp", OpenVPN clients will set their default gateway to the address of the OpenVPN server.

This means that all client traffic is forwarded to the OpenVPN server. Therefore the ccd configurations are meaningless, because those routes are covered by the default route.

First, make sure that your clients are assigned static IP addresses. Add the following line to the ovpn_dest1 file in the server ccd directory for the client:

ifconfig-push 10.8.0.2 255.255.255.0 

And respectively to ovpn_dest2:

ifconfig-push 10.8.0.3 255.255.255.0 

Then configure the firewall on the OpenVPN server as follows:

iptables -I FORWARD -s 10.8.0.2 -d 10.60.20.2 -j DROP
iptables -I FORWARD -s 10.8.0.3 -d 10.60.10.2 -j DROP

The first one blocks traffic from client 1 to destination 2 and the second one from client 2 to destination 1.

  • Sorry for my confusion, but are you saying to add ifconfig-push 10.8.0.2 255.255.255.0 to the client's .ovpn configuration file or to the server's server.conf file? Also, should the "client-to-client" line be removed from the server.conf file then as this will otherwise make iptable rules likely have no effect? Commented Dec 21, 2021 at 8:29
  • Just to clarify, ovpn_user1 and ovpn_user2 are the Windows users which should have access to the networks 10.60.10.0/24 and 10.60.20.0/24 respectively. Commented Dec 21, 2021 at 8:31
  • These lines should be added on the server side to the files in ccd directory, so they are client specific configurations. Commented Dec 21, 2021 at 15:39
  • Should the push "redirect-gateway def1 bypass-dhcp" and client-to-client directives remain, or should they both be removed? Commented Dec 22, 2021 at 2:01
  • The default gateway push should be removed at least. Commented Dec 22, 2021 at 21:18
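The answer pins each client's tunnel address in its ccd file and then filters in the FORWARD chain. The script below is an added example, not code from the question or the answer: it generates the ccd files and a default-deny ruleset from one policy table, so it scales to the "many dozens" of user/destination pairs mentioned above. It assumes client-to-client has been removed from server.conf (with it present, OpenVPN switches packets between clients internally and the host FORWARD chain never sees them); the user tunnel addresses 10.8.0.10/10.8.0.11 and the policy table are constructed, while the CNs and networks come from the question.

```shell
#!/bin/sh
# Added example (not from the question or answer): derive per-client ccd files
# and a default-deny FORWARD ruleset from a single policy table.
# Assumption: client-to-client is removed from server.conf so client-to-client
# traffic traverses the host FORWARD chain (tun0 -> tun0).

# Constructed policy table: "<common name> <static tunnel address> <allowed net> <netmask>"
POLICY="ovpn_user1 10.8.0.10 10.60.10.0 255.255.255.0
ovpn_user2 10.8.0.11 10.60.20.0 255.255.255.0"

TUN_NET="10.8.0.0/24"   # matches 'server 10.8.0.0 255.255.255.0' in server.conf
DEV="tun0"

# Write one ccd file per user: pin its tunnel address (as the answer does with
# ifconfig-push) and push only the route for its own network.
gen_ccd() {  # $1 = ccd directory
    printf '%s\n' "$POLICY" | while read -r cn ip net mask; do
        printf 'ifconfig-push %s 255.255.255.0\npush "route %s %s"\n' \
            "$ip" "$net" "$mask" > "$1/$cn"
    done
}

# Print the iptables commands (dry run; review, then pipe to sh on the server).
# Order matters: conntrack first, explicit allows next, catch-all drops last.
gen_rules() {
    # Replies to allowed connections also cross tun0 -> tun0; let conntrack pass them.
    echo "iptables -A FORWARD -i $DEV -o $DEV -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Allow: each user to its own site network only.
    printf '%s\n' "$POLICY" | while read -r cn ip net mask; do
        echo "iptables -A FORWARD -i $DEV -o $DEV -s $ip -d $net/$mask -j ACCEPT"
    done
    # Deny everything else from the tunnel pool to any site network ...
    printf '%s\n' "$POLICY" | while read -r cn ip net mask; do
        echo "iptables -A FORWARD -i $DEV -o $DEV -s $TUN_NET -d $net/$mask -j DROP"
    done
    # ... and between tunnel peers themselves (e.g. a user reaching 10.8.0.2 directly).
    echo "iptables -A FORWARD -i $DEV -o $DEV -s $TUN_NET -d $TUN_NET -j DROP"
}

# When run directly, show the ruleset that would be applied.
gen_rules
```

The drop rules are written as a catch-all so that a user whose CN is missing from the table gets no access at all, rather than the per-pair DROP lines in the answer which only cover the pairs you remember to list.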
