Hi,

> On Tue, Sep 22, 2015 at 11:38:43AM -0400, Stefan Monnier wrote:
>
>> My typical OpenVPN configuration uses a TUN device with a subnet
>> topology with an IP range of AA.BB.CC.NN and a netmask of 255.255.255.0,
>> and in that configuration the server gets a local end point address of
>> AA.BB.CC.1.
>>
>> How could I arrange that the local tun device doesn't get an IP address
>> at all, so that clients can talk to each other via the VPN, but can't
>> connect to the server via the VPN (only via the outside IP address
>> instead)?
>>

Simon Deziel wrote:
> One simple way to prevent clients from connecting to the server's tun is
> to firewall it off:
>
>   iptables -I INPUT -i tun+ -j DROP
>
> In plain English: drop any packet destined to the VPN server itself that
> is entering via any tunX device.
>

This is, of course, the preferred solution, however...

Gert Doering wrote:
>
> You can't, OpenVPN needs a tun IP address on the server side to set up
> routing.
>
> But you can, of course, just install local firewall rules on the server
> to reject all connection attempts to the .1 address.
>

This is not entirely true - you can bring up the tun interface on the
server without an IP address, but you will also need to set up all routing
by yourself. Use

  script-security 2
  ifconfig-noexec
  up .../myup.sh

with myup.sh containing something like

  ifconfig $1 0.0.0.0 up

and you're done. (I just checked that this works on a CentOS 6 server.)

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
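A fuller version of the "up" script that JJK's reply sketches, added here as an example and not JJK's own myup.sh. It assumes iproute2 (`ip link` / `ip route`) as the equivalent of the post's `ifconfig $1 0.0.0.0 up`, a VPN subnet of 10.8.0.0/24 supplied through a hypothetical VPN_NET variable (constructed sample; it must match the server's `server` directive), and a DRY_RUN switch of my own so the commands can be inspected without touching the host's routing table. It covers the part Gert's reply worries about: with `ifconfig-noexec`, OpenVPN no longer installs the subnet route for you, so the script adds it itself.

```shell
#!/bin/sh
# Hypothetical OpenVPN "up" script (example, not from the thread): bring the
# server's tun device up WITHOUT an IP address, then install the route for the
# VPN subnet that OpenVPN would normally add right after its own ifconfig.
#
# OpenVPN runs an up script as:
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# so $1 is the tun device name (e.g. tun0).

# VPN subnet to route into the tunnel. Constructed sample value; override it
# via the environment so it matches the "server" directive in the config.
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Emit the commands as text, one per line, so they can be reviewed (and
# tested) without changing the host's network configuration.
build_up_commands() {
    dev="$1"
    net="$2"
    # iproute2 equivalent of "ifconfig $dev 0.0.0.0 up": link up, no address.
    printf '%s\n' "ip link set dev $dev up"
    # The route OpenVPN would have installed itself; "replace" keeps the
    # script idempotent across "restart" invocations.
    printf '%s\n' "ip route replace $net dev $dev"
}

# Execute the commands; with DRY_RUN=1 (assumed switch) only echo them.
run_up() {
    build_up_commands "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd || { echo "myup.sh: failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Act only when a device name is passed (as OpenVPN does); running the file
# with no arguments just defines the functions.
if [ "$#" -ge 1 ]; then
    run_up "$1" "$VPN_NET"
fi
```

Because the interface carries no address, the server itself has nothing to answer on inside the tunnel, which is the effect Stefan asked for; the iptables rule Simon gave remains the simpler and more common way to get the same result, and the two can be combined.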