On 18/05/16 18:28, Scott Crooks wrote:
> Greetings,
>
> In order to avoid spamming this list with unrelated questions
> about IPtables commands, I'm wondering if there is a book/resource
> that anyone knows of that tackles how to do more advanced setups
> with OpenVPN and IPtables?
>
> It seems there are many examples on the Internet of "redirect all
> traffic to OpenVPN, then masquerade (NAT) on the server" but I'm
> looking to do something more advanced than this. I purchased
> "Mastering OpenVPN" and have a test setup that does the following:
>
> * Authenticates users via LDAP
> * Pulls access rights for the user from LDAP
> * Pushes per user routes via the `client-connect` script
> * Does not route all Internet traffic
>
> The part I'm missing is the server-side IPtables rules. Each user
> should get their own chain, created when they connect, and
> subsequently deleted when they disconnect. Things become unclear
> when trying to figure out OpenVPN in relation to netfilter hooks.
> Specifically:
I have already done something similar in a plug-in I wrote for OpenVPN,
called eurephia [1]. It does not currently do LDAP, but the code is
getting really close to being able to do at least LDAP authentication
too. Grabbing a field with an iptables chain shouldn't be too hard. What
I've been lacking for quite some time is actually time to complete these
details. But that is about to change in the not too far future. So if
you're interested, I can see if I can get some time to get LDAP support
done.

[1] <https://www.eurephia.net/> ... seems old and out-dated, I know ...
but I'm using it in production and it has been rock solid for a very
long time for my configurations.

> * At what point in the netfilter hook process does traffic get
> decrypted?

Have a look at the ASCII art drawing here, I believe that covers your
question:
<https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting>

So all the data which is being transported over the VPN is appearing on
*2 in the drawing. The encrypted channel between OpenVPN client and
server goes via *1 in the drawing.

> * Is the FORWARD chain the best way to process per user access
> rules?

Yes. INPUT/OUTPUT chains only cover traffic TO/FROM your
computer/firewall/VPN server ("localhost"). The FORWARD chain takes care
of all traffic not destined for the "localhost".

> * Is there a way to NOT masquerade traffic from the OpenVPN server,
> and make it appear that traffic comes from the same subnet
> configured in the `server` directive?

You don't need to masquerade traffic between subnets, as long as the
routing is properly set up. But once your VPN tunnel is configured to
allow VPN clients to access the "wild internet", you generally want to
masquerade the IPv4 traffic.
--
kind regards,

David Sommerseth

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
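The per-user chain arrangement discussed in this thread (one chain per connected user, hung off FORWARD, created by client-connect and removed by client-disconnect), written out as an added example. This is not code from the thread, from eurephia or from OpenVPN. It assumes, hypothetically, that the user's access list has already been fetched from LDAP and arrives in an environment variable VPN_ACL as space-separated "dst:proto:port" entries; the variables common_name, ifconfig_pool_remote_ip, dev and script_type are the ones OpenVPN itself exports to these hook scripts. DRY_RUN=1 makes the script print the iptables commands instead of executing them, which is how it can be exercised without root.

```shell
#!/bin/sh
# Per-user iptables chains for OpenVPN, driven by the client-connect and
# client-disconnect hooks. Added example, not code from this thread, from
# eurephia or from OpenVPN. Assumptions (hypothetical): the user's access
# list has already been looked up (e.g. from LDAP) and is passed in
# $VPN_ACL as space-separated "dst:proto:port" entries, where proto and
# port may be "any"; OpenVPN's own exported variables $common_name,
# $ifconfig_pool_remote_ip, $dev and $script_type identify the client,
# the tun device and which hook is running. DRY_RUN=1 prints the
# iptables commands instead of executing them.
set -eu

# Run iptables, or print the command line in dry-run mode.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Derive a safe chain name from the certificate common name. iptables
# chain names are limited to 28 characters, so the CN is truncated to 24
# after replacing anything outside [A-Za-z0-9_]: "bob.example" becomes
# "vpn_bob_example".
chain_for() {
    printf 'vpn_%s' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_' | cut -c1-24)"
}

# Build the user's chain and only then divert the client's forwarded
# traffic into it. $1 common name, $2 client VPN address, $3 tun device,
# $4 ACL entries. An empty ACL yields a chain that rejects everything.
on_connect() {
    cn=$1; ip=$2; iface=$3; acl=$4
    chain=$(chain_for "$cn")
    # A stale chain left by an earlier crash is flushed instead of
    # failing the connect.
    ipt -N "$chain" 2>/dev/null || ipt -F "$chain"
    for entry in $acl; do
        case $entry in
            *:*:*) ;;
            *) echo "bad ACL entry: $entry" >&2; return 1 ;;
        esac
        dst=${entry%%:*}; rest=${entry#*:}
        proto=${rest%%:*}; port=${rest#*:}
        set -- -A "$chain" -d "$dst"
        if [ "$proto" != any ]; then
            set -- "$@" -p "$proto"
            [ "$port" = any ] || set -- "$@" --dport "$port"
        fi
        ipt "$@" -j ACCEPT
    done
    # Everything not on the list is answered with an ICMP error rather
    # than silently dropped, which makes mistakes visible to the user.
    ipt -A "$chain" -j REJECT --reject-with icmp-admin-prohibited
    # -I puts the jump ahead of any catch-all in the base FORWARD rules.
    ipt -I FORWARD -i "$iface" -s "$ip" -j "$chain"
}

# Tear down in reverse order: stop diverting, flush, delete.
# $1 common name, $2 client VPN address, $3 tun device.
on_disconnect() {
    chain=$(chain_for "$1")
    # The jump may already be gone if the connect script never finished.
    ipt -D FORWARD -i "$3" -s "$2" -j "$chain" || true
    ipt -F "$chain"
    ipt -X "$chain"
}

# OpenVPN runs the same script for both hooks; $script_type says which.
# A non-zero exit from client-connect makes OpenVPN refuse the client,
# so a failed iptables call never leaves a user connected unfiltered.
case "${script_type:-}" in
    client-connect)
        on_connect "$common_name" "$ifconfig_pool_remote_ip" "$dev" "${VPN_ACL:-}" ;;
    client-disconnect)
        on_disconnect "$common_name" "$ifconfig_pool_remote_ip" "$dev" ;;
esac
```

To wire it in, the server config needs "script-security 2" plus "client-connect" and "client-disconnect" both pointing at this script (the path is yours to choose). The script only manages the per-user chains; the base ruleset is set once at boot, not per connection: a FORWARD policy of DROP, and one FORWARD rule accepting ESTABLISHED,RELATED traffic leaving through the tun interface so that replies to a user's permitted connections get back to the client. As David notes, no MASQUERADE rule is involved for traffic between the VPN subnet and the LAN as long as the LAN side has a route for the VPN subnet back to the OpenVPN server; masquerading is only needed once clients are allowed out to the Internet.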