David,
Thank you for the response! I remember you talking about eurephia before in
another post I wrote. The LDAP authentication / pulling rules from LDAP
feature is definitely needed, and since I didn't find a project that met
all of the requirements I was going for, I opted to do it myself.
Thank you also for the explanation regarding the firewalling. Part of the
problem (and why I didn't reply to /dev/rob0) is because when it comes to
iptables, I "don't know what I don't know" if that makes sense. It's hard
to specify what I'm going for since there's a multitude of ways to do it
I'm sure. However, if using the FORWARD chain can allow a user to have
access to only what they need, and avoids having to use NAT, then that
sounds like the way to go! Thank you again.
On Thu, May 19, 2016 at 10:50 AM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:
> On 18/05/16 18:28, Scott Crooks wrote:
> > Greetings,
> >
> > In order to avoid spamming this list with unrelated questions
> > about IPtables commands, I'm wondering if there is a book/resource
> > that anyone knows of that tackles how to do more advanced setups
> > with OpenVPN and IPtables?
> >
> > It seems there are many examples on the Internet of "redirect all
> > traffic to OpenVPN, then masquerade (NAT) on the server" but I'm
> > looking to do something more advanced than this. I purchased
> > "Mastering OpenVPN" and have a test setup that does the following:
> >
> > * Authenticates users via LDAP
> > * Pulls access rights for the user from LDAP
> > * Pushes per user routes via the `client-connect` script
> > * Does not route all Internet traffic
> >
> > The part I'm missing is the server-side IPtables rules. Each user
> > should get their own chain, created when they connect, and
> > subsequently deleted when they disconnect. Things become unclear
> > when trying to figure out OpenVPN in relation to netfilter hooks.
> > Specifically:
>
> I have already done something similar in a plug-in I wrote for
> OpenVPN, called eurephia [1]. It does not currently do LDAP, but the
> code is getting really close to being able to do at least LDAP
> authentication too. Grabbing a field with iptables chain shouldn't be
> too hard.
>
> What I've been lacking for quite some time is actually time to
> complete these details. But that is about to change in the not too
> distant future. So if you're interested, I can see if I can get some
> time getting LDAP support done.
>
> [1] <https://www.eurephia.net/> ... seems old and out-dated, I know ...
> but I'm using it in production and it has been rock solid for a
> very long time for my configurations.
>
> > * At what point in the netfilter hook process does traffic get
> > decrypted?
>
> Have a look at the ASCII art drawing here, I believe that covers your
> question:
> <https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting>
>
> So all the data which is being transported over the VPN is appearing
> on *2 in the drawing.
>
> The encrypted channel between OpenVPN client and server goes via *1 in
> the drawing.
>
> > * Is the FORWARD chain the best way to process per user access
> > rules?
>
> Yes. INPUT/OUTPUT chains only cover traffic TO/FROM your
> computer/firewall/VPN server ("localhost"). The FORWARD chain takes
> care of all traffic not destined for the "localhost".
>
> > * Is there a way to NOT masquerade traffic from the OpenVPN server,
> > and make it appear that traffic comes from the same subnet
> > configured in the `server` directive?
>
> You don't need to masquerade traffic between subnets, as long as the
> routing is properly set up. But once your VPN tunnel is configured to
> allow VPN clients to access the "wild internet", you generally want to
> masquerade the IPv4 traffic.
>
>
> --
> kind regards,
>
> David Sommerseth
--
Scott Crooks (王虎)
LinkedIn: http://www.linkedin.com/in/jshcrooks
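To make the advice in the thread concrete (per-user chains created on connect and removed on disconnect, all matched in FORWARD, no masquerading between routed subnets), here is an added client-connect/client-disconnect script. It is example code, not from the thread or from eurephia; it assumes the tunnel interface is tun0 and uses a hypothetical `user_allowed_nets` function in place of the LDAP access-rights lookup.

```shell
#!/bin/sh
# Per-user FORWARD chains for OpenVPN, driven by client-connect and
# client-disconnect. Added example, not code from the thread or from eurephia.
# Assumptions (not from the post): the tunnel interface is tun0, and
# user_allowed_nets is a hypothetical stand-in for the LDAP access-rights query.
set -eu
VPN_IF="${VPN_IF:-tun0}"
# Hypothetical stand-in for the LDAP lookup: one allowed CIDR per line.
user_allowed_nets() {
    case "$1" in
        alice) printf '%s\n' 10.10.1.0/24 10.10.2.5/32 ;;
        bob)   printf '%s\n' 10.10.2.0/24 ;;
        *)     ;;                         # unknown user: nothing allowed
    esac
}
# Chain name from the certificate CN: only characters iptables accepts,
# truncated to the 28-byte chain-name limit.
chain_name() {
    printf 'vpn_%s' "$1" | tr -c 'A-Za-z0-9_\n' '_' | cut -c1-28
}
# Emit the iptables commands for one event, one per line. Everything lives in
# FORWARD: the VPN subnet is routed, not masqueraded, so internal hosts see
# the client's own tunnel IP as the source.
rules_for_event() {   # $1=connect|disconnect  $2=common_name  $3=client tunnel IP
    chain=$(chain_name "$2")
    if [ "$1" = connect ]; then
        echo "iptables -N $chain"
        user_allowed_nets "$2" | while read -r net; do
            echo "iptables -A $chain -d $net -j ACCEPT"
        done
        echo "iptables -A $chain -j DROP"
        # Match on the tunnel IP OpenVPN assigned to this client.
        echo "iptables -I FORWARD -i $VPN_IF -s $3 -j $chain"
    else
        echo "iptables -D FORWARD -i $VPN_IF -s $3 -j $chain"
        echo "iptables -F $chain"
        echo "iptables -X $chain"
    fi
}
# Under OpenVPN, script_type, common_name and ifconfig_pool_remote_ip are set
# by the server. DRY_RUN=1 prints the commands instead of running them.
case "${script_type:-}" in
    client-connect|client-disconnect)
        rules_for_event "${script_type#client-}" "$common_name" "$ifconfig_pool_remote_ip" |
        while read -r cmd; do
            [ "${DRY_RUN:-0}" = 1 ] && echo "$cmd" || sh -c "$cmd"
        done ;;
esac
```

Pair it with a one-time `iptables -P FORWARD DROP` plus an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule at the top of FORWARD so replies from internal hosts reach the clients.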
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users