On 19/05/16 20:47, Scott Crooks wrote:
> Thank you also for the explanation regarding the firewalling. Part of
> the problem (and why I didn't reply to /dev/rob0) is because when it
> comes to iptables, I "don't know what I don't know" if that makes sense.
> It's hard to specify what I'm going for since there's a multitude of
> ways to do it I'm sure. However, if using the FORWARD chain can allow a
> user to have access to only what they need, and avoids having to use
> NAT, then that sounds like the way to go! Thank you again.

Yes, that should work.  Again, please have a look at the firewall
configuration documentation in eurephia.  The key concept between what
you describe and what eurephia does is quite similar, so you might get
some ideas from there:

<http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-FWintegration_Chapter.html>

What is not described there is the magic eurephia does to update
iptables on-the-fly when clients connect and disconnect.  But in essence
that is eurephia running iptables commands updating the 'vpn_users'
table.  However, beware that OpenVPN needs to run with root privileges
to be able to update iptables on the fly.  And that is one of the
reasons eurephia will fork out a sub-process during the init phase which
keeps root privileges and gets limited update requests from the
unprivileged openvpn process (after it has dropped privileges etc).


--
kind regards,

David Sommerseth


> On Thu, May 19, 2016 at 10:50 AM, David Sommerseth
> <open...@sf.lists.topphemmelig.net> wrote:
> 
> On 18/05/16 18:28, Scott Crooks wrote:
>> Greetings,
> 
>> In order to avoid spamming this list with unrelated questions
>> about IPtables commands, I'm wondering if there is a book/resource
>> that anyone knows of that tackles how to do more advanced setups
>> with OpenVPN and IPtables?
> 
>> It seems there are many examples on the Internet of "redirect all
>> traffic to OpenVPN, then masquerade (NAT) on the server" but I'm
>> looking to do something more advanced than this. I purchased
>> "Mastering OpenVPN" and have a test setup that does the following:
> 
>> * Authenticates users via LDAP
>> * Pulls access rights for the user from LDAP
>> * Pushes per user routes via the `client-connect` script
>> * Does not route all Internet traffic
> 
>> The part I'm missing is the server-side IPtables rules. Each user
>> should get their own chain, created when they connect, and
>> subsequently deleted when they disconnect. Things become unclear
>> when trying to figure out OpenVPN in relation to netfilter hooks.
>> Specifically:
> 
> I have already done something similar in a plug-in I wrote for
> OpenVPN, called eurephia [1]. It does not currently do LDAP, but the
> code is getting really close to being able to do at least LDAP
> authentication too. Grabbing a field with iptables chain shouldn't be
> too hard.
> 
> What I've been lacking for quite some time, is actually time to
> complete these details. But that is about to change in the not too far
> future. So if you're interested, I can see if I can get some time
> getting LDAP support done.
> 
> [1] <https://www.eurephia.net/> ... seems old and out-dated, I know ...
> but I'm using it in production and it has been rock solid for a
> very long time for my configurations.
> 
>> * At what point in the netfilter hook process does traffic get
>> decrypted?
> 
> Have a look at the ASCII art drawing here, I believe that covers your
> question:
> <https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting>
> 
> So all the data which is being transported over the VPN is appearing
> on *2 in the drawing.
> 
> The encrypted channel between OpenVPN client and server goes via *1 in
> the drawing.
> 
>> * Is the FORWARD chain the best way to process per user access
>> rules?
> 
> Yes. INPUT/OUTPUT chains only cover traffic TO/FROM your
> computer/firewall/VPN server ("localhost"). The FORWARD chain takes
> care of all traffic not destined for the "localhost".
> 
>> * Is there a way to NOT masquerade traffic from the OpenVPN server,
>> and make it appear that traffic comes from the same subnet
>> configured in the `server` directive?
> 
> You don't need to masquerade traffic between subnets, as long as the
> routing is properly set up. But once your VPN tunnel is configured to
> allow VPN clients to access the "wild internet", you generally want to
> masquerade the IPv4 traffic.
> 
> 
> --
> kind regards,
> 
> David Sommerseth
> 
> 
> 
> 
> -- 
> Scott Crooks (王虎)
> LinkedIn: http://www.linkedin.com/in/jshcrooks
> 

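As an added worked example (this is not code from the thread and not eurephia's own plug-in code), here is what the per-user FORWARD-chain approach discussed above looks like as a single OpenVPN hook script used for both `client-connect` and `client-disconnect`. It assumes, as the thread does not state, that the per-user allow-list is read from a file `$ACL_DIR/<common_name>` with one IPv4 CIDR per line (a stand-in for the LDAP lookup Scott does), that the tunnel interface is the `dev` OpenVPN exports, and that the chain name prefix is `vpn_`. The environment variables `script_type`, `common_name`, `ifconfig_pool_remote_ip` and `dev` are the ones OpenVPN really sets for these hooks. No NAT is used: the protected subnets are expected to route the VPN pool back to the server.

```shell
#!/bin/sh
# Added example, not eurephia's code and not from the thread: per-user
# FORWARD chains created on client-connect and torn down on client-disconnect.
# Assumed (not stated in the thread): the per-user allow-list is a file
# $ACL_DIR/<common_name> with one IPv4 CIDR per line, standing in for the
# LDAP lookup; the chain name prefix vpn_ is also this example's choice.

IPTABLES="${IPTABLES:-iptables}"      # e.g. "sudo -n iptables" once openvpn
                                      # has dropped to an unprivileged user
ACL_DIR="${ACL_DIR:-/etc/openvpn/acl}"

# Map a certificate CN to a chain name: only [A-Za-z0-9_], and short enough
# to stay under the 28-character limit on iptables chain names.
chain_name() {
  printf 'vpn_%s' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_' | cut -c1-24)"
}

# Commands that wire one client into FORWARD: its chain allows only the listed
# destinations and drops the rest, and only packets arriving on the tunnel
# interface from the client's pool address are sent to that chain, so a
# spoofed source from another interface never reaches it.
gen_connect_rules() {  # $1=CN $2=pool IP $3=tunnel dev $4..=allowed CIDRs
  cn=$1; ip=$2; tun=$3; shift 3
  chain=$(chain_name "$cn")
  printf '%s -N %s\n' "$IPTABLES" "$chain"
  for dst in "$@"; do
    printf '%s -A %s -d %s -j ACCEPT\n' "$IPTABLES" "$chain" "$dst"
  done
  printf '%s -A %s -j DROP\n' "$IPTABLES" "$chain"
  printf '%s -I FORWARD -i %s -s %s/32 -j %s\n' "$IPTABLES" "$tun" "$ip" "$chain"
}

# Commands that undo gen_connect_rules for the same client: unlink the chain
# from FORWARD first, then flush and delete the now-unreferenced chain.
gen_disconnect_rules() {  # $1=CN $2=pool IP $3=tunnel dev
  chain=$(chain_name "$1")
  printf '%s -D FORWARD -i %s -s %s/32 -j %s\n' "$IPTABLES" "$3" "$2" "$chain"
  printf '%s -F %s\n' "$IPTABLES" "$chain"
  printf '%s -X %s\n' "$IPTABLES" "$chain"
}

# One-time base rules the per-user chains rely on: default-deny forwarding
# and a conntrack rule so replies can flow back into the tunnel.
gen_base_rules() {  # $1=tunnel dev
  printf '%s -P FORWARD DROP\n' "$IPTABLES"
  printf '%s -A FORWARD -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$IPTABLES" "$1"
}

# Allow-list lookup (stand-in for the LDAP attribute); keeps only lines that
# look like an IPv4 CIDR so a bad entry can never become an iptables argument.
read_acl() {
  [ -r "$ACL_DIR/$1" ] && \
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$ACL_DIR/$1"
}

# OpenVPN sets script_type to the hook being run. Word-splitting of the ACL
# is intended (one CIDR per word); an empty ACL yields a DROP-only chain.
case "${script_type:-}" in
  client-connect)
    gen_connect_rules "$common_name" "$ifconfig_pool_remote_ip" "$dev" \
      $(read_acl "$common_name") | sh -e ;;
  client-disconnect)
    gen_disconnect_rules "$common_name" "$ifconfig_pool_remote_ip" "$dev" | sh -e ;;
esac
```

Point the server config's `client-connect` and `client-disconnect` at this script, and run `gen_base_rules tun0 | sh -e` once from the server's `up` script. The privilege problem David describes applies directly: with `user nobody` in the config the hooks run unprivileged and `iptables` will fail, so either give that user a sudoers entry limited to the iptables binary and set `IPTABLES="sudo -n iptables"`, or keep a root helper around as eurephia does. The rules above are IPv4 only; an IPv6 pool needs the same chains via ip6tables.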
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users