Hi,

On Wed, May 05, 2021 at 01:20:14AM +0200, Bo Berglund wrote:
> But I don't want any other traffic to go through the VPN, so how should I set
> the server conf file to accomplish that?

If the server conf (and client conf) has no instance of "route" or
"redirect-gateway", all the client will see is the 10.8.113.0/24 subnet
on the tunnel.

OpenVPN will never automagically route something into the tunnel if
not told explicitly (in the client conf, or by a "push" from the server).

> server 10.8.113.0 255.255.255.0 'nopool'
> ifconfig-pool 10.8.113.2 10.8.113.127 255.255.255.0

This is a bit weird.  "server" *without* "nopool" will include the
pool setting (though for the full /24)...  so this is more complicated
than necessary.

> ifconfig-pool-persist ippagi.txt
> client-config-dir /etc/openvpn/ccdagi #Used to handle special configs
> # Add route to Client routing table for the OpenVPN Server
> push "route 10.8.113.1 255.255.255.255"
> # Add route to Client routing table for the OpenVPN Subnet
> push "route 10.8.113.0 255.255.255.0"

This is not needed.  The "server" subnet is always known.

> So I don't want the tunnel clients to be routed out onto the server side LAN
> nor do I want them to be able to route through to the Internet.
> Basically the ONLY traffic in the tunnel should be the client-to-client
> traffic.
> 
> What else should I do in the conf file?

If the client is well-behaved, what you have is sufficient.

If the client is malicious, it could just add "route" statements to
the local client conf and send packets your way.  To prevent that, put
an iptables rule on the server tun interface and drop packets "coming
in via tun, to go out to the internet".

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
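The "drop packets coming in via tun" rule Gert describes, as an added example that is not part of the list post and not OpenVPN project code. It assumes, beyond what the thread states, that the server's tunnel interface is tun0 and that the tunnel subnet is the 10.8.113.0/24 from the quoted server conf; both can be overridden through the environment. By default the script only prints the iptables commands (dry run); APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (editor's, not from the list post or the OpenVPN project):
# drop anything a client sends into the tunnel that is not addressed to the
# tunnel subnet itself, so a client that adds its own "route" lines cannot
# reach the server-side LAN or the Internet through the server.
#
# Assumptions not stated in the thread: the server's tunnel interface is tun0
# and the tunnel subnet is 10.8.113.0/24 (taken from the quoted server conf).
TUN_IF="${TUN_IF:-tun0}"
TUN_NET="${TUN_NET:-10.8.113.0/24}"
APPLY="${APPLY:-0}"   # 0 = print the commands (dry run), 1 = execute them

# run: execute the command when APPLY=1, otherwise print it.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ovpn_isolation_rules: build a dedicated chain and hook it at the top of
# FORWARD for every packet that enters the kernel via the tunnel interface.
ovpn_isolation_rules() {
    run iptables -N OVPN_ISOLATE 2>/dev/null || true   # ignore "chain exists"
    run iptables -F OVPN_ISOLATE
    # client-to-client packets (tun0 -> tun0, when the server conf has no
    # "client-to-client" and the kernel forwards them) stay allowed
    run iptables -A OVPN_ISOLATE -d "$TUN_NET" -j RETURN
    # everything else arriving from the tunnel is logged (rate-limited), then dropped
    run iptables -A OVPN_ISOLATE -m limit --limit 6/min -j LOG --log-prefix "ovpn-leak:"
    run iptables -A OVPN_ISOLATE -j DROP
    # insert at position 1 so an existing blanket ACCEPT in FORWARD cannot shadow it
    run iptables -I FORWARD 1 -i "$TUN_IF" -j OVPN_ISOLATE
}

# ovpn_isolation_check: after applying, confirm the FORWARD hook is in place
# (exit status 0 when present, non-zero otherwise).
ovpn_isolation_check() {
    iptables -C FORWARD -i "$TUN_IF" -j OVPN_ISOLATE
}

ovpn_isolation_rules
```

Run it as root with APPLY=1 on the server, then verify with ovpn_isolation_check or `iptables -L FORWARD -v -n`. Two caveats a practitioner will want: the rule sits in FORWARD, so it covers traffic the server would relay to its LAN or the Internet but not packets addressed to the server host itself on its tunnel address, which go through INPUT; and if net.ipv4.ip_forward is 0 the kernel relays nothing from tun0 anyway, so the rule is a second line of defence rather than the first.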
