Hi,

On 05/05/21 01:20, Bo Berglund wrote:
> On Sun, 2 May 2021 19:17:26 +0200, Gert Doering <g...@greenie.muc.de> wrote:
>
>> Now, for "client A talks to client B", there's a catch - if you put
>> "client-to-client" into the openvpn server config, OpenVPN will forward
>> the packets directly, bypassing tun0 firewalls.  Without client-to-client,
>> packets go to tun0, get firewalled, come back (or not).
>
> Related question:
>
> I am looking to use an OpenVPN server to facilitate communications between two
> connected devices via the VPN tunnel. I will create a new server instance on a
> separate port for this.
> So I will definitely use client-to-client for this.
>
> But I don't want any other traffic to go through the VPN, so how should I set
> the server conf file to accomplish that?
>
> I have this in the new instance conf file now (copy of the existing file with
> edits done). But I am unsure what I *really* need:
>
> port 1197
> multihome
> dev tun
> proto udp
> (cryptography file locations)
> key-direction 0
> topology subnet
> server 10.8.113.0 255.255.255.0 'nopool'
> ifconfig-pool 10.8.113.2 10.8.113.127 255.255.255.0
> ifconfig-pool-persist ippagi.txt
> client-config-dir /etc/openvpn/ccdagi #Used to handle special configs
> # Add route to Client routing table for the OpenVPN Server
> push "route 10.8.113.1 255.255.255.255"
> # Add route to Client routing table for the OpenVPN Subnet
> push "route 10.8.113.0 255.255.255.0"
> client-to-client #Allow VPN clients to talk to each other
> duplicate-cn #Can connect several tunnels using the same credentials
> keepalive 10 120
> cipher AES-256-CBC
> comp-lzo
> persist-key
> persist-tun
> max-clients 20
> status /etc/openvpn/log/ovpnagi-status.log 20
> log-append /etc/openvpn/log/ovpnagi.log
> verb 3
> explicit-exit-notify 1
>
> So I don't want the tunnel clients to be routed out onto the server side LAN nor
> do I want them to be able to route through to the Internet.
> Basically the ONLY traffic in the tunnel should be the client-to-client traffic.
>
> What else should I do in the conf file?


Like Gert already said, openvpn itself does not route traffic except client-to-client stuff; if your OS does not route (ip_forward) traffic, then the openvpn client traffic will never leave the box. They *could*, in theory, reach the LAN interface of the openvpn server, but that is a minor security risk.

As for the dumb approach:
try adding
  iptables -I INPUT -i tun+ -j LOG
  iptables -I OUTPUT -o tun+ -j LOG
  iptables -I FORWARD -i tun+ -j LOG
  iptables -I FORWARD -o tun+ -j LOG

(and possible ipv6 equivalents) and then connect your clients - if any traffic is coming out of the tunnel (or going into the tunnel) then you will see it in syslog (e.g. /var/log/messages or /var/log/syslog).

Also, if you require client-to-client filtering (i.e. only certain types of traffic allowed between clients) then you will need to turn OFF client-to-client and you will have to set up some firewalld/iptables rules.

HTH,

JJK
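The three pieces of advice in this thread (log what crosses the tun interface, keep tunnel packets off the server's LAN interface and out of FORWARD while client-to-client stays on, and drop client-to-client in favour of FORWARD rules when peer traffic needs filtering) as one added shell example. This is not from the thread or from the OpenVPN project; it assumes the second server instance comes up on tun1, uses the 10.8.113.0/24 subnet and 10.8.113.1 server address from Bo's config, and that the only thing the two devices need between them is TCP to a placeholder port 5000. The functions print iptables commands rather than running them, so the output can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Added example (not part of the list thread): generate iptables rules that
# confine one OpenVPN server instance's clients to client-to-client traffic.
# Assumed values (not given in the thread): interface tun1, peer port 5000.
set -eu

TUN_IF="${TUN_IF:-tun1}"                 # assumed tun device of the new instance
VPN_NET="${VPN_NET:-10.8.113.0/24}"      # subnet from Bo's config
VPN_GW="${VPN_GW:-10.8.113.1}"           # server address from Bo's config
PEER_PORT="${PEER_PORT:-5000}"           # placeholder: the only port peers may use

# Audit rules as JJK describes them, for IPv4 and IPv6, with a log prefix so
# the entries can be grepped out of syslog. Insert (-I) puts them first.
ovpn_audit_rules() {
  ifc="$1"
  for cmd in iptables ip6tables; do
    for spec in "INPUT -i" "OUTPUT -o" "FORWARD -i" "FORWARD -o"; do
      printf '%s -I %s %s -j LOG --log-prefix "OVPN-AUDIT "\n' "$cmd" "$spec" "$ifc"
    done
  done
}

# Lockdown with client-to-client ON: peer packets are switched inside openvpn
# and never reach these chains (Gert's point), so the firewall only has to
# close the two remaining paths, the server's own interfaces and FORWARD.
ovpn_lockdown_rules() {
  ifc="$1"; gw="$2"
  cat <<EOF
# Replies to anything the server itself sent into the tunnel.
iptables -A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Let clients ping the tunnel address for diagnostics, nothing else.
iptables -A INPUT -i $ifc -d $gw -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $ifc -j DROP
# Nothing from the tunnel is routed to the LAN or the Internet, and nothing in.
iptables -A FORWARD -i $ifc -j DROP
iptables -A FORWARD -o $ifc -j DROP
EOF
}

# Filtered variant with client-to-client OFF: peer packets now leave tun1,
# are routed by the kernel (so ip_forward must be on) and re-enter tun1, which
# is where FORWARD rules can restrict them to one TCP port between peers.
ovpn_filtered_rules() {
  ifc="$1"; net="$2"; port="$3"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $ifc -o $ifc -s $net -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ifc -o $ifc -s $net -d $net -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Everything else entering or leaving the tunnel via the kernel is dropped.
iptables -A FORWARD -i $ifc -j DROP
iptables -A FORWARD -o $ifc -j DROP
EOF
}

# Print all three rule sets for review when run directly.
ovpn_audit_rules "$TUN_IF"
ovpn_lockdown_rules "$TUN_IF" "$VPN_GW"
ovpn_filtered_rules "$TUN_IF" "$VPN_NET" "$PEER_PORT"
```

The lockdown and filtered sets are alternatives, not a pair: apply one or the other depending on whether client-to-client is in the config. The audit rules can be added on top of either set while the new instance is being tested and removed once syslog stays quiet apart from the expected peer traffic.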
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users