On 19/11/2021 15:08, Joe Patterson wrote:
client-to-client bypasses nftables entirely.  With it enabled,
client-to-client packets are routed internally to openvpn via the
iroute table without ever being handed off to the kernel for
inspection, firewalling, routing, counting, capturing, mangling, or
anything else.

Without client-to-client, the packets are handed to the kernel on the
tun/tap interface where the kernel can decide what to do with them,
which may or may not include handing them back to openvpn to send out
to a different client.

On Fri, Nov 19, 2021 at 9:57 AM lejeczek via Openvpn-users
<openvpn-users@lists.sourceforge.net> wrote:


On 19/11/2021 13:57, Gert Doering wrote:
Hi,

On Fri, Nov 19, 2021 at 01:52:20PM +0000, lejeczek via Openvpn-users wrote:
unset client-to-client in the openvpn config, make sure "a given client"
has a known IP address (ifconfig-push in ccd/), then do the filtering
by iptables on the linux side.
How can it be determined what ovpn does exactly to/with
nftables?
That is easy: nothing.  If you want something done in iptables/nftables,
you need to set it up however you want it.

On most recent CentOS Stream 8 where firewalld is the tool
to manage it, with 'direct' rules I fail to make it work - I
keep making them increasingly looser but with NO
'client-to-client' I'm unable to have clients talk one to
another.
Try disabling all firewalling first.  If client-to-client then still does
not work, the problem is somewhere else (like, ip_forwarding not enabled).

If it works without firewalling, try with permissive rules that only log
stuff first, so you can see "this rule would have matched".

gert
client-to-client works. I did disable it as per your
suggestion to "unset" and am trying to work it out through
rules which would allow.
But similarly enabled 'client-to-client' also seems to
escape my rules to drop.
What I am hoping for is some docs on the 'magic' bits
'client-to-client' do in nftables, if any.

thanks, L.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
I wonder if it does, if ovpn really passes that on to the kernel.
I have it working in CentOS with 4.18.0-305.25.1.el8_4.x86_64 (+ other components in lower ver/rev) but with most recent CentOS Stream 8 with 4.18.0-348.el8.x86_64 I cannot get it to work. Everything that works in "earlier" CentOS, such as the rude & trivial putting of the TUN iface into the 'trusted' zone with forwarding, including direct rules, fails to do the trick in this recent OS version.

thanks, L.
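A kernel-side ruleset for the setup Gert and Joe describe (client-to-client removed from the server config, so peer traffic arrives on the tun interface and passes the forward hook). This is an added example, not code from any poster; it assumes the VPN interface is tun0, the VPN subnet is 10.8.0.0/24, and two clients were pinned with ifconfig-push in ccd/ to 10.8.0.10 and 10.8.0.20.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Filter VPN client-to-client
# traffic in the kernel once "client-to-client" is absent from the
# OpenVPN server config. Assumptions: VPN interface tun0, subnet
# 10.8.0.0/24, allowed peers 10.8.0.10 and 10.8.0.20 (ifconfig-push).
# net.ipv4.ip_forward must be 1, or nothing reaches the forward hook.

table inet vpn_c2c {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Only traffic that both enters and leaves on tun0 is
        # client-to-client. The counter shows whether such packets
        # are reaching the kernel at all.
        iifname "tun0" oifname "tun0" counter jump c2c
    }

    chain c2c {
        # Replies belonging to flows already allowed below.
        ct state established,related accept

        # The one peer pair that may talk, in both directions.
        ip saddr 10.8.0.10 ip daddr 10.8.0.20 accept
        ip saddr 10.8.0.20 ip daddr 10.8.0.10 accept

        # Everything else between clients: log it, count it, drop it.
        # While testing, keep the log and counter but remove "drop" so
        # the rule only reports what would have matched.
        log prefix "vpn c2c drop: " counter drop
    }
}
```

`nft list table inet vpn_c2c` shows the counters: if the jump counter stays at zero while two clients exchange packets, the traffic is not being handed to the kernel (client-to-client still set, or ip_forward off), and no firewall rule can see it. On a firewalld host this table sits beside firewalld's own nftables tables, so forwarded tun0 traffic still has to be permitted by the zone as well.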

