I have an OpenVPN server where I have two different services:

  local: Clients have access only to the local LAN
  full:  Clients have access to the local LAN and the web
I use these two for the following access:

  local: When I do not want to be moved to the server side gateway when accessing the Internet. Used primarily to interact with the home LAN devices.
  full:  When I connect and want to be fully geo-located at home.

The VPN users are mostly myself but also family members living abroad, to allow them access to geo-located Swedish web resources. Additionally I use the OpenVPN server to connect some remote Linux devices back home.

What I have now realized is that it is not really OK to allow the "geo-locating" clients to access the local LAN when using the VPN, but I really need this for myself.

Is it possible (for example via ccd entries) to block the clients from local LAN access using the existing general setup? I.e. can I add entries into their ccd files to explicitly *disallow* local LAN access?

This is what my server.conf file looks like now (note: it was set up many years ago):

  port 1191
  proto udp
  dev tun
  ca /etc/openvpn/keys/ca.crt
  cert /etc/openvpn/keys/server.crt
  key /etc/openvpn/keys/server.key  # This file should be kept secret
  dh /etc/openvpn/keys/dh2048.pem
  tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
  topology subnet
  server 10.8.0.0 255.255.255.0 'nopool'
  ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "route 192.168.119.0 255.255.255.0"
  push "redirect-gateway def1 bypass-dhcp"
  push "dhcp-option DNS 208.67.222.222"
  push "dhcp-option DNS 208.67.220.220"
  keepalive 10 120
  cipher AES-256-CBC
  #Disable compression and push this to the client
  comp-lzo no
  push "comp-lzo no"
  client-config-dir /etc/openvpn/ccdw
  max-clients 20
  persist-key
  persist-tun
  status /etc/openvpn/log/openvpn-status.log
  log /etc/openvpn/log/openvpn.log
  verb 4
  mute 10
  explicit-exit-notify 1
  push "explicit-exit-notify 1"

Is there a way to *override* the following command from the ccd client specific file?

  push "route 192.168.119.0 255.255.255.0"

I assume that this line is what gives local access to clients...
Or do I have to remove it here and instead put it back into the ccd files for the clients that I allow LAN access for? LAN access is really an exception for myself only, but on several different computers.

NOTE: When looking at this I see the not so clever use of 10.8.0.0 255.255.255.0 as the tunnel address; it was taken from the cook-book I read at the time of original setup back in 2014. But changing it now could have unintended ramifications.

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
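One way to do the split the question asks about, as an added example that is not part of the post: it writes a per-client ccd entry that strips the LAN route for geo-only clients and keeps it for trusted ones, and prints the server-side firewall rules that actually enforce the restriction, since a pushed route only steers the client and a client can add the route itself. It assumes an OpenVPN 2.4 or newer server (for push-remove), the ccd directory and tun device named in the script, and fixed tunnel addresses from 10.8.0.200 up, which lie outside the 10.8.0.2-127 pool in the posted server.conf.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the ccd path and
# tun device below, fixed tunnel IPs from 10.8.0.200 up (outside the
# 10.8.0.2-127 pool), and an OpenVPN 2.4+ server so push-remove exists.
# Pushed routes only steer the client; the FORWARD chain is the real control.
set -eu

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccdw}"   # client-config-dir from server.conf
LAN_NET="192.168.119.0 255.255.255.0"      # the route pushed in server.conf
LAN_CIDR="192.168.119.0/24"
TUN_IF="tun0"

# write_ccd <client-CN> <lan|nolan> <static-tunnel-ip>: writes the ccd file
# for that client and prints its path.
write_ccd() {
  cn=$1 role=$2 tun_ip=$3
  f="$CCD_DIR/$cn"
  {
    echo "# generated for $cn, role: $role"
    # Fixed tunnel address (topology subnet) so firewall rules can key on it.
    echo "ifconfig-push $tun_ip 255.255.255.0"
    if [ "$role" = "nolan" ]; then
      # Remove only the global LAN route for this client; redirect-gateway,
      # DNS and the rest of the global push list stay. (push-reset would
      # instead discard every global push, after which each one must be
      # re-pushed here.)
      echo "push-remove \"route $LAN_NET\""
    fi
  } > "$f"
  echo "$f"
}

# fw_rules "<ip> <ip> ...": prints iptables commands that let only the listed
# tunnel IPs into the LAN and drop everything else from the tunnel to the LAN.
# Insert these ahead of any general tun -> LAN ACCEPT rule.
fw_rules() {
  for ip in $1; do
    echo "iptables -A FORWARD -i $TUN_IF -s $ip -d $LAN_CIDR -j ACCEPT"
  done
  echo "iptables -A FORWARD -i $TUN_IF -d $LAN_CIDR -j DROP"
}

if [ "${1:-}" = "demo" ]; then
  write_ccd "my-laptop" lan 10.8.0.200
  write_ccd "family-abroad" nolan 10.8.0.201
  fw_rules "10.8.0.200"
fi
```

Run with `CCD_DIR=/tmp/ccd sh split.sh demo` to inspect the generated files and rules before pointing it at the real client-config-dir.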