On Sun, 01 May 2022 10:32:37 +0200, Bo Berglund <bo.bergl...@gmail.com> wrote:

>What I have now realized is that it is not really OK to allow the
>"geo-locating" clients access to the local LAN when using the VPN, but I
>really need this for myself.
>
>Is it possible (for example via ccd entries) to block the clients from local
>LAN access using the existing general setup?
>
>I.e. can I add entries into their ccd files to explicitly *disallow* local LAN
>access?
>
>This is what my server.conf file looks like now (note: it was set up many
>years ago):
>...
>server 10.8.0.0 255.255.255.0 'nopool'
>ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
>ifconfig-pool-persist ipp.txt
>push "route 192.168.119.0 255.255.255.0"
>push "redirect-gateway def1 bypass-dhcp"
>...
>Is there a way to *override* the following command from the ccd client
>specific file?
>
>push "route 192.168.119.0 255.255.255.0"
>
>I assume that this line is what gives local access to clients...
>
>Or do I have to remove it here and instead put it back into the ccd files for
>clients that I allow LAN access for? LAN access is really an exception for
>myself only. But on several different computers.
>

Follow-up:
----------

I have checked what happens if I remove the route onto the local LAN from the
main server.conf file and put it instead into the ccd/profilename file:

- Commented out this server.conf entry:
  #push "route 192.168.119.0 255.255.255.0"

- Added the following into the /etc/openvpn/ccdw/<myprofilename> file:
  #Allow local access:
  push "route 192.168.119.0 255.255.255.0"

- Restarted the service:
  sudo systemctl restart openvpn-server@server

Then I tried to connect from my phone and use a web bookmark I have to check
if I had accessibility to the web and what external IP address I had:
http://checkip.dyndns.com

This returned the IP address of my home router. :)

After that I also checked web access to an RPi4 with a running Apache server
on my home LAN and it too showed up as it should.
So in effect the edits I had done resulted in my client still being able to
reach both the local LAN and the web, just like I intended.

But when I use another profile, which should not be able to reach the local
LAN, I am still granted local LAN access....

So it seems like there is something else I need to do in the server.conf file.

--
Bo Berglund
Developer in Sweden


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
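Added example (not part of the mailing-list post, and not OpenVPN project code): a small Python checker that parses a server.conf and a set of ccd files and works out, per client profile, which pushed options the client ends up with and how that gives it a path to the 192.168.119.0/24 LAN. The config text is constructed to mirror the setup described in the thread (LAN route commented out of server.conf, pushed only from one ccd file, redirect-gateway pushed globally); the profile names "myprofile", "geoclient" and "isolated" are hypothetical. The third profile uses the real OpenVPN ccd directive push-reset, which discards the global push list for that client, to show the contrast.

```python
import shlex

# Constructed server.conf mirroring the post: the LAN route is commented out
# and all client traffic is redirected through the tunnel.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 192.168.119.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
client-config-dir ccd
"""

# Constructed ccd files keyed by profile name (names are hypothetical).
CCD_FILES = {
    # the one profile that is meant to reach the home LAN
    "myprofile": '#Allow local access:\npush "route 192.168.119.0 255.255.255.0"\n',
    # an ordinary geo-locating client with no per-client overrides at all
    "geoclient": "",
    # a client whose ccd file discards every global push (push-reset is a
    # real OpenVPN directive; it is not used anywhere in the original post)
    "isolated": "push-reset\n",
}

LAN_NETWORK = ("192.168.119.0", "255.255.255.0")


def parse_options(text):
    """Split config text into (directive, args) tuples, skipping blank lines
    and comments ('#' or ';').  A quoted push argument stays one token."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        options.append((tokens[0], tokens[1:]))
    return options


def pushed_options(server_text, ccd_text):
    """Build the push list a given client receives: the global pushes from
    server.conf, wiped by a 'push-reset' in the ccd file if present, plus the
    ccd file's own pushes.  Each entry is the tokenised inner option."""
    pushes = []
    for source in (parse_options(server_text), parse_options(ccd_text)):
        for directive, args in source:
            if directive == "push-reset":
                pushes = []
            elif directive == "push" and args:
                # push "route 10.0.0.0 255.0.0.0" -> ['route', '10.0.0.0', '255.0.0.0']
                pushes.append(shlex.split(" ".join(args)))
    return pushes


def lan_exposure(server_text, ccd_text):
    """Classify how a client ends up with a path to the LAN.  None of these
    outcomes is server-side enforcement: a pushed option only configures the
    client's own routing table, and a client can add routes by itself."""
    pushes = pushed_options(server_text, ccd_text)
    lan_route = any(p[0] == "route" and tuple(p[1:3]) == LAN_NETWORK for p in pushes)
    redirect = any(p[0] == "redirect-gateway" for p in pushes)
    if lan_route:
        verdict = "lan-route-pushed"
    elif redirect:
        # every destination, the LAN included, is sent into the tunnel; the
        # server forwards it if IP forwarding / NAT is enabled there
        verdict = "reachable-via-redirect-gateway"
    else:
        verdict = "no-route-pushed"
    return {"lan_route_pushed": lan_route, "redirect_gateway": redirect, "verdict": verdict}


def report(server_text, ccd_files):
    """Run lan_exposure() for every ccd profile and return {name: result}."""
    return {name: lan_exposure(server_text, text) for name, text in ccd_files.items()}


if __name__ == "__main__":
    for name, result in report(SERVER_CONF, CCD_FILES).items():
        print(f"{name:10s} {result}")
```

The "geoclient" verdict is the behaviour reported in the post: with redirect-gateway def1 pushed from server.conf, a profile that never receives the 192.168.119.0/24 route still sends LAN-bound packets into the tunnel, and the server forwards them. Moving the push between server.conf and the ccd file therefore changes only what the client is told, not what the server allows; restricting a client's LAN reach has to be enforced on the server itself, for example with firewall rules on the tun interface keyed on each client's tunnel address (pinned per profile with ifconfig-push in its ccd file). That server-side rule set is outside what the post covers and is not shown here.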