If this gets too complicated, another option may be to run multiple OpenVPN servers, each with its unique access parameters. It's certainly more work but might make each configuration simpler and easier to understand with the benefit possibly outweighing the effort.
-----Original Message-----
From: Bo Berglund <bo.bergl...@gmail.com>
To: openvpn-users@lists.sourceforge.net
Sent: Sun, May 1, 2022 10:41 am
Subject: Re: [Openvpn-users] How to block clients access to local LAN?

On Sun, 1 May 2022 15:46:43 +0200, Gert Doering <g...@greenie.muc.de> wrote:

>Hi,
>
>On Sun, May 01, 2022 at 03:28:22PM +0200, Bo Berglund wrote:
>> But when I use another profile, which should not be able to reach the local
>> LAN,
>> I am still granted local LAN access....
>
>The problem is the "redirect gateway" part for "those other profiles" -
>if you send these clients a default route (to circumvent the geoloc
>things), "your home lan" is part of "default route".
>
>> So it seems like there is something else I need to do in the server.conf
>> file.
>
>One used to be able to do this inside OpenVPN by means of the primitive
>"PF" packet filter, but that was both ill-documented, only accessible
>from a plugin (= not from ccd/), and IPv4-only - so it got removed.
>
>One way to tackle this:
>
> - give those clients IP addresses from a dedicated range
>   (use pool IPs for those clients, and static for others, or vice versa)
>
> - put an iptables forward rule on the tun interface that disallows
>   "not allowed clients" --> "LAN IP addresses"

That reminds me of how I "fixed" a similar problem on the company LAN in about 2017...

We had a consultant developer who needed to access our SVN server on the private LAN, so he needed to come on board, but he was not allowed any access except to the SVN server via IPTABLES and the IP address handed to him on login in the ccd file.

So I will set up an IP range for "allowed" clients and another for "disallowed" clients and then block the disallowed clients via IPTABLES.

Thanks for the suggestion/reminder!

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
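Gert's two-step approach above (a dedicated address range for the restricted clients plus an iptables FORWARD rule on the tun interface), as an added example that is not code from the thread or from the OpenVPN project. It assumes constructed values: tun0, VPN subnet 10.8.0.0/24 with topology subnet, the pool 10.8.0.128-10.8.0.254 for the "disallowed" clients, ccd statics below .128 for the "allowed" ones, and LAN 192.168.1.0/24; the `server ... nopool` plus `ifconfig-pool` pairing and the iptables flags are taken from the OpenVPN and iptables manuals, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Splits one OpenVPN subnet into a static
# range for LAN-allowed clients (ccd/ifconfig-push, below .128) and a pool
# range for everyone else, then drops pool -> LAN traffic in FORWARD on tun0.
# Constructed values; adjust to the real interface and subnets.
TUN_IF=${TUN_IF:-tun0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DENIED_NET=${DENIED_NET:-10.8.0.128/25}   # pool range = "disallowed" clients
# Assumed matching server.conf lines (nopool so the pool can be restricted):
#   topology subnet
#   server 10.8.0.0 255.255.255.0 nopool
#   ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
#   client-config-dir ccd

# ip_to_int 10.8.0.200 -> dotted quad as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <net/bits>: succeeds when the address lies inside the range
in_cidr() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ccd_entry <ccd-dir> <common-name> <ip>: static address for an allowed client.
# Refuses an address inside the blocked pool, which the DROP rule would hit.
ccd_entry() {
    if in_cidr "$3" "$DENIED_NET"; then
        echo "refusing $2: $3 lies inside blocked range $DENIED_NET" >&2
        return 1
    fi
    printf 'ifconfig-push %s 255.255.255.0\n' "$3" > "$1/$2"
}

# Emit the firewall commands (dry run) so they can be reviewed; apply with
# lan_block_rules | sh. Both are inserted at position 1 so no earlier ACCEPT
# wins; the LOG rule ends up first and makes blocked attempts visible in syslog.
lan_block_rules() {
    printf 'iptables -I FORWARD 1 -i %s -s %s -d %s -j DROP\n' \
        "$TUN_IF" "$DENIED_NET" "$LAN_NET"
    printf 'iptables -I FORWARD 1 -i %s -s %s -d %s -m limit --limit 5/min -j LOG --log-prefix "vpn-lan-block: "\n' \
        "$TUN_IF" "$DENIED_NET" "$LAN_NET"
}

lan_block_rules   # print the rules for review
```

Because the clients still receive the default route, only the FORWARD rule keeps them off the LAN; verify with `iptables -L FORWARD -v -n` and watch the `vpn-lan-block:` log prefix for blocked attempts.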