Hi,

------- Original Message -------
On Friday, October 20th, 2023 at 21:17, Bo Berglund <bo.bergl...@gmail.com> wrote:

> On Fri, 20 Oct 2023 15:35:30 -0400, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > On Thu, 19 Oct 2023 18:11:48 -0400, Bo Berglund bo.bergl...@gmail.com wrote:
> >
> > > I.e. is it enough to remove the route into the local LAN for this to be
> > > blocked and only allowing web access forwarding?

No. In this case --redirect-gateway has the same effect as pushing a route for
the server LAN. Access to the Server LAN must be controlled via the firewall.
Because, even if the server does not push --redirect-gateway or --route, the
client can still install these routes via the client config, or manually ..

<snipped for clarity>

> > The log seems to show a successful connection but then it spits out this
> > afterwards:
> >
> > BosseAtJenny/90.:3626 PUSH: Received control message: 'PUSH_REQUEST'
> > BosseAtJenny/90.:3626 MULTI: bad source address from client [100.85.129.161], packet dropped
> > BosseAtJenny/90.***:3626 MULTI: bad source address from client [100.85.129.161], packet dropped

These are packets from a client, with an IP that is unknown to the server.
You should recognise the IP address, otherwise, you may have some rogue traffic
on your client network. If you recognise the IP then you would use --iroute to
enable or disable handling that traffic.

<snipped for clarity>

> Forgot to say that I added the rule for this server so iptables-save reports:
> *nat
> :PREROUTING ACCEPT [49428:11412761]
> :INPUT ACCEPT [49214:11396939]
> :OUTPUT ACCEPT [2047:130347]
> :POSTROUTING ACCEPT [2047:130347]
> -A POSTROUTING -s 10.13.143.0/24 -j MASQUERADE
> -A POSTROUTING -s 10.13.149.0/24 -j MASQUERADE
>
> Which I assumed was needed in order to make the routing out onto the web to
> happen.
>
> 143 is for web+lan (working) and 149 for webonly (failing)

If the behaviour is different then something else could be set up wrong, or
maybe you have just run out of patience .. hard to say.

Do you understand what MASQUERADE does? If not then you really should, by now ..

Also, you have not installed any rules to control access to your Server LAN.

Ask one question at a time and then read and understand the answers.

HTH
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
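The reply's point is that a MASQUERADE rule in the nat table only rewrites the source address of packets the kernel has already decided to forward; it says nothing about which packets may be forwarded, so the web-only subnet still reaches the server LAN unless the filter table's FORWARD chain refuses it. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It keeps the two MASQUERADE rules Bo posted and adds the FORWARD rules the reply says are missing. The server LAN (192.168.1.0/24) and the tunnel interface name (tun0) are assumptions, since the thread states neither.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset in which MASQUERADE provides
# Internet access for both VPN subnets, while the FORWARD chain decides who may
# reach the server LAN. Networks marked "assumed" are placeholders.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed server LAN, replace with yours
WEBLAN_NET="10.13.143.0/24"            # web+lan clients (subnet from the thread)
WEBONLY_NET="10.13.149.0/24"           # web-only clients (subnet from the thread)
TUN_IF="${TUN_IF:-tun0}"               # assumed OpenVPN interface name

# Prints the complete nat + filter ruleset in iptables-save format.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT for both VPN subnets. This is the rule set Bo already has; it
# only rewrites addresses and grants nothing by itself.
-A POSTROUTING -s $WEBLAN_NET -j MASQUERADE
-A POSTROUTING -s $WEBONLY_NET -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Default-deny forwarding: every permitted path is listed explicitly below.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that were already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Web-only clients probing the server LAN: log (rate-limited) and refuse.
# The rule counters and log lines give a cheap record of such attempts.
-A FORWARD -i $TUN_IF -s $WEBONLY_NET -d $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "webonly->lan "
-A FORWARD -i $TUN_IF -s $WEBONLY_NET -d $LAN_NET -j DROP
# "Web only" also means no other private address space, e.g. the other VPN
# subnet or further LANs behind the server.
-A FORWARD -i $TUN_IF -s $WEBONLY_NET -d 10.0.0.0/8 -j DROP
-A FORWARD -i $TUN_IF -s $WEBONLY_NET -d 172.16.0.0/12 -j DROP
-A FORWARD -i $TUN_IF -s $WEBONLY_NET -d 192.168.0.0/16 -j DROP
# Whatever is left for web-only clients is Internet traffic.
-A FORWARD -i $TUN_IF -s $WEBONLY_NET -j ACCEPT
# Web+LAN clients may reach both the server LAN and the Internet.
-A FORWARD -i $TUN_IF -s $WEBLAN_NET -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the generated ruleset contains the explicit drop of
# web-only client traffic towards the server LAN.
weblan_blocked_for_webonly() {
    build_ruleset | grep -q -- "-s $WEBONLY_NET -d $LAN_NET -j DROP"
}

build_ruleset
```

Save it as, say, build-rules.sh and check the syntax without touching the live tables with `sh build-rules.sh | iptables-restore --test`; load it with `iptables-restore` once the LAN and interface placeholders match the server. The order matters: the DROP rules for the web-only subnet sit before its ACCEPT, and nothing in the nat table changes that decision.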