----- Original Message -----
From: Tom Eastep <[email protected]>
To: Shorewall Users <[email protected]>
Sent: Wed, 26 Aug 2009 16:18:59 +0200 (CEST)
Subject: Re: [Shorewall-users] howto block openvpn client to client access

Tom Eastep wrote:
> [email protected] wrote:
>> Hi,
>> I have set up vpn rules for openvpn, rules are working between vpn
>> clients and the lan
>> however, all traffic is allowed between vpn clients (and I did not set up
>> routeback option in zones) !!
>
> If you are using a routed OpenVPN configuration, don't specify
> 'client-to-client'; that will cause the OpenVPN server to route between
> the clients internally.
>
>> and finally the link of mark zonzon regarding selective communication
>> between openvpn clients is dead in the docs.
>
> I've removed the link.

I also changed the 'and' at the end of the first bullet to 'or' since either of those measures will allow client-to-client communications. 'client-to-client' is preferred because it is more efficient. Using 'routeback' allows you to control client to client traffic by setting the vpn->vpn policy to REJECT and adding the appropriate vpn->vpn ACCEPT rules.

Ok, now everything is as expected, vpn clients are using allowed firewall rules between each other, only needed adding a "route push ..." directive in the openvpn server.

Thanks !

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
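
The 'routeback' approach discussed in the thread, sketched as configuration fragments. This is an added example, not taken from any message above; the tun0 interface, the 10.8.0.0/24 tunnel subnet, the client addresses and the SSH exception are assumptions.

```conf
# --- OpenVPN server.conf (routed / tun mode) ---
dev tun0
# Assumed tunnel subnet.
server 10.8.0.0 255.255.255.0
# No 'client-to-client' line here: packets between clients then leave the
# OpenVPN process through tun0 and cross the kernel, where Shorewall
# can filter them.
# Give clients a route to the whole tunnel subnet via the server
# (assumed value, matching the subnet above).
push "route 10.8.0.0 255.255.255.0"

# --- /etc/shorewall/zones ---
#ZONE   TYPE
vpn     ipv4

# --- /etc/shorewall/interfaces (format-1 layout with BROADCAST column) ---
# 'routeback' permits traffic arriving on tun0 to be routed back out tun0.
#ZONE   INTERFACE   BROADCAST   OPTIONS
vpn     tun0        -           routeback

# --- /etc/shorewall/policy (place above any 'all all' entry) ---
# Explicit intra-zone policy: client-to-client traffic is refused by default.
#SOURCE DEST    POLICY  LOG LEVEL
vpn     vpn     REJECT  info

# --- /etc/shorewall/rules ---
# Assumed exception: client 10.8.0.6 may open SSH to client 10.8.0.10.
#ACTION SOURCE          DEST            PROTO   DEST PORT(S)
ACCEPT  vpn:10.8.0.6    vpn:10.8.0.10   tcp     22
```

Per-client rules like the ACCEPT line only hold if each client always receives the same tunnel address, for example through `ifconfig-push` in a `client-config-dir` file. Run `shorewall check` before restarting to catch syntax errors.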
