Hello, I just found that when I'm using TUN dev mode my VPN clients can access each other directly, even if the client-to-client option is missing in my server.conf.

And it's OK when I'm using TAP dev mode, the same configs, just changed tun to tap mode. So when TAP mode is used and client-to-client is missing, users can't access each other directly.

VPN server is based on Ubuntu Linux: tried versions 2.1RC11 and 2.1RC19. Clients are running Windows XP machines.

Here are my configs:

server.conf
========================================
mode server
dev tap
proto udp
local xxx.xxx.xxx.xxx
port 40404
server 10.200.0.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
tls-server
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
management localhost 7505
script-security 1
user nobody
group nogroup
cipher AES-256-CBC
comp-lzo adaptive
keepalive 10 120
persist-tun
persist-key
crl-verify /etc/openvpn/crl.pem
verb 0

client.ovpn
========================================
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx
port 40404
tls-client
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
keepalive 10 120
comp-lzo adaptive
persist-key
persist-tun
resolv-retry infinite
nobind
explicit-exit-notify 2
verb 3

firewall settings
================
#!/bin/bash
PRIVATE=10.200.0.0/24
LOOP=127.0.0.1

# Fail closed while the rules are being rebuilt
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Drop loopback addresses arriving on the external interface
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

# Drop RFC1918 source addresses arriving on the external interface
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

# block netbios from lan pc's
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Check source address validity on packets going out to internet
# (negation written as "! -s", which current iptables requires; same meaning as the old "-s !")
iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# OpenVPN port and tunnel interfaces
iptables -A INPUT -p udp -d xxx.xxx.xxx.xxx --dport 40404 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# ICMP except echo-request (type 8)
iptables -A INPUT -p icmp -m state --state NEW ! --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p icmp -m state --state NEW ! --icmp-type 8 -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
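The behaviour described in the post follows from how OpenVPN handles TUN mode without client-to-client: the server does not switch packets between clients internally, it hands them to the tun interface, and the kernel then routes a packet addressed to another 10.200.0.x host straight back out the same tun interface. The post's rule "iptables -A FORWARD -i tun+ -j ACCEPT" accepts that path as readily as traffic bound for eth0, so client isolation in TUN mode has to be enforced in the FORWARD chain. The script below is an added example, not the poster's firewall script. It assumes the interface names (tun*, eth0) and VPN subnet (10.200.0.0/24) from the post, a FORWARD chain that has already been flushed with a DROP policy, and hypothetical function names chosen here; the ordering check exists because a single ACCEPT placed before the DROP silently defeats the isolation.

```shell
#!/bin/sh
# Added example (not the poster's script): enforce OpenVPN client isolation
# for a TUN (routed) server in the kernel FORWARD chain.
#
# Without "client-to-client", packets one client sends to another arrive on
# the tun interface and are routed back out the same tun interface, so an
# unconditional "-i tun+ -j ACCEPT" lets clients reach each other. The DROP
# for tun->tun therefore has to precede every ACCEPT that matches -i tun+.
#
# Assumptions (constructed to match the post): tun interfaces named tun*,
# Internet-facing interface eth0, VPN subnet 10.200.0.0/24.

VPN_IF="tun+"
WAN_IF="eth0"
PRIVATE="10.200.0.0/24"

# vpn_forward_rules CMD: emit the FORWARD rules, in order, through CMD.
# CMD is "iptables" to load them (root) or "echo" for a dry run.
vpn_forward_rules() {
    cmd="$1"
    # 1. Client-to-client path: in on tun, out on tun. Dropped first.
    "$cmd" -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -j DROP
    # 2. Clients may reach the Internet, but only with a source address from
    #    the VPN subnet (a spoofed source inside the tunnel is dropped).
    "$cmd" -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$PRIVATE" -j ACCEPT
    # 3. Replies for connections the clients opened.
    "$cmd" -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. The chain policy is already DROP; an explicit final DROP keeps a
    #    later appended ACCEPT from widening the chain by accident.
    "$cmd" -A FORWARD -j DROP
}

# show_rules: dry run, prints the rules one per line without touching the kernel.
show_rules() {
    vpn_forward_rules echo
}

# rule_index PATTERN: 1-based position of the first emitted rule containing
# PATTERN (literal match), empty when nothing matches.
rule_index() {
    show_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# isolation_ok: succeeds only when the tun->tun DROP is ahead of the
# tun->WAN ACCEPT, i.e. the rule order actually isolates clients.
isolation_ok() {
    drop=$(rule_index "-i $VPN_IF -o $VPN_IF -j DROP")
    accept=$(rule_index "-i $VPN_IF -o $WAN_IF")
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

# Usage: sh vpn-forward.sh show   (print the rules)
#        sh vpn-forward.sh apply  (load them; needs root and a flushed FORWARD chain)
case "${1:-show}" in
    apply) vpn_forward_rules iptables ;;
    show)  show_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with "show" to preview the rule order before loading anything; the isolation_ok check is what a deployment script would run after "apply" against the live chain. In the poster's script the equivalent change is to insert the tun->tun DROP ahead of "iptables -A FORWARD -i tun+ -j ACCEPT"; the TAP configuration is unaffected, since there the kernel sees all clients on one Layer 2 segment and does not route between them, which matches what the post observed.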