On Fri, Jul 31, 2020, 08:39 Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Thu, Jul 30, 2020 at 11:33:45PM +0300, Alex K wrote:
> > On Wed, Jul 29, 2020, 07:57 Peter Fraser <softwareinfo...@gmail.com> wrote:
> > > I set up my OpenVPN Server for IT access but now everyone seems to love
> > > it and I have to be allowing more and more persons. I wonder, is there a
> > > way to prevent one user from accessing a particular route that is listed
> > > in the global config file. I have only seen how to do the opposite, that
> > > is, allow a user access to a route not listed in the global config. Any
> > > help would be greatly appreciated.
> > >
> > As a simple approach, I would recommend pushing specific routes to users
> > through the ccd file. Each ccd file is named according to the common name
> > of the user's cert.
>
> While this works, it's not a good security measure - the server will not
> verify (can not) that the client is using *only* those routes that you
> push.
>
> So if you put "route 1.2.3.4 255.255.255.255" in the client config,
> that address will be routed into the VPN as well, in addition to what
> the server pushed.
>
Indeed. If you have to deal with such users, then you may push specific VPN
IPs to each user and then control access with static firewall rules at the VPN
server, though this approach does not seem very scalable, as you have to
carefully manage the firewall and the assigned IPs. To make it more fun, and
still keep it simple, I would prepare a connect script on the server side
which, according to the client name, would add/remove firewall rules to allow
specific access to the dynamically assigned VPN IP.

>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
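A server-side hook along the lines Alex describes, added here as an illustration and not code from the thread or from the OpenVPN project. It assumes OpenVPN runs the script through client-connect / client-disconnect (which requires script-security 2), that the firewall is iptables with a dedicated chain named VPN_ACL (an assumed name) that the FORWARD chain already jumps to and that ends in a DROP for VPN traffic, and that the per-client policy table (alice, bob and their subnets) is constructed sample data. common_name, ifconfig_pool_remote_ip and script_type are the variables OpenVPN exports to scripts. Because, as Gert points out, the server cannot stop a client from adding its own routes, the access decision is enforced on the server by firewalling the client's assigned VPN address rather than by what is pushed; the generated commands are kept separate from their execution so the policy can be reviewed and tested without touching a live firewall.

```shell
#!/bin/sh
# OpenVPN client-connect / client-disconnect hook (added example, not from the thread).
# Assumed firewall layout: iptables, rules kept in a chain named VPN_ACL that the
# FORWARD chain jumps to and that ends with a DROP for traffic from the VPN subnet.

# Policy table: common name -> space separated list of allowed destinations.
# Constructed sample data; in practice this would come from a file or directory.
policy_for() {
    case "$1" in
        alice) echo "10.10.1.0/24 10.10.2.5/32" ;;
        bob)   echo "10.10.2.5/32" ;;
        *)     echo "" ;;   # unknown client: no extra access, default DROP applies
    esac
}

# Print the iptables commands for one client without executing them.
# $1 = "add" or "del", $2 = certificate common name, $3 = VPN IP assigned to the client.
build_rules() {
    action="$1"; cn="$2"; ip="$3"
    case "$action" in
        add) flag="-A" ;;
        del) flag="-D" ;;
        *)   echo "build_rules: bad action '$action'" >&2; return 1 ;;
    esac
    # Refuse anything that is not a plain common name or dotted IPv4 address, so a
    # crafted certificate subject cannot smuggle extra arguments into the command.
    case "$cn" in
        ''|*[!A-Za-z0-9._-]*) echo "build_rules: invalid common name" >&2; return 1 ;;
    esac
    case "$ip" in
        ''|*[!0-9.]*) echo "build_rules: invalid address '$ip'" >&2; return 1 ;;
    esac
    for dst in $(policy_for "$cn"); do
        printf 'iptables %s VPN_ACL -s %s -d %s -j ACCEPT\n' "$flag" "$ip" "$dst"
    done
}

# Run (or, with DRY_RUN=1, only print) the commands produced by build_rules.
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd   # fields were validated above, so word splitting is safe here
        fi
    done
}

# When invoked by OpenVPN, script_type is "client-connect" or "client-disconnect".
# The guard keeps the hook from running when the file is merely sourced.
if [ -n "${script_type:-}" ]; then
    case "$script_type" in
        client-connect)    apply_rules add "$common_name" "$ifconfig_pool_remote_ip" ;;
        client-disconnect) apply_rules del "$common_name" "$ifconfig_pool_remote_ip" ;;
    esac
fi
```

Wire it in with `client-connect /etc/openvpn/vpn-acl.sh` and `client-disconnect /etc/openvpn/vpn-acl.sh` in the server config (paths assumed); the disconnect hook removes exactly the rules the connect hook added, so the pool address can be reused safely. Anything not matched by a rule in VPN_ACL falls through to the chain's DROP, which is what makes the ccd routes a convenience for the client rather than the access control itself.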
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users