On 19/11/2021 13:57, Gert Doering wrote:
Hi,

On Fri, Nov 19, 2021 at 01:52:20PM +0000, lejeczek via Openvpn-users wrote:
unset client-to-client in the openvpn config, make sure "a given client"
has a known IP address (ifconfig-push in ccd/), then do the filtering
by iptables on the linux side.
How can it be determined what ovpn does exactly to/with
nftables?
That is easy: nothing.  If you want something done in iptables/nftables,
you need to set it up however you want it.

On most recent CentOS Stream 8 where firewalld is the tool
to manage it, with 'direct' rules I fail to make it work - I
keep making them looser increasingly but with NO
'client-to-client' I'm unable to have clients talk one to
another.
Try disabling all firewalling first.  If client-to-client then still does
not work, the problem is somewhere else (like, ip_forwarding not enabled).

If it works without firewalling, try with permissive rules that only log
stuff first, so you can see "this rule would have matched".

gert
client-to-client works. I did disable it as per your suggestion to "unset" and am trying to work it out through rules which would allow. But similarly enabled 'client-to-client' also seems to escape my rules to drop. What I am hoping for is some docs on the 'magic' bits 'client-to-client' do in nftables, if any.

thanks, L.
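The steps Gert gives above (leave client-to-client unset, pin each client's address with ifconfig-push in ccd/, filter in the kernel, and start with log-only rules) as one script, added here as an example; it is not code from this thread or from the OpenVPN project. The reason the drop rules are "escaped" while client-to-client is enabled is that with that option OpenVPN forwards client-to-client packets inside its own process and never writes them to the tun interface, so the kernel's forward hook never sees them; without it, every such packet leaves and re-enters via the tun device and is forwarded like any other routed packet. The names below are assumptions, none appear in the thread: interface tun0, server subnet 10.8.0.0/24 with "topology subnet", clients alice (10.8.0.10) and bob (10.8.0.11), ccd directory /etc/openvpn/ccd, and the allow-list itself (alice may reach bob's ssh).

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# Assumed names (none appear in the thread): VPN interface tun0, server
# subnet 10.8.0.0/24 with "topology subnet", clients with common names
# alice (10.8.0.10) and bob (10.8.0.11), ccd directory /etc/openvpn/ccd.
TUN="${TUN:-tun0}"
ALICE="${ALICE:-10.8.0.10}"
BOB="${BOB:-10.8.0.11}"
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# ccd line pinning a client's tunnel address ($1); with "topology subnet"
# ifconfig-push takes the address and the subnet mask.
ccd_entry() {
  printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# Write the ccd file for a client: $1 = common name, $2 = fixed IP.
write_ccd() {
  ccd_entry "$2" > "$CCD_DIR/$1"
}

# Succeeds only if IPv4 forwarding is on; $1 overrides the sysctl path
# (used for testing against a temporary file).
check_forwarding() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# nftables ruleset. $1 = "log": permissive, only logs what the allow-list
# does not match (the "this rule would have matched" stage); "enforce":
# drops it. Anything else is a usage error (exit status 2).
nft_ruleset() {
  case "$1" in
    log)     final='log prefix "ovpn-c2c-would-drop " counter accept' ;;
    enforce) final='log prefix "ovpn-c2c-drop " counter drop' ;;
    *)       echo "usage: nft_ruleset log|enforce" >&2; return 2 ;;
  esac
  cat <<EOF
table inet ovpn {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # client-to-client traffic is the only forwarded traffic that both
    # enters and leaves through the tunnel interface
    iifname "$TUN" oifname "$TUN" jump vpn_c2c
  }
  chain vpn_c2c {
    ct state established,related accept
    # allow-list: alice may reach bob's ssh, nothing else between clients
    ip saddr $ALICE ip daddr $BOB tcp dport 22 accept
    $final
  }
}
EOF
}

# Run with OVPN_APPLY=1 as root to write the ccd files and load the
# log-only ruleset; otherwise only print what would be installed.
if [ "${OVPN_APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
  check_forwarding || { echo "net.ipv4.ip_forward is 0, nothing is forwarded" >&2; exit 1; }
  mkdir -p "$CCD_DIR"
  write_ccd alice "$ALICE"
  write_ccd bob "$BOB"
  nft_ruleset log | nft -f -
else
  ccd_entry "$ALICE"; ccd_entry "$BOB"
  nft_ruleset log
fi
```

Once `journalctl -k` (or the kernel log) shows only the expected "ovpn-c2c-would-drop" hits, switch to `nft_ruleset enforce | nft -f -`. The table is separate from anything firewalld installs: when several base chains hook the same point (here forward) each is evaluated in priority order, an accept in one chain just passes the packet to the next, and a drop in any of them is final, so this chain can deny traffic that firewalld's own rules would allow but cannot override a drop made there.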



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
