client-to-client bypasses nftables entirely. With it enabled, client-to-client packets are routed internally to openvpn via the iroute table without ever being handed off to the kernel for inspection, firewalling, routing, counting, capturing, mangling, or anything else.
Without client-to-client, the packets are handed to the kernel on the tun/tap interface where the kernel can decide what to do with them, which may or may not include handing them back to openvpn to send out to a different client.

On Fri, Nov 19, 2021 at 9:57 AM lejeczek via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>
> On 19/11/2021 13:57, Gert Doering wrote:
> > Hi,
> >
> > On Fri, Nov 19, 2021 at 01:52:20PM +0000, lejeczek via Openvpn-users wrote:
> >>> unset client-to-client in the openvpn config, make sure "a given client"
> >>> has a known IP address (ifconfig-push in ccd/), then do the filtering
> >>> by iptables on the linux side.
> >> How can it be determined what ovpn does exactly to/with
> >> nftables?
> > That is easy: nothing. If you want something done in iptables/nftables,
> > you need to set it up whatever you want it.
> >
> >> On most recent CentOS Stream 8 where firewalld is the tool
> >> to manage it, with 'direct' rules I fail to make it work - I
> >> keep making them looser increasingly but with NO
> >> 'client-to-client' I'm unable to have clients talk one to
> >> another.
> > Try disabling all firewalling first. If client-to-client then still does
> > not work, the problem is somewhere else (like, ip_forwarding not enabled).
> >
> > If it works without firewalling, try with permissive rules that only log
> > stuff first, so you can see "this rule would have matched".
> >
> > gert
> client-to-client works. I did disable it as per your
> suggestion to "unset" and am trying to work it out through
> rules which would allow.
> But similarly enabled 'client-to-client' also seems to
> escape my rules to drop.
> What I am hoping for is some docs on the 'magic' bits
> 'client-to-client' does in nftables, if any.
>
> thanks, L.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
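The approach Gert describes (unset client-to-client, pin client addresses with ifconfig-push in ccd/, then filter in the kernel), written out as an added example that is not part of the thread and not OpenVPN project code: a POSIX shell script that generates an nftables ruleset for the forward hook on the tun interface, with a log-only mode for the "this rule would have matched" step, plus the ip_forward check. The interface name tun0, the subnet 10.8.0.0/24, the two client addresses and the SSH port are assumptions made for the example. With client-to-client enabled none of these rules would ever see a packet, which is exactly what the reply above explains.

```shell
#!/bin/sh
# Added example (not from the thread): nftables filtering between OpenVPN
# clients once client-to-client is unset, so client-to-client packets
# traverse the kernel forward hook on the tun interface.
# Assumptions: tun0 is the server's tun device, 10.8.0.0/24 is the VPN
# subnet, and 10.8.0.10 / 10.8.0.20 are clients whose addresses are fixed
# via ifconfig-push in ccd/ (all constructed for this example).

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Emit the ruleset as text so it can be reviewed, saved, or loaded with
# `gen_ruleset | nft -f -` (as root). Passing "1" produces the permissive
# variant: the catch-all rule logs what would have been dropped but accepts.
gen_ruleset() {
    log_only="${1:-0}"
    if [ "$log_only" = "1" ]; then
        final='counter log prefix "ovpn-c2c-would-drop: " accept'
    else
        final='counter log prefix "ovpn-c2c-drop: " drop'
    fi
    cat <<EOF
table inet ovpn {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Only packets between VPN clients: in and out on $VPN_IF, both
        # addresses inside the VPN subnet.
        iifname "$VPN_IF" oifname "$VPN_IF" ip saddr $VPN_NET ip daddr $VPN_NET jump c2c
    }
    chain c2c {
        # Return traffic for flows already allowed below.
        ct state established,related accept
        # One explicitly allowed client pair (constructed addresses and port).
        ip saddr 10.8.0.10 ip daddr 10.8.0.20 tcp dport 22 accept
        # Everything else between clients: count, log, then the verdict.
        $final
    }
}
EOF
}

# Gert's other check: forwarding must be enabled or nothing between clients
# works regardless of rules. The optional path argument lets the check be
# run against a sample file instead of /proc.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Stand-alone usage: print the log-only ruleset and report ip_forward.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    gen_ruleset 1
    if ip_forward_enabled; then
        echo "# ip_forward: enabled"
    else
        echo "# ip_forward: DISABLED (sysctl -w net.ipv4.ip_forward=1)"
    fi
fi
```

Load the log-only variant first, generate traffic between the two clients, and watch the kernel log for the `ovpn-c2c-would-drop:` prefix; once the accept rules cover the intended flows, reload with `gen_ruleset | nft -f -` for the dropping variant. On a host where firewalld owns the ruleset (the CentOS Stream 8 case in the thread), the table has to be loaded in a way firewalld does not flush on reload, otherwise the rules silently disappear.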