Hi,

On Sun, May 01, 2022 at 03:28:22PM +0200, Bo Berglund wrote:
> But when I use another profile, which should not be able to reach the local 
> LAN,
> I am still granted local LAN access....

The problem is the "redirect gateway" part for "those other profiles" - 
if you send these clients a default route (to circumvent the geoloc
things), "your home lan" is part of "default route".

> So it seems like there is something else I need to do in the server.conf file.

One used to be able to do this inside OpenVPN by means of the primitive
"PF" packet filter, but that was both ill-documented, only accessible
from a plugin (= not from ccd/), and IPv4-only - so it got removed.

One way to tackle this:

 - give those clients IP addresses from a dedicated range
   (use pool IPs for those clients, and static for others, or vice versa)

 - put an iptables forward rule on the tun interface that disallows
   "not allowed clients" --> "LAN IP addresses"

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

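The two-step approach above, as an added example that is not from this post or the OpenVPN project. It assumes the OpenVPN interface is tun0, the restricted clients draw pool addresses from 10.8.0.128/25 (the rest of 10.8.0.0/24 going to trusted clients via ccd/ ifconfig-push), and the home LAN is 192.168.1.0/24; applying the rules needs root.

```sh
#!/bin/sh
# Added example: iptables rules for "restricted VPN clients may not reach the LAN".
# Assumed values (override via environment): tun0, restricted pool 10.8.0.128/25
# (e.g. handed out with an ifconfig-pool limited to that range), LAN 192.168.1.0/24.
TUN_IF="${TUN_IF:-tun0}"
RESTRICTED_NET="${RESTRICTED_NET:-10.8.0.128/25}"
LAN_NETS="${LAN_NETS:-192.168.1.0/24}"

# Print the two iptables commands for one LAN prefix. Rules are inserted at the
# top of the chain (-I) so an existing blanket "-i tun0 -j ACCEPT" cannot shadow
# them. FORWARD covers routed traffic to LAN hosts; INPUT covers the VPN server's
# own LAN-side address, which never passes through FORWARD.
lan_block_rules() {
    lan="$1"
    printf 'iptables -I FORWARD -i %s -s %s -d %s -j DROP\n' "$TUN_IF" "$RESTRICTED_NET" "$lan"
    printf 'iptables -I INPUT -i %s -s %s -d %s -j DROP\n' "$TUN_IF" "$RESTRICTED_NET" "$lan"
}

# Emit rules for every LAN prefix given as arguments (default: $LAN_NETS).
# With APPLY=1 the commands are executed; otherwise they are printed so the
# rule set can be reviewed before it touches the firewall.
lan_block_apply() {
    [ $# -gt 0 ] || set -- $LAN_NETS
    for lan in "$@"; do
        lan_block_rules "$lan"
    done | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# After loading: count the DROP rules for the restricted range in FORWARD
# (expect one per LAN prefix). Needs root.
lan_block_verify() {
    iptables -S FORWARD | grep -c -- "-s $RESTRICTED_NET .* -j DROP"
}
```

Since restricted clients still get the default route pushed, everything except the LAN prefixes keeps flowing; only the LAN-bound packets are dropped.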

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
