On Sun, 01 May 2022 15:28:22 +0200, Bo Berglund <bo.bergl...@gmail.com> wrote:

>On Sun, 01 May 2022 10:32:37 +0200, Bo Berglund <bo.bergl...@gmail.com> wrote:
>
>>What I have now realized is that it is not really OK to allow the "geo-locating"
>>clients access to the local LAN when using the VPN, but I really need this for
>>myself.
>>
>>Is it possible (for example via ccd entries) to block the clients from local LAN
>>access using the existing general setup?
>>
>>I.e. can I add entries into their ccd files to explicitly *disallow* local LAN
>>access?
>>
>>This is how my server.conf file looks now (note: it was set up many years
>>ago):
>>
>...
>>server 10.8.0.0 255.255.255.0 'nopool'
>>ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
>>ifconfig-pool-persist ipp.txt
>>push "route 192.168.119.0 255.255.255.0"
>>push "redirect-gateway def1 bypass-dhcp"
>...
>>Is there a way to *override* the following command from the ccd client specific
>>file?
>>
>>push "route 192.168.119.0 255.255.255.0"
>>
>>I assume that this line is what gives local access to clients...
>>
>>Or do I have to remove it here and instead put it back into the ccd files for
>>clients that I allow LAN access for? LAN access is really an exception for
>>myself only. But on several different computers.
>>
>
>Follow-up:
>----------
>
>I have checked what happens if I remove the route onto the local LAN from the
>main server.conf file and put it instead into the ccd/profilename file:
>
>- Commented out this server.conf entry:
>  #push "route 192.168.119.0 255.255.255.0"
>- Added the following into the /etc/openvpn/ccdw/<myprofilename> file:
>  #Allow local access:
>  push "route 192.168.119.0 255.255.255.0"
>- Restarted the service:
>  sudo systemctl restart openvpn-server@server
>
>Then I tried to connect from my phone and use a web bookmark I have to check if
>I had accessibility to the web and what external IP address I had.
>http://checkip.dyndns.com
>This returned the IP address of my home router. :)
>After that I also checked web access to an RPi4 with a running Apache server on
>my home LAN and it too showed up as it should.
>
>So in effect the edits I had done resulted in my client still being able to
>reach both the local LAN and the web, just like I intended.
>
>But when I use another profile, which should not be able to reach the local LAN,
>I am still granted local LAN access....
>
>So it seems like there is something else I need to do in the server.conf file.

Back after summer holidays and now I have a request for a VPN client to use my
server as a geo-location handler. But I don't want him to be able to reach my
LAN like in the discussion above...

To simplify things for this single case I believe I can use a client specific
ccd entry to give him a specific IP on connect, then using iptables I should be
able to drop all packets towards the server side LAN, right?

This is what I have done:

I added a ccd entry as follows (DHCP range for non-ccd clients ends at 127):

ifconfig-push 10.8.1.137 255.255.255.0

Now I need to add an IPTABLES rule for the IP address such that it will drop
connection attempts from the source address 10.8.1.137 to destination network
192.168.119.0/24...

But I am pretty bad at formulating these rules so would appreciate it if someone
here may chip in with the correct syntax:

Suggestion:

iptables -I FORWARD 1 -s 10.8.1.130 -d 192.168.119.0/24 -j DROP

Is this like it should be or do I have to change it?

-- 
Bo Berglund
Developer in Sweden


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
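The point behind the whole thread is that `push "route ..."` only installs a route on the client; it is not an access control. With `redirect-gateway` the client sends everything through the tunnel anyway, so the server's firewall is the place where LAN access is actually enforced. The script below is an added example written for this reply, not something posted in the thread: it generates (and optionally applies) the iptables rules for one client address. It assumes the OpenVPN server interface is `tun0`, uses the `192.168.119.0/24` LAN from the thread, and takes the client address as a parameter so that the address in the firewall rule and the one in the ccd `ifconfig-push` line are typed once and cannot drift apart. It also covers a case the single FORWARD rule misses: packets addressed to the server's own LAN address go through INPUT, never FORWARD, so a second rule is needed there. A rate-limited LOG rule in front of the DROP gives a syslog trail for verifying that the block is hit.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that keep one
# OpenVPN client off the server-side LAN while it still uses the server as its
# Internet gateway. Interface and LAN values are assumptions for this setup;
# override them in the environment if yours differ.
TUN_IF="${TUN_IF:-tun0}"                      # OpenVPN server interface (assumed)
LAN_NET="${LAN_NET:-192.168.119.0/24}"        # LAN network from the thread
LOG_PREFIX="${LOG_PREFIX:-vpn-lan-block: }"   # tag to grep for in the syslog

# Accept only a plain dotted-quad address, so a typo cannot silently produce a
# rule that matches nothing (the DROP would then never fire).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the rules for one client. Pass the exact address that the client's
# ccd "ifconfig-push" line assigns.
lan_block_rules() {
    client_ip="$1"
    valid_ipv4 "$client_ip" || { echo "bad client address: $client_ip" >&2; return 1; }
    # "-I <chain> 1" puts the rules ahead of any broad ACCEPT for the tun
    # interface. FORWARD covers traffic routed on to other LAN hosts; INPUT
    # covers the server's own LAN address, which never passes through FORWARD.
    cat <<EOF
iptables -I FORWARD 1 -i $TUN_IF -s $client_ip -d $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX"
iptables -I FORWARD 2 -i $TUN_IF -s $client_ip -d $LAN_NET -j DROP
iptables -I INPUT 1 -i $TUN_IF -s $client_ip -d $LAN_NET -j DROP
EOF
}

# Apply the rules (needs root), then list the chain with packet counters, so a
# test connection from the client shows the matching rule's counter moving.
apply_lan_block() {
    lan_block_rules "$1" | sh -e && iptables -L FORWARD -v -n --line-numbers
}

# Usage: ./lan-block.sh 10.8.1.137         (prints the rules)
#        ./lan-block.sh 10.8.1.137 apply   (applies them, as root)
if [ -n "$1" ]; then
    if [ "$2" = "apply" ]; then apply_lan_block "$1"; else lan_block_rules "$1"; fi
fi
```

After applying, check the block from the client side (the LAN host should time out while an external site still loads) and on the server with `iptables -L FORWARD -v -n --line-numbers`: the DROP rule's packet counter should increase and the syslog should show the `vpn-lan-block:` prefix. The rules are not persistent across reboots; hook the script into whatever the distribution uses to restore firewall rules, or into an OpenVPN `up` script, if it is to survive a restart.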