On Mon, Jul 31, 2023 at 4:20 PM, Jochen Bern <jochen.b...@binect.de> wrote:

> On 31.07.23 13:34, Jason Long wrote:
> > Did you forget the PORT rule?
> > # iptables -I INPUT -p udp --dport PORT -j ACCEPT
>
> That rule a) *already* addresses *several* OpenVPN instances at once (as it
> specifies *only* the port, not IP or interface) and b) has absolutely
> nothing to do with the clients' through-the-VPN traffic, much less how it
> gets SNATed.
>
> > Excuse me, I'm thankful if you reply to this question:
> > Suppose I have set two IP addresses on the enp0s3 network card and on
> > each IP address you want to launch three server.conf:
> >
> > # IF_MAIN=enp0s3
> > # IF_TUNNEL=tun2
> > # YOUR_OPENVPN_SUBNET=IP/16
> > # iptables -I INPUT -p udp --dport PORT -j ACCEPT
> > # iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
> > # iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
> > # iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
> > # iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to $IF_MAIN
> >
> > How many times should you repeat the above rules?
>
> As written, you should repeat the INPUT rule for every $PORT, and the
> others for every OpenVPN instance, *because that's how specific you wrote
> them*. If whatever mechanism you use to start/stop the OpenVPN server
> instances allows you to execute additional stuff, there's absolutely no
> harm in having the rules added/removed that way, which implies that you'd
> have *all* rules set once per (running) instance. If, on the other hand,
> you'd like to type less, it's up to you to find ways to make the rules
> less specific that still agree with whatever *external* requirements you
> may have.
>
> For OpenVPN, the four rules
>
> iptables -I INPUT -p udp -m multiport --dports $PORT1,$PORT2 -j ACCEPT
> iptables -A FORWARD -i tun+ -o e+ -s $BIG_SUBNET -j ACCEPT
> iptables -A FORWARD -i e+ -o tun+ \
>     -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -A POSTROUTING -s $BIG_SUBNET -j SNAT --to $PUB_IP_RANGE
>
> would be enough to cover *all* instances that use those ports and hand
> clients IPs from a subset of $BIG_SUBNET, but then it's your job to set
> things up beforehand so that
> -- the VPN clients and nothing else reside in $BIG_SUBNET,
> -- the server's public IPs form an actual linear *range* $PUB_IP_RANGE,
> -- the wildcard "e+" (or "enp0s3+" or whatever) matches the names of
>    interfaces you want clients to be able to access and none of the
>    others, and
> -- nobody and nothing anywhere else will have a need to look at the IP
>    your VPN clients are SNATed to and tell whether they're using the
>    "right" OpenVPN instance (e.g., we have public IPs assigned to only
>    sysadmins, support personnel etc., including for when they VPN into
>    the company, so that customers can rest assured that nobody from, say,
>    our dev, sales or billing dpt.s can touch their system if they ACCEPT
>    those IPs on their firewall).
>
> Kind regards,

Hello,

Thank you so much again.

You used some variables:

$PORT1, $PORT2
$BIG_SUBNET
$PUB_IP_RANGE

Above the iptables rules, I need to initialize them. Can I use a "," sign
between the values? For example:

BIG_SUBNET = 10.8.1.0/16, 10.8.2.0/16

> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
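Added example, not code from either poster in this thread: a POSIX sh script that builds the consolidated rule set described in the reply above from shell variables. The ports, client subnets, public IP range and interface name are constructed placeholder values. The lists are kept space-separated and expanded by a loop, so every client subnet gets its own FORWARD and SNAT rule (the SNAT `--to` target takes a single IP or linear range, never a list) and the same variables can later be replayed with `-D` to remove exactly those rules; the ports are joined with commas only for the multiport match, which accepts at most 15 ports. By default (DRY_RUN=1) the script only prints the commands; it changes the firewall only when run as root with DRY_RUN=0.

```sh
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Generates the consolidated OpenVPN INPUT/FORWARD/SNAT rules for several
# instances from shell variables. All values below are constructed placeholders.

PORTS="1194 1195"                          # one UDP listening port per OpenVPN instance
SUBNETS="10.8.1.0/24 10.8.2.0/24"          # one client subnet per instance
PUB_IP_RANGE="198.51.100.10-198.51.100.11" # linear range of the server's public IPs
IF_MAIN="enp0s3"                           # uplink interface (a wildcard like enp0s3+ also works)

# join_commas LIST: turn a space-separated list into a comma-separated one.
join_commas() {
    out=""
    for item in $1; do
        out="${out:+$out,}$item"
    done
    printf '%s\n' "$out"
}

# gen_rules PORTS SUBNETS PUB_IP_RANGE IF_MAIN
# Prints one iptables command per line and executes nothing.
# Returns 1 when more than 15 ports are given, the limit of the multiport match.
gen_rules() {
    ports=$1; subnets=$2; pubrange=$3; ifmain=$4
    n=0
    for p in $ports; do n=$((n + 1)); done
    [ "$n" -le 15 ] || return 1
    portlist=$(join_commas "$ports")
    # One INPUT rule admits the handshake/data packets of every instance.
    echo "iptables -I INPUT -p udp -m multiport --dports $portlist -j ACCEPT"
    # Return traffic of already-established flows, once for all instances.
    echo "iptables -A FORWARD -i $ifmain -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Outbound forwarding and SNAT, one rule per client subnet: iterating here keeps
    # the list reusable for a symmetric -D, and SNAT --to only ever sees one range.
    for s in $subnets; do
        echo "iptables -A FORWARD -i tun+ -o $ifmain -s $s -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $s -o $ifmain -j SNAT --to $pubrange"
    done
}

# apply_rules PORTS SUBNETS PUB_IP_RANGE IF_MAIN
# Runs the generated commands, or only prints them when DRY_RUN=1 (the default).
apply_rules() {
    rules=$(gen_rules "$@") || { echo "too many ports for multiport" >&2; return 1; }
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || return 1   # word splitting is intended: the commands carry no quoted arguments
        fi
    done
}

apply_rules "$PORTS" "$SUBNETS" "$PUB_IP_RANGE" "$IF_MAIN"
```

To remove the rules again, feed the same variables through the generator with `-A`/`-I` replaced by `-D`; because each subnet produced a separate rule, the deletion matches one-for-one.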