On Fri, 20 Oct 2023 18:39:54 -0400, Bo Berglund <bo.bergl...@gmail.com> wrote:
>On Fri, 20 Oct 2023 22:12:18 +0200, Antonio Quartulli <a...@unstable.cc> wrote:
>
>>Hi,
>>
>>On 20/10/2023 21:35, Bo Berglund wrote:
>>> What have I missed?
>>
>>Breaking your setup in mysterious ways is not going to help :-)
>>
>>As Gert pointed out, what you want to achieve requires configuring the
>>firewall to prevent access to the LAN subnet.
>>
>
>So you mean using the same service conf file as for the web + LAN operation, but
>with a different tunnel subnet and different port?
>
>That would allow LAN access.
>
>Then using IPTABLES blocking such LAN access for that tunnel range.
>
>I will make some new tests later and see if that is working.
>
>I am worried that if the destination happens to be the gateway to the internet,
>like it would when browsing via the tunnel, will it be allowed???
>
>I will see later, now heading out...

Now I have tested by making a service conf copy of the web+local access server
and changing the UDP port number and tunnel IP range but leaving all else the same.

Then I added the following to iptables:

-A FORWARD -s 10.13.131.0/24 -d 10.0.1.0/24 -j DROP

This seems to work fine: I can connect to the original service and access both
local and web resources, but when I connect to the copied service with the other
tunnel IP range I cannot reach the local resources, while the web seems to be fine.

So I guess I am done now!
Thanks for helping out!

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
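The message above describes the procedure (second server instance on its own UDP port and tunnel subnet, plus one FORWARD DROP rule) and the open question about the internet gateway. The following is an added example, not code from the thread or from OpenVPN: it models iptables first-match evaluation of the FORWARD chain over a few constructed packets, so the verdicts for the cases discussed can be checked without touching a live firewall. The LAN (10.0.1.0/24) and the restricted tunnel (10.13.131.0/24) come from the posted rule; the original tunnel subnet (10.8.0.0/24), the chain policy (ACCEPT, implied by web access working with no further rules), the host addresses and the public destination (203.0.113.10, an RFC 5737 documentation address) are assumptions.

```python
"""Model of netfilter FORWARD-chain evaluation for the two-tunnel OpenVPN setup.

Added example, not from the original post.  Assumed: original tunnel is
10.8.0.0/24 (OpenVPN's default, not stated in the thread), FORWARD policy
is ACCEPT, client/host addresses and the public destination are constructed.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.1.0/24")                    # from the posted rule
FULL_TUNNEL = ip_network("10.8.0.0/24")            # assumption: default OpenVPN subnet
LAN_BLOCKED_TUNNEL = ip_network("10.13.131.0/24")  # from the posted rule
INTERNET_HOST = "203.0.113.10"                     # constructed public address

# A rule is (source net, destination net, target); None means "match any".
def forward_verdict(rules, src, dst, policy="ACCEPT"):
    """First matching rule wins, exactly as iptables walks a chain; otherwise policy."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, target in rules:
        if (src_net is None or s in src_net) and (dst_net is None or d in dst_net):
            return target
    return policy

def as_iptables(rules):
    """Render rules in iptables-save syntax, the form used in the post."""
    lines = []
    for src_net, dst_net, target in rules:
        parts = ["-A", "FORWARD"]
        if src_net is not None:
            parts += ["-s", str(src_net)]
        if dst_net is not None:
            parts += ["-d", str(dst_net)]
        parts += ["-j", target]
        lines.append(" ".join(parts))
    return lines

# The posted rule, appended to an otherwise empty ACCEPT-policy FORWARD chain.
POSTED_RULES = [(LAN_BLOCKED_TUNNEL, LAN, "DROP")]

# Same DROP, but appended after a blanket ACCEPT for the tunnel source, e.g. a
# leftover "allow everything from the VPN" rule.  Because -A appends, the DROP
# is never reached for that source.
SHADOWED_RULES = [(LAN_BLOCKED_TUNNEL, None, "ACCEPT"),
                  (LAN_BLOCKED_TUNNEL, LAN, "DROP")]

def check_posted_rule():
    """Verdicts the posted rule gives for the cases raised in the thread."""
    r = POSTED_RULES
    return {
        # restricted tunnel -> a LAN host: blocked, as observed
        "blocked_tunnel_to_lan_host": forward_verdict(r, "10.13.131.6", "10.0.1.50"),
        # restricted tunnel -> the gateway's own LAN address: also blocked
        "blocked_tunnel_to_lan_gateway": forward_verdict(r, "10.13.131.6", "10.0.1.1"),
        # restricted tunnel -> internet: the routed packet carries the public
        # destination, the gateway is only the next hop, so -d LAN never matches
        "blocked_tunnel_to_internet": forward_verdict(r, "10.13.131.6", INTERNET_HOST),
        # original tunnel is untouched by the rule
        "full_tunnel_to_lan_host": forward_verdict(r, "10.8.0.6", "10.0.1.50"),
        "full_tunnel_to_internet": forward_verdict(r, "10.8.0.6", INTERNET_HOST),
    }

def check_rule_order():
    """Verdict for restricted tunnel -> LAN when an earlier ACCEPT shadows the DROP."""
    return forward_verdict(SHADOWED_RULES, "10.13.131.6", "10.0.1.50")

if __name__ == "__main__":
    for line in as_iptables(POSTED_RULES):
        print(line)
    for case, verdict in check_posted_rule().items():
        print(f"{case}: {verdict}")
    print(f"shadowed by earlier ACCEPT: {check_rule_order()}")
```

Two things worth checking on the real box, since the model only covers what the post describes: `iptables -L FORWARD -v -n --line-numbers` should show the DROP above any broader ACCEPT for the 10.13.131.0/24 source (the shadowed case in the example is why), and its packet counter should climb while a client on the restricted tunnel tries to ping a LAN host. Also, FORWARD only sees routed packets; a packet from the restricted tunnel addressed to the OpenVPN host's own LAN address is delivered locally and traverses INPUT instead, so services on the VPN host itself need a matching INPUT rule if they are meant to be unreachable from that tunnel.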