Hello developers and users, I'm trying to get inspiration from the HOW-TO https://openvpn.net/community-resources/how-to/#configuring-client-specific-rules-and-access-policies, which is based on the net30 topology, and adapt it to the subnet topology.
I've prepared a small PoC and everything seems to work as I expect and without any problems. Please, can you take a look at the configuration snippets below to see if there is any logical error in it and whether it will really work flawlessly this way?

*- create and configure TUN interfaces using NetworkManager, including all IP addresses that will serve as default gateways for different classes of users inside the VPN tunnel:*

    # nmcli connection add type tun tun.mode tun autoconnect yes con-name tun0 ipv4.addresses 172.17.17.1/24 +ipv4.addresses 172.17.18.1/24 ipv4.method manual ipv6.method disabled ifname tun0

    # ip address show dev tun0
    95: tun0: <*NO-CARRIER*,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc fq_codel state *DOWN* group default qlen 500
        link/none
        inet 172.17.17.1/24 brd 172.17.17.255 scope global noprefixroute tun0
           valid_lft forever preferred_lft forever
        inet 172.17.18.1/24 brd 172.17.18.255 scope global noprefixroute tun0
           valid_lft forever preferred_lft forever

*- OpenVPN server configuration without directives like ifconfig and server and without ifconfig-pool:*

    # cat server.conf
    local AA.BB.CC.DD
    proto udp
    port 1194
    dev tun0
    mode server
    topology subnet
    tls-server
    tls-auth tlsauth.key 0
    tls-verify "/etc/openvpn/scripts/openvpn-client-verify.pl allowed-clients.conf"
    dh dh2048.pem
    remote-cert-tls client
    pkcs12 server.p12
    client-config-dir ccd
    ccd-exclusive
    push "topology subnet"
    user openvpn
    group openvpn
    keepalive 10 30
    persist-key
    persist-remote-ip
    persist-tun
    script-security 2

*- specific configuration for the first (n-th) user from the Employee role:*

    # cat ccd/user-role-employee-1
    ifconfig-push 172.17.17.50 255.255.255.0
    push "route-gateway 172.17.17.1"

*- specific configuration for the first (n-th) user from the System Administrator role:*

    # cat ccd/user-role-admin-1
    ifconfig-push 172.17.18.51 255.255.255.0
    push "route-gateway 172.17.18.1"

*- start OpenVPN server and the status of the tun0 interface after:*

    # systemctl start openvpn-server.service

    # ip address show dev tun0
    95: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,*LOWER_UP*> mtu 1500 qdisc fq_codel state *UP* group default qlen 500
        link/none
        inet 172.17.17.1/24 brd 172.17.17.255 scope global noprefixroute tun0
           valid_lft forever preferred_lft forever
        inet 172.17.18.1/24 brd 172.17.18.255 scope global noprefixroute tun0
           valid_lft forever preferred_lft forever

    # ip -d link show tun0
    95: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 500
        link/none promiscuity 0 allmulti 0 minmtu 68 maxmtu 65535
        tun type tun pi off vnet_hdr off persist on numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 65536 tso_max_segs 65535 gro_max_size 65536 gso_ipv4_max_size 65536 gro_ipv4_max_size 65536

    # ip route show dev tun0
    172.17.17.0/24 proto kernel scope link src 172.17.17.1 metric 450
    172.17.18.0/24 proto kernel scope link src 172.17.18.1 metric 450

*- REJECT communication/traffic between individual OpenVPN clients:*

    # iptables -I FORWARD -i tun+ -o tun+ -m state --state NEW -j REJECT

*- specific firewalling rules for the Employee role, e.g.:*

    # iptables -A FORWARD -i tun0 -o enp6s19 -s 172.17.17.0/24 -d 192.168.17.0/24 -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
    ...

*- specific firewalling rules for the System Administrator role, e.g.:*

    # iptables -A FORWARD -i tun0 -o enp6s19 -s 172.17.18.0/24 -d 192.168.0.0/16 -p tcp -m multiport --sports 80,443 -m state --state NEW -j ACCEPT
    ...

There is certainly room for improvement in the configuration, but I am primarily concerned with the combination of configuring the TUN interface using NetworkManager and configuring the OpenVPN server together with CCD files or with some client-connect/client-disconnect scripts. But I'm certainly not opposed to any suggestions for improvement. Thank you very much in advance for your time, advice and comments.
With best regards -- Karel Ziegler e-mail: ziegl...@gmail.com
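Since the per-role firewall rules above key entirely on which /24 a client's pushed address falls in, a consistency check over the CCD directory is a useful safeguard. The script below is added example code, not from the original post or from OpenVPN; it assumes the two tun0 gateway addresses from the nmcli command and the 255.255.255.0 masks used in the CCD files.

```shell
#!/bin/sh
# Added example: verify that each CCD file's ifconfig-push address, netmask
# and pushed route-gateway agree with one of the addresses configured on tun0.
# A client placed in the other role's /24 would fall under that role's rules.
# Assumption: the two gateway addresses given to tun0 via nmcli in the post.
TUN_GATEWAYS="172.17.17.1 172.17.18.1"

# same_24 A B: succeed if both addresses share their first three octets.
same_24() {
  [ "${1%.*}" = "${2%.*}" ]
}

# check_ccd FILE: return 0 if consistent, 1 otherwise (reason on stdout).
check_ccd() {
  f=$1
  ip=$(awk '$1 == "ifconfig-push" { print $2 }' "$f")
  mask=$(awk '$1 == "ifconfig-push" { print $3 }' "$f")
  gw=$(awk '$1 == "push" && $2 ~ /route-gateway/ { gsub(/"/, "", $3); print $3 }' "$f")
  if [ -z "$ip" ] || [ -z "$gw" ]; then
    echo "$f: missing ifconfig-push or route-gateway"; return 1
  fi
  if [ "$mask" != "255.255.255.0" ]; then
    echo "$f: expected netmask 255.255.255.0, got '$mask'"; return 1
  fi
  found=0
  for g in $TUN_GATEWAYS; do
    if [ "$g" = "$gw" ]; then found=1; fi
  done
  if [ "$found" -eq 0 ]; then
    echo "$f: route-gateway $gw is not an address of tun0"; return 1
  fi
  if [ "$ip" = "$gw" ] || ! same_24 "$ip" "$gw"; then
    echo "$f: $ip is not a client address inside the /24 of gateway $gw"; return 1
  fi
  echo "$f: ok"
}

# check_ccd_dir DIR: check every file in the ccd directory; fail if any is off.
check_ccd_dir() {
  rc=0
  for p in "$1"/*; do
    [ -f "$p" ] || continue
    check_ccd "$p" || rc=1
  done
  return $rc
}

# Run against ./ccd (or the directory given as first argument) when it exists.
if [ -d "${1:-ccd}" ]; then
  check_ccd_dir "${1:-ccd}"
fi
```

Running it from the server's config directory before a reload reports one line per CCD file and exits non-zero if any file would place a client outside its role's subnet.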
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users