Hello developers and users,

  would anyone be so kind as to review the configuration from the previous
email?

Thank you very much in advance and have a nice day
-- 
Karel Ziegler

On Wed, Feb 19, 2025 at 11:38 AM kAja Ziegler <ziegl...@gmail.com> wrote:

> Hello developers and users,
>
> I'm trying to get inspiration from the HOW-TO
> https://openvpn.net/community-resources/how-to/#configuring-client-specific-rules-and-access-policies,
> which is based on the net30 topology, and adapt it to the subnet topology.
>
> I've prepared a small PoC and everything seems to work as I expect and
> without any problems.
>
> Please, can you take a look at the configuration snippets below to see if
> there is any logical error in it and whether it will really work flawlessly
> this way?
>
>
> *- create and configure TUN interfaces using NetworkManager, including all
> IP addresses that will serve as default gateways for different classes of
> users inside the VPN tunnel:*
>
> # nmcli connection add type tun tun.mode tun autoconnect yes con-name tun0
> ipv4.addresses 172.17.17.1/24 +ipv4.addresses 172.17.18.1/24 ipv4.method
> manual ipv6.method disabled ifname tun0
>
> # ip address show dev tun0
> 95: tun0: <*NO-CARRIER*,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc
> fq_codel state *DOWN* group default qlen 500
>     link/none
>     inet 172.17.17.1/24 brd 172.17.17.255 scope global noprefixroute tun0
>        valid_lft forever preferred_lft forever
>     inet 172.17.18.1/24 brd 172.17.18.255 scope global noprefixroute tun0
>        valid_lft forever preferred_lft forever
>
>
> *- OpenVPN server configuration without directives like ifconfig and
> server and without ifconfig-pool:*
> # cat server.conf
> local AA.BB.CC.DD
>
> proto udp
> port 1194
>
> dev tun0
>
> mode server
> topology subnet
>
> tls-server
> tls-auth tlsauth.key 0
> tls-verify "/etc/openvpn/scripts/openvpn-client-verify.pl
> allowed-clients.conf"
> dh dh2048.pem
>
> remote-cert-tls client
>
> pkcs12 server.p12
>
> client-config-dir ccd
> ccd-exclusive
>
> push "topology subnet"
>
> user openvpn
> group openvpn
>
> keepalive 10 30
>
> persist-key
> persist-remote-ip
> persist-tun
>
> script-security 2
>
> *- specific configuration for the first (n-th) user from the Employee
> role:*
> # cat ccd/user-role-employee-1
> ifconfig-push 172.17.17.50 255.255.255.0
> push "route-gateway 172.17.17.1"
>
> *- specific configuration for the first (n-th) user from the System
> Administrator role:*
> # cat ccd/user-role-admin-1
> ifconfig-push 172.17.18.51 255.255.255.0
> push "route-gateway 172.17.18.1"
>
>
> *- start OpenVPN server and the status of the tun0 interface after:*
>
> # systemctl start openvpn-server.service
>
> # ip address show dev tun0
> 95: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,*LOWER_UP*> mtu 1500 qdisc
> fq_codel state *UP* group default qlen 500
>     link/none
>     inet 172.17.17.1/24 brd 172.17.17.255 scope global noprefixroute tun0
>        valid_lft forever preferred_lft forever
>     inet 172.17.18.1/24 brd 172.17.18.255 scope global noprefixroute tun0
>        valid_lft forever preferred_lft forever
>
> # ip -d link show tun0
> 95: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
> fq_codel state UP mode DEFAULT group default qlen 500
>     link/none  promiscuity 0 allmulti 0 minmtu 68 maxmtu 65535
>     tun type tun pi off vnet_hdr off persist on numtxqueues 1 numrxqueues
> 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 65536 tso_max_segs
> 65535 gro_max_size 65536 gso_ipv4_max_size 65536 gro_ipv4_max_size 65536
>
> # ip route show dev tun0
> 172.17.17.0/24 proto kernel scope link src 172.17.17.1 metric 450
> 172.17.18.0/24 proto kernel scope link src 172.17.18.1 metric 450
>
>
> *- REJECT communication/traffic between individual OpenVPN clients:*
> # iptables -I FORWARD -i tun+ -o tun+ -m state --state NEW -j REJECT
>
> *- specific firewalling rules for the Employee role, e.g.:*
> # iptables -A FORWARD -i tun0 -o enp6s19 -s 172.17.17.0/24 -d
> 192.168.17.0/24 -p tcp -m multiport --sports 80,443 -m state --state NEW
> -j ACCEPT
> ...
>
> *- specific firewalling rules for the System Administrator role, e.g.:*
> # iptables -A FORWARD -i tun0 -o enp6s19 -s 172.17.18.0/24 -d
> 192.168.0.0/16 -p tcp -m multiport --sports 80,443 -m state --state NEW
> -j ACCEPT
> ...
>
>
> There is certainly room for improvement in the configuration, but I am
> primarily concerned with the combination of configuring the TUN interface
> using NetworkManager and configuring the OpenVPN server together with CCD
> files or with some client-connect/client-disconnect scripts. But I'm
> certainly not opposed to any suggestions for improvement.
>
> Thank you very much in advance for your time, advice and comments.
>
> With best regards
> --
> Karel Ziegler
>
>  e-mail:    ziegl...@gmail.com
>
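In the setup quoted above, a client's privileges are decided entirely by which /24 its `ifconfig-push` address lands in: the per-role iptables rules key on `-s 172.17.17.0/24` versus `-s 172.17.18.0/24`, and with `ccd-exclusive` every client has a hand-written CCD file. A typo that places an Employee CCD entry in the 172.17.18.0/24 subnet, or a duplicate address shared by two files, therefore silently changes what a client may reach. The following script is an added example, not code from the post or from the OpenVPN project; it parses CCD files in the format shown (`ifconfig-push <ip> <mask>` plus `push "route-gateway <gw>"`), assumes the post's `user-role-<role>-<n>` file-naming scheme, and checks each file against a role table that mirrors the post's addressing. The sample CCD contents are constructed inline so it runs offline.

```python
"""Consistency check for OpenVPN client-config-dir (ccd) files used for
role-based addressing under 'topology subnet'.

Added example (not from the mailing-list post). Assumptions: one ccd file
per client, each containing 'ifconfig-push <ip> <mask>' and
'push "route-gateway <gw>"', file names of the form user-role-<role>-<n>,
and a ROLES table describing the subnet/gateway each role's firewall
rules key on.
"""
import ipaddress
import re

# Role -> (subnet, gateway), taken from the addressing used in the post.
ROLES = {
    "employee": ("172.17.17.0/24", "172.17.17.1"),
    "admin": ("172.17.18.0/24", "172.17.18.1"),
}

IFCONFIG_RE = re.compile(r'^\s*ifconfig-push\s+(\S+)\s+(\S+)')
GATEWAY_RE = re.compile(r'^\s*push\s+"route-gateway\s+(\S+)"')


def parse_ccd(text):
    """Return (address, netmask, gateway) from one ccd file's text.
    Any directive that is absent is returned as None."""
    addr = mask = gw = None
    for line in text.splitlines():
        line = line.split('#', 1)[0]  # strip trailing comments
        m = IFCONFIG_RE.match(line)
        if m:
            addr, mask = m.group(1), m.group(2)
            continue
        m = GATEWAY_RE.match(line)
        if m:
            gw = m.group(1)
    return addr, mask, gw


def role_of(filename):
    """Derive the role from the post's naming scheme user-role-<role>-<n>."""
    m = re.match(r'user-role-([a-z]+)-\d+$', filename)
    return m.group(1) if m else None


def check_ccd_dir(files):
    """files: dict filename -> file contents (stands in for reading the ccd
    directory). Returns a list of (filename, problem) tuples; an empty list
    means every client sits in its role's subnet with the right gateway and
    no address is assigned twice."""
    problems = []
    seen = {}  # address -> first file that claimed it
    for name, text in sorted(files.items()):
        role = role_of(name)
        if role not in ROLES:
            problems.append((name, "unknown role in filename"))
            continue
        subnet = ipaddress.ip_network(ROLES[role][0])
        role_gw = ipaddress.ip_address(ROLES[role][1])
        addr, mask, gw = parse_ccd(text)
        if addr is None or gw is None:
            problems.append((name, "missing ifconfig-push or route-gateway"))
            continue
        ip = ipaddress.ip_address(addr)
        if mask != str(subnet.netmask):
            problems.append((name, f"netmask {mask} != {subnet.netmask}"))
        if ip not in subnet:
            # Client would match the other role's firewall rules.
            problems.append((name, f"{ip} outside role subnet {subnet}"))
        if ip == role_gw:
            problems.append((name, f"{ip} is the gateway address"))
        if ipaddress.ip_address(gw) != role_gw:
            problems.append((name, f"route-gateway {gw} != role gateway {role_gw}"))
        if addr in seen:
            problems.append((name, f"{addr} already assigned to {seen[addr]}"))
        seen.setdefault(addr, name)
    return problems


# Constructed sample ccd directory: the two files from the post plus two
# deliberately broken entries (an Employee placed in the admin subnet and a
# duplicate admin address).
SAMPLE_CCD = {
    "user-role-employee-1": 'ifconfig-push 172.17.17.50 255.255.255.0\n'
                            'push "route-gateway 172.17.17.1"\n',
    "user-role-admin-1": 'ifconfig-push 172.17.18.51 255.255.255.0\n'
                         'push "route-gateway 172.17.18.1"\n',
    "user-role-employee-2": 'ifconfig-push 172.17.18.60 255.255.255.0\n'
                            'push "route-gateway 172.17.18.1"\n',
    "user-role-admin-2": 'ifconfig-push 172.17.18.51 255.255.255.0\n'
                         'push "route-gateway 172.17.18.1"\n',
}

if __name__ == "__main__":
    for fname, problem in check_ccd_dir(SAMPLE_CCD):
        print(f"{fname}: {problem}")
```

Run against a real `ccd` directory by reading each file into the dict; on the constructed sample it reports the duplicate address in `user-role-admin-2` and the wrong subnet plus wrong gateway in `user-role-employee-2`, while the two files from the post pass cleanly.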
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
