openvpn's document for client-to-client says:

      When this option is used, each client will "see" the other
      clients which are currently connected. Otherwise, each
      client will only see the server. Don't use this option if
      you want to firewall tunnel traffic using custom,
      per-client rules.

You seem to be thinking that "routeback" will cause shorewall to enforce
policies on the vpn interface (which the openvpn docs indicate won't
work).  But what routeback actually does is to (conditionally) *allow*
something that's not allowed by default.

On Thu, Nov 28, 2024 at 06:47:47AM +0000, simonseys via Shorewall-users wrote:
> Hi. I am using Shorewall 5.2.8 on Debian Bookworm. I'm building a system to 
> act as a VPN server in a hub and spoke topology where the clients connect to 
> the server and Shorewall is used to selectively allow traffic between clients. 
> Therefore I am using routeback for my vpn tun interface.
> 
> At first glance it seems to work and the clients can ping each other. But I 
> found that Shorewall rules have no impact on traffic when routeback is added. 
> I tested this by adding a rule to reject traffic from a specific system to 
> another specific system. But it cannot reject/drop the traffic. Without 
> routeback I of course get sfilter drop messages in the logs.
> 
> So basically routeback is behaving like client-to-client would allowing 
> inter-client communication unfettered by Shorewall. Why is routeback not 
> having the desired effect of allowing me to firewall traffic that is arriving 
> and leaving on my vpn zone interface?


-- 
Justin Pryzby
System Administrator
Telsasoft
+1-952-707-8581
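Putting the two halves of the thread together as a configuration, as an added example that is not from either post: the OpenVPN server must leave `client-to-client` out so that spoke-to-spoke packets are routed through the kernel, where the Shorewall `routeback` interface option and the rules can act on them. The interface name tun0, the zone name vpn, the eth0 uplink and the 10.8.0.0/24 addresses are assumptions.

```conf
# /etc/openvpn/server.conf (relevant lines only)
# With client-to-client set, OpenVPN switches packets between clients
# internally; they never reach the kernel, so no Shorewall rule applies.
# Leave it out so inter-client packets are routed via tun0 instead.
dev tun0
server 10.8.0.0 255.255.255.0
#client-to-client   (must stay disabled for Shorewall to see the traffic)

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs
# routeback lets packets that enter and leave on tun0 be evaluated by the
# rules; without it they are dropped as sfilter, as seen in the logs.
vpn     tun0        routeback

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOGLEVEL
# Shorewall accepts intra-zone traffic by default, so an explicit vpn->vpn
# policy is needed to get default-deny between spokes.
vpn     vpn     DROP    info
vpn     fw      ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION     SOURCE          DEST            PROTO   DPORT
# Only the pairs listed here may talk across the hub (assumed addresses).
ACCEPT      vpn:10.8.0.10   vpn:10.8.0.20   tcp     22
ACCEPT      vpn:10.8.0.20   vpn:10.8.0.10   tcp     22
```

Run `shorewall check` before restarting so a syntax error does not leave the hub without a firewall; a spoke-to-spoke connection that is not listed in the rules should then show up as a logged vpn->vpn DROP.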


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
