Comments on: Controlling client-to-client connections in OpenVPN
https://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/

By: cesar daniel, Sun, 28 Feb 2016 01:03:19 +0000
Thanks, this article is exactly what I was looking for, excellent work.

By: waldner, Wed, 10 Sep 2014 22:01:04 +0000, in reply to OderWat.

1. Right, IP forwarding is not mentioned explicitly, although the fact that the TTL is decremented and that iptables rules are in the FORWARD chain should hint in that direction, but it's always better to be clear, so thanks for pointing that out.

2. This is a bit strange, "client-to-client" should have no effect on the routes that the client installs, which should be determined only by 'push "route ...."' statements in the server config and 'route ....' statements in the client config, at least when using "topology subnet" (which is what should be used anyway).

By: OderWat, Tue, 09 Sep 2014 15:49:28 +0000
I know this entry is pretty old; even so, it helped me a lot in configuring my VPN so that only selected clients can talk to each other. Most of them can only see one machine besides the server.

But I had problems which are not mentioned here:

1. I needed to enable IP forwarding (this may be obvious, but I first thought it would work without it because it is in the same network).
2. After removing "client-to-client", the clients had no routes for the other IPs in the network anymore. I solved that by adding 'push "route 10.x.0.0 255.255.255.0"' to the OpenVPN server config, which seems to work. I am not sure whether that is the right/best solution, though.

By: waldner, Fri, 21 Sep 2012 07:52:37 +0000, in reply to Applewaite.

For the VPN clients to reach the internet (I guess through your VPN gateway) you have to do a few things.

First, the VPN clients need to install a route (to the whole Internet or whatever) pointing to the VPN gateway. Depending on the route you want them to have, this can be achieved by pushing one or more specific routes to the clients, or by directly pushing "redirect-gateway" (if you use this one, I suggest you also use the "def1" flag; the man page has all the details). This is done by editing the VPN server config.
Second, you'll want to NAT the traffic received from the VPN client and going to the Internet, so you need something like

iptables -t nat -A POSTROUTING -o eth1 -s 172.25.90.0/24 -j MASQUERADE

where eth1 is the Internet-facing interface on the VPN gateway. Of course, you'll also need to enable IP forwarding and allow this traffic in the FORWARD chain (if you're not doing it already).

See this page for some examples: http://community.openvpn.net/openvpn/wiki/BridgingAndRouting

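One complete server-side setup for what this reply asks for (NAT, IP forwarding, a pushed default route) together with the point of the OderWat exchange above (no "client-to-client", an explicit pushed route for the VPN subnet). Once "client-to-client" is off, packets between two VPN clients are routed by the kernel and so pass the FORWARD chain, which is what makes the iptables isolation rules effective at all. This is an added example, not code from the original post or from the OpenVPN project: the interface names tun0 and eth1, the LAN range 192.168.1.0/24 and the check_ruleset helper are assumptions made for the example; 172.25.90.0/24 is the VPN subnet used in the thread.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenVPN project.
# Generates (and optionally applies) the server-side pieces for a routed
# OpenVPN gateway where VPN clients reach the Internet through NAT but cannot
# reach each other or the LAN, and the LAN cannot reach them.
# Assumptions not taken from the thread: VPN interface tun0, Internet-facing
# interface eth1, LAN 192.168.1.0/24. 172.25.90.0/24 is the VPN subnet from
# Applewaite's comment.
VPN_NET="${VPN_NET:-172.25.90.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# OpenVPN server directives. client-to-client is left out on purpose: with it
# set, openvpn switches packets between clients in user space and the kernel
# firewall never sees them. The explicit push "route" for the VPN subnet is
# redundant under topology subnet but keeps clients routable to the whole
# subnet regardless of what the server helper directive pushes.
build_server_conf() {
    vpn_base=${VPN_NET%/*}
    cat <<EOF
topology subnet
server $vpn_base 255.255.255.0
push "route $vpn_base 255.255.255.0"
push "redirect-gateway def1"
# client-to-client intentionally absent
EOF
}

# Firewall commands, printed for review. Inter-client traffic enters and
# leaves on the same tun interface, which is what rule 3 matches.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# 1. VPN sources leaving on the WAN interface get the gateway's address
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
# 2. replies to flows accepted below
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3. VPN client to VPN client
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -j DROP
# 4. VPN client to the LAN or any other private range
iptables -A FORWARD -i $VPN_IF -d $LAN_NET -j DROP
iptables -A FORWARD -i $VPN_IF -d 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $VPN_IF -d 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $VPN_IF -d 192.168.0.0/16 -j DROP
# 5. whatever is left from the VPN side may go out to the Internet
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -m conntrack --ctstate NEW -j ACCEPT
# 6. nothing else, in particular LAN to VPN, is ever opened
iptables -A FORWARD -d $VPN_NET -j DROP
iptables -A FORWARD -j DROP
EOF
}

# Helper for this example: reads a ruleset on stdin and reports which of the
# pieces the reply above asks for are missing (the MASQUERADE for the VPN
# subnet, IP forwarding) plus a terminal DROP. Returns 0 if all are present.
check_ruleset() {
    rules=$(cat)
    missing=""
    echo "$rules" | grep MASQUERADE | grep -qF -- "-s $VPN_NET" || missing="$missing nat"
    echo "$rules" | grep -q 'ip_forward=1' || missing="$missing ip-forwarding"
    echo "$rules" | grep -qF -- '-A FORWARD -j DROP' || missing="$missing final-drop"
    [ -z "$missing" ] && return 0
    echo "missing:$missing" >&2
    return 1
}

# Applewaite's ruleset from this thread, kept for comparison: its FORWARD
# chain already does what the reply asks; NAT and forwarding are what it
# does not show.
POSTED_RULES='iptables -A FORWARD --dst 172.25.90.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD --dst 10.0.0.0/8 -j DROP
iptables -A FORWARD --dst 172.16.0.0/12 -j DROP
iptables -A FORWARD --dst 192.168.0.0/16 -j DROP
iptables -A FORWARD --src 172.25.90.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP'

# Usage: sh openvpn-gateway.sh          print both fragments for review
#        APPLY=1 sh openvpn-gateway.sh  run the firewall commands (as root)
if [ "${APPLY:-0}" = 1 ]; then
    build_rules | sh
else
    build_server_conf
    echo
    build_rules
    echo "$POSTED_RULES" | check_ruleset || true
fi
```

Run without APPLY it only prints; the generated ruleset passes check_ruleset, while the ruleset posted in the thread is reported as missing "nat" and "ip-forwarding", which matches the diagnosis in the reply above. Rule 2 (RELATED,ESTABLISHED) sits before the DROPs so that return traffic of allowed Internet flows is accepted, but no LAN-to-VPN or client-to-client flow can ever become established because their NEW packets are dropped first.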
By: Applewaite, Fri, 21 Sep 2012 03:57:37 +0000, in reply to waldner.

What I am trying to achieve is:

1/ blocking the VPN network from seeing the LAN,
2/ stopping a VPN client from seeing another VPN client,
3/ VPN clients can talk to the Internet,
4/ LAN clients cannot see the VPN clients.

I've put together these rules. They are the ones I settled on after trying a number of combinations, and I was sure they should work; I can't see why they don't, as I am not achieving #3, only all the rest.

172.25.90.0 = VPN Network

iptables -A FORWARD --dst 172.25.90.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD --dst 10.0.0.0/8 -j DROP
iptables -A FORWARD --dst 172.16.0.0/12 -j DROP
iptables -A FORWARD --dst 192.168.0.0/16 -j DROP
iptables -A FORWARD --src 172.25.90.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
