Comments on: OpenVPN's built-in packet filter
https://backreference.org/2010/06/18/openvpns-built-in-packet-filter/
Fri, 23 Jan 2015 17:52:14 +0000

By: apollo13
https://backreference.org/2010/06/18/openvpns-built-in-packet-filter/#comment-25170
Fri, 23 Jan 2015 17:52:14 +0000
In reply to Traffic.

@Traffic: Can you be more specific? What doesn't work?

By: waldner
https://backreference.org/2010/06/18/openvpns-built-in-packet-filter/#comment-25166
Thu, 08 Jan 2015 14:30:14 +0000
In reply to Traffic.

Thanks for sharing.

By: waldner
https://backreference.org/2010/06/18/openvpns-built-in-packet-filter/#comment-25165
Thu, 08 Jan 2015 14:29:22 +0000
In reply to Traffic.

Well, if you use OpenVPN at layer 3, you can force packets through iptables, see here for example. At layer 2 instead (i.e. when using tap) you can either use the internal packet filter as described here, or use the new proxy_arp_pvlan feature as described here (I haven't tried it, but the OP said it worked).

By: Traffic
https://backreference.org/2010/06/18/openvpns-built-in-packet-filter/#comment-25162
Wed, 07 Jan 2015 17:49:32 +0000
In reply to waldner.

After extensive testing (OpenVPN 2.3.6, GNU/Linux) --management-client-pf is still not implemented correctly. Do _not_ use --management-client-pf at this time to use this plugin successfully.

By: Traffic
https://backreference.org/2010/06/18/openvpns-built-in-packet-filter/#comment-25160
Wed, 07 Jan 2015 17:39:33 +0000

On the OpenVPN server, when using --client-to-client, intra-client packets do not pass through iptables and so cannot be filtered on a server by iptables. If you run multiple server instances on the same machine then packets from one server IP to another (eg: c1 on s1:10.8.0.0/24 -> c1 on s2:10.9.0.0/24) will be filtered by iptables, but not clients on the same server instance.
Which is probably why this filter mechanism was introduced.

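The point made in the comment above (with client-to-client, OpenVPN switches packets between clients of one instance internally and the kernel's FORWARD chain never sees them; without it, each packet is written to the tun device, routed by the kernel and re-enters OpenVPN, so iptables can filter it) can be turned into a quick configuration audit. The script below is an added example, not code from the blog post or from any of the commenters: it checks a server config for the bare client-to-client directive and emits an iptables-restore fragment that isolates clients from each other except for one constructed service host. The interface name tun0, the 10.8.0.0/24 subnet and the host 10.8.0.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the blog post or its commenters.
# Audits an OpenVPN server config for "client-to-client". When the
# directive is active, OpenVPN forwards packets between clients of the
# same instance internally and they never traverse iptables FORWARD.
# Without it, intra-client packets are routed by the kernel through the
# tun interface, where FORWARD rules apply.
# Assumptions for illustration: interface tun0, subnet 10.8.0.0/24,
# shared host 10.8.0.10. Note that "--client-to-client" given on the
# command line is not visible to a file-based check like this one.

# intra_client_filterable CONF
# Exit 0 when intra-client packets traverse iptables (no client-to-client
# in the file), exit 1 when the directive short-circuits the kernel.
intra_client_filterable() {
    # Strip "#" and ";" comments, then look for the bare directive.
    sed 's/[#;].*//' "$1" | grep -Eq '^[[:space:]]*client-to-client[[:space:]]*$' && return 1
    return 0
}

# forward_rules TUN_IF
# Prints an iptables-restore fragment: reply traffic and TCP 443 to the
# constructed shared host 10.8.0.10 are allowed between clients, everything
# else client-to-client on the tun interface is dropped. These rules only
# take effect when the server config does NOT contain client-to-client.
forward_rules() {
    tun_if="$1"
    cat <<EOF
*filter
# Constructed policy for intra-client traffic on $tun_if
-A FORWARD -i $tun_if -o $tun_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $tun_if -o $tun_if -d 10.8.0.10 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i $tun_if -o $tun_if -j DROP
COMMIT
EOF
}

# Constructed sample configs, written to a scratch directory.
tmp=$(mktemp -d)
cat >"$tmp/with.conf" <<'EOF'
# constructed sample: OpenVPN switches intra-client traffic itself
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
EOF
cat >"$tmp/without.conf" <<'EOF'
# constructed sample: kernel routes intra-client traffic
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
EOF

for name in with without; do
    if intra_client_filterable "$tmp/$name.conf"; then
        echo "$name.conf: intra-client traffic traverses iptables FORWARD"
    else
        echo "$name.conf: client-to-client set, iptables cannot filter intra-client traffic"
    fi
done

forward_rules tun0 >"$tmp/forward.rules"
echo "rules written to $tmp/forward.rules (load with: iptables-restore -n $tmp/forward.rules)"
```

Run it as root only if you intend to load the generated rules; the audit itself and the rule generation need no privileges. Configs loaded from `config` includes or directives passed on the command line are outside what the file check sees, so treat a clean result as one input to the review, not the whole of it.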