Closed aqos156 closed 2 years ago
We have solved it by adding route and push "route for both and client-to-client when generating config, and after that adding these commands to ovpn_env.sh:

```sh
iptables -A FORWARD -i tun0 -s 10.9.0.1/24 -j ACCEPT
iptables -A FORWARD -i tun0 -j DROP
```

This way clients from 8 are able to only communicate between themselves, and from 9 are able to use the droplet as default gateway.
Thanks for the suggestion. Can you please explain a little bit more? Where exactly do I apply these rules inside the docker container?
And can you please give a complete example of multiple subnets with limited access? Thanks.
@hppyworld

```sh
# -s  default server range (clients land here unless a CCD file overrides it)
# -n  DNS server pushed to clients
# -r  routes the server adds for the 10.10 and 10.11 ranges
# -p  pushed to clients: route the 10.11 range over the tunnel
# -e  extra server directives; client-to-client allows talking between clients
# (comments cannot sit after the line-continuation backslashes, so they are collected here)
docker-compose run --rm openvpn ovpn_genconfig \
  -u udp://<<ovpnaddress>> \
  -s 10.10.0.0/16 \
  -n "8.8.8.8" \
  -r "10.10.0.0/16" \
  -r "10.11.0.0/16" \
  -p 'route 10.11.0.0 255.255.0.0' \
  -e "explicit-exit-notify 10" \
  -e "client-to-client"
```
This will result in all clients being on the restricted 10.10.0.0/16 range by default.

Add this to the end of ovpn_env.sh:

```sh
iptables -A FORWARD -i tun0 -s 10.11.0.0/16 -j ACCEPT # allows packet forwarding on the tun0 interface for this ip range
iptables -A FORWARD -i tun0 -j DROP                    # disables forwarding for all other ip ranges
```

This setup allows crosstalk between the 10.10 and 10.11 ranges, so you can ping 10.11.x.x from 10.10.x.x. To disallow this would require some additional iptables rules I think.

Note: this is the env file generated by the genconfig script. You can run into problems if you want to change the config, because you should use the genconfig script, and it regenerates and changes ovpn_env.sh. I recommend that if you need to regenerate the config, you always remove the openvpn.conf and ovpn_env.sh files first.
Add client-specific CCD files containing static ips, so for example I have clients:

```
ifconfig-push 10.11.0.10 10.11.0.11
```

The two ips must be sequential, because that's what ovpn wants to have. You can read more on it here; this article also contains some similar configuration.
@aqos156 Thanks for the nice explanation. I was trying your solution, and I am confused at one point. I want to restrict
Can you please help me achieve this configuration? Thanks a lot for the help.
@hppyworld well I'm not sure if it will work but you could add this iptables rule:

```sh
# -i (input interface) is not accepted in the OUTPUT chain; traffic that arrives on
# tun0 and is relayed towards the LAN is matched in FORWARD. Insert it ahead of the
# catch-all "-j DROP" from the earlier comment, otherwise it is never reached.
iptables -I FORWARD -i tun0 -s 10.10.0.0/16 -d <<your_local_ip_range>> -j DROP
```

This rule will drop any packets from the 10.10.0.0/16 range routed to <
From what I found out using tcpdump, openvpn routes packets through the tun0 interface only from its default server range set by the -s argument. Packets from other ranges (like 10.11.0.0/16 from my example) are not to be found anywhere. This means that you can only limit access on the default server range; others will remain unrestricted.
@kylemanna do you know anything about this? I think that this is not a problem of this image, but more a problem of OpenVPN
I'm not sure if enterprise edition can do anything about this. If you do not need high availability or specifically this image, then maybe try installing OpenVPN directly. But I wouldn't be surprised if even then the packets would not be routed/visible through the tun0 interface.
There are quite a lot of tools around wireguard that can do this and even more easily than with OpenVPN, but I have no hands-on experience with them. Some of these are:
If you are still unable to come up with a solution, then check out https://selfhosted.show/ and its discord channel (link is located in their navbar) and ask there if anybody has any solution to this. Let me know if you come up with anything :)
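As an added illustration (not code from this thread or from the image), the Python below models first-match evaluation of the FORWARD chain, renders the two rules aqos156 appends to ovpn_env.sh, and audits a few constructed flows against them, including the ordering mistake (catch-all DROP appended before the ACCEPT) that would cut off the 10.11 clients. It assumes a constructed LAN of 192.168.1.0/24, a FORWARD policy of ACCEPT, and that the flow really does traverse FORWARD on tun0, which the tcpdump observation above says may not hold for addresses outside the -s range.

```python
import ipaddress

def rule(action, src=None, dst=None, in_if="tun0"):
    """One FORWARD rule: input interface plus optional source/destination prefix."""
    return {"action": action, "in_if": in_if,
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None}

def to_iptables(r):
    """Render a rule as the append command that would be placed in ovpn_env.sh."""
    parts = ["iptables", "-A", "FORWARD", "-i", r["in_if"]]
    if r["src"] is not None:
        parts += ["-s", str(r["src"])]
    if r["dst"] is not None:
        parts += ["-d", str(r["dst"])]
    return " ".join(parts + ["-j", r["action"]])

def verdict(chain, in_if, src_ip, dst_ip, policy="ACCEPT"):
    """First matching rule decides; with no match the chain policy applies (assumed ACCEPT)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in chain:
        if r["in_if"] != in_if:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        return r["action"]
    return policy

def thread_chain():
    """The two rules from the thread, in the order -A appends them."""
    return [rule("ACCEPT", src="10.11.0.0/16"), rule("DROP")]

LAN = "192.168.1.0/24"            # constructed: the server's local LAN
FLOWS = [                          # constructed sample flows relayed via tun0
    ("10.11.0.10", "192.168.1.5"),  # privileged (static) client -> LAN
    ("10.10.0.5", "192.168.1.5"),   # restricted (dynamic) client -> LAN
    ("10.10.0.5", "1.1.1.1"),       # restricted client -> internet
]

def audit(chain):
    """Map each sample flow to the verdict the chain gives it."""
    return {f"{s}->{d}": verdict(chain, "tun0", s, d) for s, d in FLOWS}

if __name__ == "__main__":
    for r in thread_chain():
        print(to_iptables(r))
    print(audit(thread_chain()))
    # Appending the catch-all DROP first means the ACCEPT is never reached.
    print(audit(list(reversed(thread_chain()))))
```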
@aqos156 Thanks for the help. I also have another solution: just run multiple instances of the openvpn image, for example Container 1 no LAN, Container 2 LAN,
and then block container 1's access to the local network via firewall. What do you think about this setup?
Is there any way to configure this container to provide 2 subnets in this setup:

- 10.8.0.1/24 - dynamically assigned to clients and only access to other clients in this subnet, no ability to route all traffic through the VPN
- 10.9.0.1/24 - statically assigned to clients and access to everything -> other local ip ranges and also possibly access to 10.8.0.1/24, ability to route all traffic through the VPN