kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License
8.62k stars 2.37k forks

Multiple subnets with limited access #672

Closed aqos156 closed 2 years ago

aqos156 commented 2 years ago

Is there any way to configure this container to provide 2 subnets in this setup:

aqos156 commented 2 years ago

We have solved it by adding route and push "route" for both and client-to-client when generating config and after that adding these commands to ovpn_env.sh

iptables -A FORWARD -i tun0 -s 10.9.0.1/24 -j ACCEPT
iptables -A FORWARD -i tun0 -j DROP

This way clients from 8 are able to only communicate between themselves and from 9 are able to use the droplet as default gateway.

hppyworld commented 2 years ago

> We have solved it by adding route and push "route" for both and client-to-client when generating config and after that adding these commands to ovpn_env.sh
>
> iptables -A FORWARD -i tun0 -s 10.9.0.1/24 -j ACCEPT
> iptables -A FORWARD -i tun0 -j DROP
>
> This way clients from 8 are able to only communicate between themselves and from 9 are able to use the droplet as default gateway.

Thanks for the suggestion. Can you please explain a little bit more? Where exactly do I apply these rules inside the docker container?

And can you please give a complete example of multiple subnets with limited access? Thanks.

aqos156 commented 2 years ago

@hppyworld

Firstly generate config

# -s: default server range; -n: DNS; -r: server routes for the 10.10 and 10.11 ranges;
# -p: push the 10.11 route to client devices; -e: extra server directives
# (client-to-client allows talking between clients).
# Comments must not follow the "\" continuation, otherwise the command breaks apart.
docker-compose run --rm openvpn ovpn_genconfig \
    -u udp://<<ovpnaddress>> \
    -s 10.10.0.0/16 \
    -n "8.8.8.8" \
    -r "10.10.0.0/16" \
    -r "10.11.0.0/16" \
    -p 'route 10.11.0.0 255.255.0.0' \
    -e "explicit-exit-notify 10" \
    -e "client-to-client"

This will result in all clients being on the restricted 10.10.0.0/16 range by default.

ovpn_env.sh

Add this to the end of ovpn_env.sh. This setup allows crosstalk between the 10.10 and 10.11 ranges, so you can ping 10.11.x.x from 10.10.x.x. To disallow this would require some additional iptables rules, I think.

  iptables -A FORWARD -i tun0 -s 10.11.0.0/16 -j ACCEPT # This allows packet forwarding on tun0 interface for the ip range
  iptables -A FORWARD -i tun0 -j DROP # This disables forwarding for all other ip ranges

Note: This is the env file generated by the genconfig script. You can run into problems if you want to change the config, because you should use the genconfig script, and it regenerates and overwrites ovpn_env.sh -> I recommend that if you need to regenerate the config, always remove the openvpn.conf and ovpn_env.sh files first.

CCD folders

Add client-specific CCD files containing static IPs; for example, I have clients:

ccd/bob

ifconfig-push 10.11.0.10 10.11.0.11

The two IPs must be sequential, because that's what OpenVPN wants to have. You can read more on it here; this article also contains some similar configuration.
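To make the CCD step above repeatable, here is a small POSIX shell helper (an added example, not code from the docker-openvpn project or from this thread) that computes the second, consecutive address for a client and refuses to write a CCD file if either address falls outside the routed range. The client name `bob`, the address `10.11.0.10` and the `./ccd` directory default are taken from the comment; the `CCD_DEMO` variable is an assumption of this example.

```shell
#!/bin/sh
# Added example: write per-client CCD files whose ifconfig-push pair is two
# consecutive addresses inside the routed range. Not part of docker-openvpn.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR (e.g. 10.11.0.0/16)
in_cidr() {
    case $2 in */*) ;; *) return 2 ;; esac
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ccd_entry LOCAL_IP ROUTED_RANGE
# Prints the ifconfig-push line; the peer address is the next consecutive
# address, and both must fall inside ROUTED_RANGE.
ccd_entry() {
    local_ip=$1; range=$2
    peer=$(int_to_ip $(( $(ip_to_int "$local_ip") + 1 )))
    in_cidr "$local_ip" "$range" && in_cidr "$peer" "$range" || {
        echo "error: $local_ip/$peer not inside $range" >&2
        return 1
    }
    printf 'ifconfig-push %s %s\n' "$local_ip" "$peer"
}

# write_ccd CLIENT_NAME LOCAL_IP ROUTED_RANGE [CCD_DIR]
# Creates CCD_DIR/CLIENT_NAME (CCD_DIR defaults to ./ccd, as in the comment).
write_ccd() {
    dir=${4:-./ccd}
    mkdir -p "$dir"
    ccd_entry "$2" "$3" > "$dir/$1"
}

# Demo (assumed variable): CCD_DEMO=1 sh this_script.sh
if [ "${CCD_DEMO:-0}" = 1 ]; then
    write_ccd bob 10.11.0.10 10.11.0.0/16 && cat ./ccd/bob
fi
```

Running `write_ccd bob 10.11.0.10 10.11.0.0/16` produces `ccd/bob` with the same `ifconfig-push 10.11.0.10 10.11.0.11` line as above; an address at the very end of the range (whose peer would be 10.12.0.0) is rejected instead of silently producing a client outside the pushed route.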

hppyworld commented 2 years ago

@aqos156 Thanks for the nice explanation. I was trying your solution, and I am confused at one point. I want to restrict

Can you please help with how I can achieve this configuration? Thanks a lot for the help.

aqos156 commented 2 years ago

@hppyworld well I'm not sure if it will work, but you could add this iptables rule:

# -i is only accepted in the INPUT and FORWARD chains, and packets routed from tun0
# to other interfaces traverse FORWARD (OUTPUT only sees packets the host itself
# sends), so the rule goes in FORWARD; -I inserts it ahead of the existing ACCEPT rules
iptables -I FORWARD -i tun0 -s 10.10.0.0/16 -d <<your_local_ip_range>> -j DROP

This rule will drop any packets from the 10.10.0.0/16 range routed to <>. But 10.10.0.0/16 must be the server default range, otherwise it will not work.

Why will it not work otherwise?

From what I found out using tcpdump, OpenVPN routes packets through the tun0 interface only from its default server range set by the -s argument. Packets from other ranges (like 10.11.0.0/16 from my example) are not to be found anywhere. This means that you can only limit access on the default server range; others will remain unrestricted.

@kylemanna do you know anything about this? I think that this is not a problem of this image, but more a problem of OpenVPN

What else to do if you want to restrict cross-range talk?

OpenVPN

I'm not sure if the enterprise edition can do anything about this. If you do not need high availability or specifically this image, then maybe try installing OpenVPN directly. But I wouldn't be surprised if even then the packets would not be routed/visible through the tun0 interface.

WireGuard

What is WireGuard?

There are quite a lot of tools around WireGuard that can do this, even more easily than with OpenVPN, but I have no hands-on experience with them. Some of these are:

If you are still unable to come up with a solution, then check out https://selfhosted.show/ and its Discord channel (the link is located in their navbar) and ask there if anybody has a solution to this. Let me know if you come up with anything :)
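The FORWARD rules from the first comment and the LAN-blocking rule from the comment above only work together if they are evaluated in the right order (most specific DROP first, then the ACCEPT for the range that may use the server as gateway, then the catch-all DROP), and they accumulate duplicates if ovpn_env.sh is sourced more than once. The following POSIX shell helper is an added example, not the project's own code: it emits the rules in that order and checks each one with `iptables -C` before appending it. The "gateway" range `10.9.0.0/24` comes from the first comment; the LAN range `192.168.1.0/24` and the `DRY_RUN` variable are constructed for this example, and routed packets are placed in FORWARD because the OUTPUT chain never sees traffic forwarded from tun0.

```shell
#!/bin/sh
# Added example: idempotent tun0 FORWARD policy for the two-subnet setup in
# this thread. Not part of docker-openvpn.

DEV=${DEV:-tun0}   # OpenVPN interface inside the container

# ensure_rule CHAIN RULE... : append the rule only if it is not already present.
# With DRY_RUN=1 (assumed variable) the -A command is printed instead of run,
# which is handy for reviewing the resulting order without root.
ensure_rule() {
    chain=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -A $chain $*"
        return 0
    fi
    iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"
}

# forward_policy GATEWAY_RANGE LAN_RANGE
# GATEWAY_RANGE may be forwarded anywhere except LAN_RANGE; every other source
# arriving on $DEV (the client-to-client-only range) is dropped, so it can only
# talk to other clients via OpenVPN's own client-to-client switching.
forward_policy() {
    gateway=$1; lan=$2
    # 1. evaluated first: gateway clients must not reach the LAN
    ensure_rule FORWARD -i "$DEV" -s "$gateway" -d "$lan" -j DROP
    # 2. gateway clients may be forwarded anywhere else (default gateway use)
    ensure_rule FORWARD -i "$DEV" -s "$gateway" -j ACCEPT
    # 3. everything else from the tunnel is dropped
    ensure_rule FORWARD -i "$DEV" -j DROP
}

# Usage from the end of ovpn_env.sh (constructed LAN range):
if [ "${FORWARD_POLICY_DEMO:-0}" = 1 ]; then
    forward_policy 10.9.0.0/24 192.168.1.0/24
fi
```

Because `iptables -C` returns non-zero when the rule is missing, re-sourcing the file adds nothing the second time; `-C` needs the same NET_ADMIN capability as `-A`, so it only works in the container that actually owns tun0.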

hppyworld commented 2 years ago

@aqos156 Thanks for the help. I also have another solution: just run multiple instances of the openvpn image, for example Container 1: no LAN, Container 2: LAN

and then block container 1's access to the local network via firewall. What do you think about this setup?