Hi,
I have a remote device which runs OpenVPN clients and connects to my workplace OpenVPN server side (the interface implementation is TUN), and on the server side
client-to-client and
server-bridge are enabled.
The OpenVPN server uses the tun21 device, and the tun21 IP address is
10.8.0.1/255.255.255.0
The client side OpenVPN interface gets the static IP address 10.8.0.101/255.255.255.0 (connects via tun11) from the OpenVPN server.
In fact the OpenVPN server is running on a Tomato router that has several physical and virtual interfaces.
Following are the server side (Tomato router) interfaces:
br0 Link encap:Ethernet HWaddr BC:XX:7B:XXB:TT
inet addr:192.168.4.7 Bcast:192.168.4.255 Mask:255.255.255.0
tun21 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
vlan2 Link encap:Ethernet HWaddr 11:EE:7B:ZZ:YY:FF
inet addr:192.168.10.13 Bcast:192.168.10.255 Mask:255.255.255.0
The workplace internet connection is the only network cable connected to the OpenVPN server (it goes to the WAN port of the Tomato router).
The workplace subnet is in the range 192.168.10.0/24, the LAN of the Tomato router is 192.168.4.0/24, and the workplace gives the static IP address 192.168.10.13 to the WAN port of the Tomato router.
The problem is that the OpenVPN client (with CommonName (CN) client_remote) can access the workplace subnet 192.168.10.0/24 without any restriction.
I want to block access to the workplace network (192.168.10.0/24) for all clients whose IP address is in the range 192.168.42.0/24 and/or whose client VPN interface static IP is in the range 10.8.0.101-10.8.0.121.
I prefer not to take out the
server-bridge or
client-to-client options (since there are a huge number of clients that must have access to each other and even the workplace network, but very few with restricted access).
I am not sure if I have to use
ebtables or
iptables, and what command I have to add to my firewall scripts.
Thanks in advance
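As an added example (not the original poster's script): with a TUN interface the tunnel packets are routed, so on their way from tun21 to vlan2 they cross the router's FORWARD chain, which makes iptables the place to restrict them (ebtables only sees bridged frames). The interface names and addresses are the ones given in the post; the chain name vpn_restrict is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not from the original post): Tomato firewall-script fragment
# that keeps a range of OpenVPN tunnel addresses away from the workplace LAN.
# Interface and address values are taken from the post; the chain name is a
# hypothetical choice.
VPN_IF="${VPN_IF:-tun21}"               # server-side OpenVPN interface
WAN_IF="${WAN_IF:-vlan2}"               # interface towards the workplace LAN
WORK_NET="${WORK_NET:-192.168.10.0/24}"
BLOCK_FROM="${BLOCK_FROM:-10.8.0.101}"  # first restricted tunnel address
BLOCK_TO="${BLOCK_TO:-10.8.0.121}"      # last restricted tunnel address
CHAIN="${CHAIN:-vpn_restrict}"          # hypothetical chain name

# Emit the rules as text so the policy can be reviewed before it is applied.
# Only the BLOCK_FROM-BLOCK_TO range is dropped; every other client RETURNs
# to normal FORWARD processing and keeps its access.
build_rules() {
  cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -F $CHAIN
iptables -A $CHAIN -m iprange --src-range $BLOCK_FROM-$BLOCK_TO -d $WORK_NET -j DROP
iptables -A $CHAIN -j RETURN
iptables -D FORWARD -i $VPN_IF -o $WAN_IF -j $CHAIN 2>/dev/null || true
iptables -I FORWARD 1 -i $VPN_IF -o $WAN_IF -j $CHAIN
EOF
}

# Run the emitted rules on the router (needs root). Safe to re-run: the chain
# is flushed and the FORWARD jump is removed before being re-inserted.
apply_rules() {
  build_rules | sh -e
}

# Local sanity check of the range boundaries: does a given tunnel address
# fall inside the span the iprange match will drop?
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
is_blocked() {
  ip=$(ip_to_int "$1"); lo=$(ip_to_int "$BLOCK_FROM"); hi=$(ip_to_int "$BLOCK_TO")
  [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# On the router:  . ./vpn_restrict.sh && apply_rules
# Dry run:        build_rules
```

iptables only sees the tunnel source address (10.8.0.x) here, not the clients' own 192.168.42.0/24 addresses, and client-to-client traffic is switched inside OpenVPN without reaching the FORWARD chain, so these rules leave it untouched.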