LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-26-2018, 10:31 PM   #1
nicedreams
OpenVpn multiple clients iptables nat rules


What I would like to do is, let's say, have 5 client devices auto-OpenVPN into my cloud server (always-on tech support devices at my clients). I have this part done.

I'm not an iptables network expert here and need help. Right now the server and connected clients can all access each other back and forth, which is a security problem.

I'd like to set up iptables so it's like a NAT, where the server can access the clients, but the clients can't access the server or each other. I also don't want them sharing internet traffic with my cloud server, in case it's making client web traffic go through my cloud for some reason (like a general VPN for secure internet browsing), but I think it's not. I just want to make sure I always have access to these devices from my cloud server (ssh, file transfers of backups, viewing remote client logs, etc.), but the clients don't have access to the server or each other.

The other part to this is I want to be able to VPN myself as a client from Windows into the cloud VPN server and not be blocked from using PuTTY to ssh into the clients. So my IP, 10.8.0.2 (whatever my client IP is at the time), would be unblocked, I guess is how it's done.

OpenVPN subnet is 10.8.0.1-xxx

============== /etc/openvpn/server.conf ===============
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

======================= openvpn_client.ovpn =========================
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3

Last edited by nicedreams; 09-26-2018 at 10:39 PM. Reason: added configs
 
Old 09-27-2018, 03:15 PM   #2
nicedreams
Was able to figure it out after finding out about the "net30" option and reading up more on networking. Posting how I got this working in case it helps others.

The issue is that all clients were on the same subnet and I was trying to find iptables rules to block them. I didn't know you could have OpenVPN assign clients to different /30 subnets. I found that if you change "topology subnet" to "topology net30" each client will be separate, but the client can talk to the server and no one else. I can then do iptables rules to bridge subnets together if needed (which I'm learning next).

I keep reading how net30 was an option to fix an issue with Windows, but I hope it stays as an option, since now I've read it's not recommended anymore. Well, if I want each client on a /30 subnet, then this seems the only way to go. Works just fine so far and I hope it stays an option.

nano /etc/openvpn/server.conf

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology net30
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
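For the goal in post #1 (server reaches clients, clients reach neither the server nor each other, one admin client keeps ssh access), plain filter rules on the server do the job with no NAT, and they work with either topology from the two server.conf files above. The script below is an added example, not from the thread: it assumes tun0 as the OpenVPN interface and 10.8.0.2 as the admin client's address, and takes the 10.8.0.0/24 network from "server 10.8.0.0 255.255.255.0".

```shell
#!/bin/sh
# Added example (not from the thread). Server-side iptables filter rules:
#  - the server may open connections to any client (replies return as ESTABLISHED)
#  - clients may not reach the server or each other
#  - one admin client (ADMIN_IP) may still ssh to the server and reach the clients
#  - client traffic is not forwarded out to the Internet through the server
# Assumed values: tun0 as the OpenVPN interface, 10.8.0.2 as the admin client.
# The FORWARD rules only see client-to-client packets because neither
# server.conf above uses "client-to-client" (which would bypass iptables).
TUN_IF="tun0"
VPN_NET="10.8.0.0/24"
ADMIN_IP="10.8.0.2"

# Print the rule set instead of applying it, so it can be reviewed first.
gen_rules() {
    cat <<EOF
# Traffic arriving from the tunnel and addressed to the server itself
iptables -A INPUT -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $TUN_IF -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $TUN_IF -j DROP
# Traffic routed through the server: client-to-client (tun -> tun) and out
iptables -A FORWARD -i $TUN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $TUN_IF -s $ADMIN_IP -d $VPN_NET -j ACCEPT
iptables -A FORWARD -i $TUN_IF -j DROP
EOF
}

# Number of iptables commands the generator emits (handy for a sanity check).
rule_count() {
    gen_rules | grep -c '^iptables'
}

# Apply the rules (needs root). Run with: sh thisfile.sh apply
apply_rules() {
    gen_rules | sh
}

case "${1:-}" in
    apply) apply_rules ;;
    *) gen_rules ;;
esac
```

With the post #1 config still pushing "redirect-gateway def1", the final FORWARD DROP also cuts the clients' own Internet access, so remove that push line (as post #2 does) unless that is intended.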