LinuxQuestions.org > Linux - Server > iptables question with OpenVPN (tun0 to tun0 filtering)
https://www.linuxquestions.org/questions/linux-server-73/iptables-question-with-openvpn-tun0-to-tun0-filtering-757715/

fang0654 09-25-2009 08:59 AM

iptables question with OpenVPN (tun0 to tun0 filtering)
 
I've got a (hopefully) simple question.

I've got an OpenVPN Server, running with various subnets, working perfectly.

What I'm trying to do is block traffic going from VPN Subnet A to VPN Subnet B. I've been able to restrict traffic to the local LAN hosting the VPN server using rules in the FORWARD chain. I can't seem to find a way to control what is routing through the tun0 interface, though.

It is almost as if the tunnel to tunnel routing isn't even going through OpenVPN.

I've set the default policy on FORWARD to DROP, and have been able to block access to the internal LAN, but I can still ping client to client. I know just commenting out client-to-client in the server.conf for OpenVPN will work, but I want to have SOME client-to-client communication, just not all.

Any recommendations?

deadeyes 09-29-2009 08:28 AM

Quote:

Originally Posted by fang0654 (Post 3696793)
[quotes the opening post above in full]

I am not sure what you mean.

You have a VPN server. Two VPN clients (each with a LAN behind them) connect.
You should see the traffic on tun0 or a similar interface. I would think you can control the traffic by using the tun0, tun1, ... interface in your iptables rules. Maybe it is useful to do a tcpdump to see what is passing with which IP addresses.

fang0654 09-29-2009 12:06 PM

Thanks for the response.

I found the problem. When you have that client-to-client directive enabled in the server.conf for openvpn, it actually doesn't route the traffic via the tun0 interface at all, so it never shows up in iptables (or tcpdump, for that matter). When I disabled the directive, then the traffic started getting routed via the interface, and I could control it with iptables.
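
Added example, not code posted in this thread: once the client-to-client directive is commented out, OpenVPN hands every client packet to the kernel on tun0 and the kernel routes it back out tun0, so the FORWARD chain sees it with both "-i tun0" and "-o tun0" and can allow some client-to-client traffic while dropping the rest. The subnets (10.8.1.0/24 as "subnet A", 10.8.2.0/24 as "subnet B"), the allowed host 10.8.2.10, the chain name VPN_C2C and the path /etc/openvpn/server.conf are assumptions for illustration; how clients end up in those ranges (ccd/ifconfig-push, iroute for LANs behind clients) is not covered here. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): selective tun0 -> tun0 filtering for
# OpenVPN after "client-to-client" has been commented out in server.conf.
# Hypothetical values, adjust to your deployment:
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them
VPN_IF="${VPN_IF:-tun0}"
SUBNET_A="${SUBNET_A:-10.8.1.0/24}"        # assumed "VPN subnet A"
SUBNET_B="${SUBNET_B:-10.8.2.0/24}"        # assumed "VPN subnet B"
ALLOWED_B_HOST="${ALLOWED_B_HOST:-10.8.2.10}"   # assumed host in B that A may reach
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"   # assumed path

# Return 0 if an uncommented "client-to-client" directive is present in the
# given server.conf. While it is, OpenVPN switches client traffic internally
# and neither iptables nor tcpdump on tun0 ever sees it.
client_to_client_enabled() {
    grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "$1"
}

# Without client-to-client the kernel itself must forward tun0 -> tun0.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Build a dedicated chain for VPN-to-VPN traffic and hook it from FORWARD.
# Existing FORWARD rules for VPN -> local LAN are left alone.
apply_vpn_rules() {
    $IPT -N VPN_C2C 2>/dev/null || $IPT -F VPN_C2C
    # Re-runnable: remove an existing hook before adding it again.
    $IPT -D FORWARD -i "$VPN_IF" -o "$VPN_IF" -j VPN_C2C 2>/dev/null || true
    $IPT -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -j VPN_C2C
    # Replies for connections already allowed by the rules below.
    $IPT -A VPN_C2C -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Subnet A may open HTTPS to one host in B, nothing else.
    $IPT -A VPN_C2C -s "$SUBNET_A" -d "$ALLOWED_B_HOST" -p tcp --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Subnet B may open anything towards subnet A.
    $IPT -A VPN_C2C -s "$SUBNET_B" -d "$SUBNET_A" -m conntrack --ctstate NEW -j ACCEPT
    # Every other client-to-client packet is logged (rate limited) and dropped.
    $IPT -A VPN_C2C -m limit --limit 5/min -j LOG --log-prefix "VPN_C2C_DROP: "
    $IPT -A VPN_C2C -j DROP
}

# Per-rule packet counters. A client-to-client ping that still gets through
# must bump a counter here; if nothing moves, the traffic is bypassing the
# kernel (client-to-client still on) or using another interface.
show_vpn_counters() {
    $IPT -L VPN_C2C -v -n
}

case "${1:-}" in
    apply)
        if client_to_client_enabled "$SERVER_CONF"; then
            echo "comment out client-to-client in $SERVER_CONF first" >&2
            exit 1
        fi
        ip_forward_enabled || { echo "net.ipv4.ip_forward is 0" >&2; exit 1; }
        apply_vpn_rules ;;
    show) show_vpn_counters ;;
esac
```

Run it as "sh vpn-c2c.sh apply" on the VPN server after restarting OpenVPN without client-to-client, then "sh vpn-c2c.sh show" while pinging between clients; the VPN_C2C_DROP log lines and the counters confirm that the packets now cross tun0 twice and are being filtered.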

deadeyes 09-30-2009 02:17 AM

Quote:

Originally Posted by fang0654 (Post 3700708)
[quotes the previous post above in full]

Interesting... will keep that in mind when using OpenVPN :)

please do mark your thread as being solved with the thread tools

