LinuxQuestions.org
Old 04-18-2011, 04:33 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
OpenVPN prevent sites from being accessed


Is there a way to prevent users of an OpenVPN service from accessing restricted sites?
I know this can be done through a proxy server, but through a VPN there seems to be no way of preventing traffic from accessing porn sites or others, as the traffic is encrypted.
I am using a VPN in the same fashion as a proxy server except that the VPN is necessary because some video sites use rtmp on port 1935, which a proxy server cannot route.
 
Old 04-18-2011, 05:06 AM   #2
droyden
Member
 
Registered: Feb 2007
Location: UK
Posts: 150

Rep: Reputation: 19
If you control the VPN then you could have an iptables ruleset on that interface.
 
Old 04-18-2011, 10:17 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
So, I would route VPN traffic to the proxy and log it on the proxy?
However, let's say I only wanted to allow ports 80, 1194, and 1935 on the VPN and on the proxy, how would I block all the other ports and make sure the client connects as normal? For example,
Email connects to myemail.net on port 110.
Firefox connects to www.google on port 80.
The client connects via VPN and traffic on port 80 is forwarded to the proxy server. What happens to the port 110 traffic? If I block it, it will just drop. Does this need a firewall on the client to direct it?
 
Old 04-19-2011, 04:54 AM   #4
droyden
Member
 
Registered: Feb 2007
Location: UK
Posts: 150

Rep: Reputation: 19
So as per the example above, you would want to push port 80 down the VPN and 110 through your normal connection?
 
Old 04-19-2011, 03:15 PM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by droyden View Post
So as per the example above, you would want to push port 80 down the VPN and 110 through your normal connection?
Yes, but doesn't the client have to divert that, or can the server bounce port 110 back to the client and out the normal connection?
Or is there something in the OpenVPN config?
 
Old 04-20-2011, 04:00 PM   #6
droyden
Member
 
Registered: Feb 2007
Location: UK
Posts: 150

Rep: Reputation: 19
Really not sure how you would do this. I dare say it must be possible, but it probably won't be elegant! I imagine you would need to use the VPN without a gateway and then use iptables to DNAT or route target.

http://netfilter.org/documentation/H...s-HOWTO-4.html

Probably need to do some man page reading I think!
 
Old 04-21-2011, 03:44 AM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by droyden View Post
Really not sure how you would do this. I dare say it must be possible, but it probably won't be elegant! I imagine you would need to use the VPN without a gateway and then use iptables to DNAT or route target.

http://netfilter.org/documentation/H...s-HOWTO-4.html

Probably need to do some man page reading I think!
I think I can forward the VPN onto a transparent proxy and the proxy can filter the web traffic.
I'm a bit worried that my VPN will be used by some dodgy people to encrypt their internet activities.

How does the client decide whether to route port 80 through the VPN but all other traffic through the normal ISP?

Last edited by qwertyjjj; 04-21-2011 at 03:50 AM.
 
Old 04-22-2011, 06:43 AM   #8
droyden
Member
 
Registered: Feb 2007
Location: UK
Posts: 150

Rep: Reputation: 19
If you force it through a transparent proxy and use something like squid, you can add extra logging/auditing/reports on the squid logs.
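
The two suggestions in this thread (an iptables ruleset on the VPN interface, and port 80 forced through a transparent Squid) written out as an added example; it is not from any poster. The function name `vpn_rules`, the interface `tun0`, the Squid port 3128 and the forwarded DNS rule are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for OpenVPN client traffic.
# Assumptions (not from the thread): tunnel interface tun0, Squid listening
# in transparent/intercept mode on local port 3128, DNS forwarded for clients.

vpn_rules() {
    iface=${1:-tun0}
    proxy_port=${2:-3128}

    # Refuse anything that is not a plain interface name / port number,
    # so a typo cannot turn into a malformed or overly broad rule.
    case $iface in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case $proxy_port in ''|*[!0-9]*) return 1 ;; esac
    [ "$proxy_port" -ge 1 ] && [ "$proxy_port" -le 65535 ] || return 1

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Web traffic from VPN clients is handed to the local Squid for filtering/logging
-A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Redirected port-80 connections arrive on INPUT at the proxy port
-A INPUT -i $iface -p tcp --dport $proxy_port -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# RTMP video, which the proxy cannot carry
-A FORWARD -i $iface -p tcp --dport 1935 -j ACCEPT
# DNS lookups (assumption: clients resolve through the tunnel)
-A FORWARD -i $iface -p udp --dport 53 -j ACCEPT
# Everything else from clients (e.g. POP3 on 110) is logged and refused
-A FORWARD -i $iface -j LOG --log-prefix "vpn-blocked: "
-A FORWARD -i $iface -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
```

Review the output and merge it into the server's existing ruleset; loading it alone with `iptables-restore` replaces the nat and filter tables, including any MASQUERADE rule the VPN already relies on. A client that sends all its traffic into the tunnel sees port 110 refused here; these rules do not send it back out over the client's own connection.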
 
  

