OpenVPN prevent sites from being accessed

qwertyjjj · 04-18-2011, 03:33 AM

Is there a way to prevent users of an OpenVPN service from accessing restricted sites?
I know this can be done through a proxy server but through a VPN there seems to be no way of preventing traffic from accessing porn sites or other as the traffic is encrypted.
I am using a VPN in the same fashion as a proxy server except that the VPN is necessary because some video sites use rtmp on port 1935, which a proxy server cannot route.

droyden · 04-18-2011, 04:06 AM

If you control the vpn then you could have an iptables ruleset on that interface.

qwertyjjj · 04-18-2011, 09:17 AM

So, I would route VPN traffic to the proxy and log it on the proxy?
However, let's say I only wanted to allow ports 80, 1194, and 1935 on the VPN and on the proxy, how would I block all the other ports and make sure the client connects as normal? For example,
Email connects to myemail.net on port 110.
Firefox connects to www.google on port 80.
The client connects via VPN and traffic on port 80 is forwarded to the proxy server. What happens to the port 110 traffic? If I block it it will just drop, does this need a firewall on the client to direct it?

droyden · 04-19-2011, 03:54 AM

So as per example above you would want to push port 80 down the vpn and 110 through your normal connection?

qwertyjjj · 04-19-2011, 02:15 PM

Quote:

Originally Posted by droyden

So as per example above you would want to push port 80 down the vpn and 110 through your normal connection?

Yes, but doesn't the client have to divert that or can the server bounce port 110 back to the client and out the normal connection?
or is there something in the openvpn config?

droyden · 04-20-2011, 03:00 PM

Really not sure how you would do this, I dare say it must be possible but it probably won't be elegant! I imagine you would need to use the vpn without a gateway and then use iptables to dnat or route target.

http://netfilter.org/documentation/H...s-HOWTO-4.html

Probably need to do some man page reading I think!

qwertyjjj · 04-21-2011, 02:44 AM

Quote:

Originally Posted by droyden

Really not sure how you would do this, I dare say it must be possible but it probably won't be elegant! I imagine you would need to use the vpn without a gateway and then use iptables to dnat or route target.

http://netfilter.org/documentation/H...s-HOWTO-4.html

Probably need to do some man page reading I think!

I think I can forward the VPN onto a transparent proxy and the proxy can filter the web traffic.
I'm a bit worried that my VPN will be used by some dodgy people to encrypt their internet activities.

How does the client decide whether to route port 80 through the VPN but all other traffic through the normal ISP?

droyden · 04-22-2011, 05:43 AM

If you force it through a transparent proxy and use somethign like squid you can add extra logging/auditing/reports on the squid logs..