
Re: [Openvpn-users] Access Control Delima


  • Subject: Re: [Openvpn-users] Access Control Delima
  • From: "Thomas Domingo Dahlmann" <domingo@xxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 08:10:47 +0100 (CET)

Hi Seather

Fwbuilder is your friend (www.fwbuilder.org). Handling iptables on the CLI
is not my favorite, so fwbuilder is the GUI alternative, and it is quite
good, easy to install and easy to use.

If you would like to learn iptables, just look at the script fwbuilder
generates.


/Domingo

On Wed, January 11, 2006 02:33, Seather wrote:
> Leonard Isham wrote:
>> On 1/10/06, Seather <seather@xxxxxxxxxxxxx> wrote:
>>> Hi there everyone,
>>>
>>> I have followed the OpenVPN 2.0 howto on the website and set up a
>>> routed VPN. The purpose of this VPN is to put all of the servers I
>>> administer on it (some can only be accessed through the VPN, since they
>>> are on the inside of networks where the admins refuse to forward ports),
>>> for the occasional login, pings for status checkups with Nagios, et cetera.
>>>
>>> I have enabled the "client-to-client" option in the server's
>>> configuration file, so all clients can access all clients. However,
>>> this is not how I want it. This is an example of the setup (star
>>> topology):
>>>
>>> Desktop                Laptop
>>>
>>> VPN Server
>>>
>>> Box1       Box2       Box3      Box4
>>>
>>> I'd like Desktop, Laptop and VPN Server to have access to any of the
>>> VPN clients and the VPN server. I'd like Box1 .. Box4 to be able to talk
>>> to the VPN Server and vice versa, but not have access to any other client
>>> in the VPN. In other words, Box1 must not be able to connect to Box2
>>> and so forth.
>>>
>>> A better way of explaining might be this:
>>>
>>> For Box1 to Box4, I'd like the VPN to behave as if "client-to-client"
>>> is not enabled. For Desktop and Laptop, I'd like the VPN to behave as if
>>> "client-to-client" is enabled.
>>>
>>> Unfortunately I have no idea how to accomplish this at all. Should
>>> it be a firewall, routing or configuration issue? I'd prefer to have
>>> this access scheme controlled from the server.
>>>
>>> Can anyone please point me in the right direction?
>>>
>>
>> Disable client-to-client; it is all or nothing.
>>
>> Use both:
>> client-config-dir dir : Directory for custom client config files.
>> ccd-exclusive : Refuse connection unless custom client config is found.
>>
>> Assign IP addresses in the configuration files and use iptables to
>> restrict access. If your server happens to be Windows, I'd recommend
>> Linux.
>>
> Thanks a lot. I have all the clients' IP addresses configured now (this
> is a Linux server), but I still don't know how to do the iptables part of
> this. Could you perhaps advise on that? I do have some iptables experience.
>

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
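
The thread leaves the iptables part unanswered, so here is an added example (my own, not code from the thread or from the OpenVPN project) that implements the policy Seather describes on the server: Desktop and Laptop may open connections to any VPN client, Box1 .. Box4 may only answer them and talk to the server itself. Everything below is assumed for illustration: the interface tun0, the subnet 10.8.0.0/24 with net30 topology (each client owns a /30 and is pushed its address by an `ifconfig-push` line in its client-config-dir file, as in the OpenVPN 2.0 HOWTO), and the client addresses themselves. Two things must hold for this to work. First, `client-to-client` has to be removed from server.conf: with it set, OpenVPN switches client-to-client packets internally and they never reach the kernel, so no iptables rule sees them; without it, a packet from one client to another leaves tun0, is routed back out tun0 and traverses FORWARD (net.ipv4.ip_forward must be 1). Second, the hook rule must sit before any permissive FORWARD rule you already have for tun0, which is why it is inserted at position 1.

```shell
#!/bin/sh
# Added example, not from the thread: server-side access policy for the star
# topology. Assumed: OpenVPN 2.0 on Linux, tun0, 10.8.0.0/24, net30 topology,
# client-to-client removed from server.conf so client-to-client packets go
# through the kernel's FORWARD chain.

TUN="${TUN:-tun0}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of running them

# name=client-ip; the client IP is the first address of its /30 (1, 5, 9, ...).
# All addresses are assumptions for the example.
ADMINS="desktop=10.8.0.5 laptop=10.8.0.9"
BOXES="box1=10.8.0.13 box2=10.8.0.17 box3=10.8.0.21 box4=10.8.0.25"

# ccd_entry NAME IP: print the client-config-dir file for NAME. The second
# address of ifconfig-push is the peer endpoint inside the same /30, so the
# client address must start a /30 pair (last octet congruent to 1 mod 4).
ccd_entry() {
  name=$1; ip=$2
  last=${ip##*.}; base=${ip%.*}
  if [ $((last % 4)) -ne 1 ]; then
    echo "ccd_entry: $ip does not start a /30 pair" >&2
    return 1
  fi
  printf '# ccd/%s\nifconfig-push %s %s.%s\n' "$name" "$ip" "$base" "$((last + 1))"
}

# vpn_acl_rules: print the iptables commands, one per line, so they can be
# reviewed (or compared with what fwbuilder generates) before being applied.
vpn_acl_rules() {
  chain=VPN_ACL
  echo "$IPT -N $chain 2>/dev/null || true"
  echo "$IPT -F $chain"
  # Replies to conversations an admin host started flow back (ssh, pings, Nagios checks).
  echo "$IPT -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Admin hosts may open new connections to any VPN client.
  for entry in $ADMINS; do
    echo "$IPT -A $chain -s ${entry#*=} -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Anything else staying inside the VPN (Box1 -> Box2, Box -> Desktop) is logged and dropped.
  echo "$IPT -A $chain -j LOG --log-prefix 'VPN_ACL drop: '"
  echo "$IPT -A $chain -j DROP"
  # Only client-to-client traffic (in and out on tun0) is subject to the policy.
  # Traffic to the server's own VPN address hits INPUT, not FORWARD, so the
  # boxes keep talking to the server. Re-insert the hook at the top of FORWARD.
  echo "$IPT -D FORWARD -i $TUN -o $TUN -j $chain 2>/dev/null || true"
  echo "$IPT -I FORWARD 1 -i $TUN -o $TUN -j $chain"
}

# vpn_acl_apply: run the generated commands on the server (root required).
vpn_acl_apply() {
  vpn_acl_rules | sh -e
}

# Stand-alone run: show the CCD files and the firewall script; nothing is applied.
for entry in $ADMINS $BOXES; do
  ccd_entry "${entry%%=*}" "${entry#*=}"
done
vpn_acl_rules
```

The chain is default-deny for everything that enters and leaves on tun0, with the admin hosts as the only allowed initiators; the boxes never get a rule of their own, so Box1 cannot reach Box2 or Desktop but can still answer a Nagios check that Desktop started, because conntrack classifies the reply as ESTABLISHED. The LOG rule before the DROP is cheap and tells you at once whether a box is trying to talk to a peer it should not. Call `vpn_acl_apply` as root to load the rules, or pipe `vpn_acl_rules` into your existing firewall script.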