Re: [Openvpn-users] Iptables: match by OpenVPN client IP address rather than source address?


  • Subject: Re: [Openvpn-users] Iptables: match by OpenVPN client IP address rather than source address?
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Mon, 15 Jan 2007 16:02:02 +0000

Serge

Serge Wautier wrote:
> Env.: openVPN 2.0.6 TLS server mode, routed, TUN. Ubuntu 6.06 Server.
> 
> Hi All,
> 
> With iptables, is it possible to match packets coming in through a given OpenVPN client connection?
> (Part of) My problem is that there is a LAN behind some of my OpenVPN clients and I don't know these LAN addresses. Hence I can't use iptables -s a.b.c.d/x since I don't know a.b.c.d.
> Still I need to perform some filtering based on the OpenVPN client the packet is coming through. Can iptables be used to look up the OpenVPN client IP used to enter the VPN? (I control the VPN IPs using a client-connect script).
> 
If you don't know the addresses behind your clients you won't be able to
route packets there, so I doubt you will accept connections from there,
as you will never be able to successfully send a SYN-ACK packet.

Do your clients announce the network behind themselves? How can you be
sure the clients won't masquerade the packets coming from the local LAN?

cheers

Erich
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
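Added example (not from the thread or from the OpenVPN project): the mechanism that ties Erich's two questions together. In routed TUN server mode, OpenVPN only forwards a packet arriving from a client if its source address is that client's tunnel IP or a subnet declared for that client with "iroute" in its client-config-dir file; anything else is logged as a bad source address and dropped. So the client must announce its LAN, and once it does, the server's "learn-address" hook is called with the operation, the address or subnet, and the certificate common name, which is exactly the client identity iptables cannot see on its own. The script below uses that hook to keep one FORWARD chain per common name. The paths, the chain naming scheme and the state file are assumptions of this example; set IPT=echo to see the rules without touching the firewall.

```shell
#!/bin/sh
# OpenVPN learn-address hook (added example, not the thread's own code).
# OpenVPN invokes it as:   script <add|update|delete> <address> [<common-name>]
# <address> is the client's tunnel IP, or for an "iroute" subnet the network
# in a.b.c.d/n form. "delete" carries no common name, so we keep an
# address -> chain map in $STATE to know which rule to remove.
# Assumed server config (hypothetical paths):
#   learn-address /etc/openvpn/learn-address.sh
#   script-security 2          # required on OpenVPN 2.1 and later
# OpenVPN exports $dev (the tun device name) to the script; default tun0.

ipt() { "${IPT:-iptables}" "$@"; }           # IPT=echo gives a dry run
STATE="${STATE:-/var/run/openvpn-learn-address.map}"

# Per-client chain name from the certificate CN. iptables chain names are
# limited to 28 characters, so strip anything outside [A-Za-z0-9_] and cut.
chain_for_cn() {
    printf 'ovpn_%s\n' "$1" | tr -c 'A-Za-z0-9_\n' '_' | cut -c1-28
}

# Chain currently bound to an address (or nothing if unknown).
chain_for_addr() {
    [ -f "$STATE" ] && awk -v a="$1" '$1 == a { print $2 }' "$STATE"
    return 0
}

learn_address() {
    op=$1 addr=$2 cn=$3
    tun="${dev:-tun0}"
    case "$op" in
    add|update)
        chain=$(chain_for_cn "$cn")
        ipt -N "$chain" 2>/dev/null || true   # no-op if the chain exists
        # Only packets that entered through the tunnel with a source OpenVPN
        # has attributed to this client are diverted to the client's chain.
        # Delete any stale copy first so repeated add/update calls don't stack.
        ipt -D FORWARD -i "$tun" -s "$addr" -j "$chain" 2>/dev/null || true
        ipt -I FORWARD -i "$tun" -s "$addr" -j "$chain"
        { [ -f "$STATE" ] && awk -v a="$addr" '$1 != a' "$STATE"
          echo "$addr $chain"; } > "$STATE.new"
        mv "$STATE.new" "$STATE"
        ;;
    delete)
        chain=$(chain_for_addr "$addr")
        [ -n "$chain" ] || return 0            # nothing recorded, nothing to do
        ipt -D FORWARD -i "$tun" -s "$addr" -j "$chain"
        awk -v a="$addr" '$1 != a' "$STATE" > "$STATE.new" && mv "$STATE.new" "$STATE"
        ;;
    *)
        echo "learn-address: unknown operation '$op'" >&2
        return 1
        ;;
    esac
}

# When run as the hook, act on OpenVPN's arguments; when sourced, do nothing.
if [ $# -gt 0 ]; then
    learn_address "$@"
fi
```

The per-client chains start empty, so the admin fills them (for example, "iptables -A ovpn_branch_office -d 10.0.0.0/8 -j ACCEPT" followed by a DROP), and rules keyed on a client identity then survive address changes because the hook rewrites the FORWARD jump on every add/update. The client itself still has to declare its LAN with "iroute" in its ccd file for any of this to fire, which is the point Erich makes about routing; a client that instead masquerades its LAN behind its tunnel IP would match that tunnel IP's rule and nothing finer.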