Re: [Openvpn-users] Access Control Dilemma

  • From: Seather <seather@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 03:33:48 +0200

Leonard Isham wrote:

On 1/10/06, Seather <seather@xxxxxxxxxxxxx> wrote:

Hi there everyone,

I have followed the OpenVPN 2.0 howto on the website and set up a routed
VPN. The purpose of this VPN is to put all of the servers I administrate
on it (some can only be accessed through VPN since they are inside
networks where admins refuse to forward ports), for the occasional
login, pings for status checkups with Nagios, et cetera.

I have enabled the "client-to-client" option in the server's
configuration file, so all clients can access all clients. However this
is not how I want it. This is an example of the setup (star topology):

     Desktop          Laptop
            \        /
            VPN Server
           /   |  |   \
       Box1 Box2 Box3 Box4

I'd like Desktop, Laptop and VPN Server to have access to any of the VPN clients and the VPN server. I'd like Box1 .. Box4 to be able to talk to the VPN Server and vice versa, but not to have access to any other client in the VPN. In other words, Box1 must not be able to connect to Box2 and so forth.

A better way of explaining might be this:

For Box1 to Box4, I'd like the VPN to behave as if "client-to-client" is
not enabled.
For Desktop and Laptop, I'd like the VPN to behave as if "client-to-client"
is enabled.

Unfortunately I have no idea on how to accomplish this at all. Should it
be firewall, routing or configuration issues? I'd prefer to have this
access idea controlled from the server.

Anyone that can please point me in the right direction?

Disabling client-to-client is all or nothing.

Use both:
client-config-dir dir : Directory for custom client config files.
ccd-exclusive : Refuse connection unless custom client config is found.

Assign IP addresses in the configuration files and use iptables to
restrict access. If your server happens to be Windows I'd recommend

Thanks a lot, I have all the clients' IP addresses configured now (this is a Linux server), but I still don't know how to do the iptables for this. Could you perhaps advise on that? I do have some iptables experience.


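Putting the two halves of Leonard's advice together (fixed addresses via client-config-dir / ccd-exclusive, then iptables on the server), as an added example that is not from this thread and not OpenVPN's own code. It assumes the howto's default layout (tun0, 10.8.0.0/24, server at 10.8.0.1), OpenVPN 2.0's net30 addressing where each client gets a /30 pair, and clients whose certificate common names are desktop, laptop and box1 .. box4; all addresses and names are constructed for the example. The one caveat that makes the iptables part work at all: client-to-client must be left off, because with it on OpenVPN switches packets between clients internally and they never reach the kernel's FORWARD chain; with it off (and ip_forward=1) the packets go out tun0 and back in, where iptables can see them.

```shell
#!/bin/sh
# Added example (not from the list or from OpenVPN). Assumed server.conf:
#   server 10.8.0.0 255.255.255.0
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive
#   (no client-to-client line)
# and net.ipv4.ip_forward=1, as in the howto. Names/addresses are constructed.

TUN_IF="${TUN_IF:-tun0}"
VPN_NET="10.8.0.0/24"
# Set IPT=iptables to apply the rules; the default only prints them.
IPT="${IPT:-echo iptables}"

# Fixed address per client (net30 layout: "<client ip> <server-side peer ip>").
client_addr() {
    case "$1" in
        desktop) echo "10.8.0.6 10.8.0.5" ;;
        laptop)  echo "10.8.0.10 10.8.0.9" ;;
        box1)    echo "10.8.0.14 10.8.0.13" ;;
        box2)    echo "10.8.0.18 10.8.0.17" ;;
        box3)    echo "10.8.0.22 10.8.0.21" ;;
        box4)    echo "10.8.0.26 10.8.0.25" ;;
        *)       return 1 ;;
    esac
}

# Contents of the ccd file for one client; the file name must equal the
# certificate CN. With ccd-exclusive, a client without a file is refused.
ccd_entry() {
    addr=$(client_addr "$1") || return 1
    echo "ifconfig-push $addr"
}

# Write all ccd files into the directory given as $1 (e.g. /etc/openvpn/ccd).
write_ccd() {
    for cn in desktop laptop box1 box2 box3 box4; do
        ccd_entry "$cn" > "$1/$cn"
    done
}

# Policy for client-to-client traffic that the kernel forwards tun0 -> tun0:
# desktop and laptop may open connections to anything in the VPN, replies
# flow back, and everything else (box1..box4 talking to another client) is
# dropped. Server <-> client traffic uses INPUT/OUTPUT and is not touched.
fw_rules() {
    $IPT -N VPN_FWD 2>/dev/null
    $IPT -F VPN_FWD
    $IPT -A VPN_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for cn in desktop laptop; do
        ip=$(client_addr "$cn" | cut -d' ' -f1)
        $IPT -A VPN_FWD -s "$ip" -d "$VPN_NET" -j ACCEPT
    done
    $IPT -A VPN_FWD -j DROP
    # Hook the chain into FORWARD once (delete any earlier copy first).
    $IPT -D FORWARD -i "$TUN_IF" -o "$TUN_IF" -j VPN_FWD 2>/dev/null
    $IPT -I FORWARD -i "$TUN_IF" -o "$TUN_IF" -j VPN_FWD
}

# Usage:  write_ccd /etc/openvpn/ccd ; IPT=iptables fw_rules
```

Run it without setting IPT first to review the generated rule list; the DROP at the end of VPN_FWD is what keeps box1 from reaching box2, while the ESTABLISHED,RELATED rule lets box1 answer a connection that desktop opened.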