Re: [Openvpn-users] Access Control Dilemma

  • Subject: Re: [Openvpn-users] Access Control Dilemma
  • From: "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 07:13:07 -0500

On Wed, 2006-01-11 at 02:41 +0200, Seather wrote:
> Hi there everyone,
> I have followed the OpenVPN 2.0 howto on the website and set up a routed 
> VPN. The purpose of this VPN is to put all of the servers I administrate 
> on it (some can only be accessed through the VPN since they are on the insides of 
> networks where admins refuse to forward ports). For the occasional 
> login, pings for status checkups with nagios, et cetera.
> I have enabled the "client-to-client" option in the server's 
> configuration file, so all clients can access all clients. However this 
> is not how I want it. This is an example of the setup (star topology):
>    Desktop                Laptop
>              VPN Server
> Box1       Box2       Box3      Box4
> I'd like Desktop, Laptop and VPN Server to have access to any of the vpn 
> clients and vpn server.
> I'd like Box1 .. Box4 to be able to talk to the VPN Server and vice versa, 
> but not have access to any other client in the VPN. In other words, Box1 
> must not be able to connect to Box2 and so forth.
> A better way of explaining might be this:
> For Box1 to Box4, I'd like the VPN to behave as if "client-to-client" is 
> not enabled
> For Desktop, Laptop, I'd like the VPN to behave as if "client-to-client" 
> is enabled
> Unfortunately I have no idea on how to accomplish this at all. Should it 
> be firewall, routing or configuration issues? I'd prefer to have this 
> access idea controlled from the server.
> Can anyone please point me in the right direction?
This is a very common scenario for our work on the ISCS network security
management project (http://iscs.sourceforge.net).  In fact, it was
designed to manage very complex combinations of inter/intra office and
remote access security.  Although it is not yet finished, you can use
its principles (and even its existing pre-alpha interface) to solve your

This approach eliminates the need for static iptables rules.  The ISCS
dynamically adapts the access control rules based upon the DN of the
user's certificate.  This way, you can control access in a highly
granular fashion (Box1 has access to VPN server and Box2, Box2 has
access only to VPN server, Laptop has access to Boxes 1,2 and 4, etc.)
but without having to set client specific addresses.

The documentation and scripts are in the CVS although I have not yet
uploaded the adaptations for OpenVPN.  The dynamic access control
scripts were also recently featured in a TechRepublic article on
creative bash scripting.  If you are interested, I can post the scripts
but the full explanation is in the CVS.  Good luck - John
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880

Financially sustainable open source development
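One way to implement the server-side split discussed in this thread, as an added example that is not part of the original messages and not John's ISCS scripts: an OpenVPN client-connect/client-disconnect hook that derives iptables FORWARD rules from the certificate common name, so Desktop and Laptop get the full mesh while Box1..Box4 only reach the server. The hook path, interface name, addresses and the CN-to-role table are assumptions.

```shell
#!/bin/sh
# Hypothetical client-connect / client-disconnect hook for OpenVPN (added example,
# not the ISCS scripts). Assumed server.conf settings:
#   client-to-client removed   -> inter-client traffic is routed by the kernel via tun0
#   script-security 2
#   client-connect    /etc/openvpn/vpn-acl.sh
#   client-disconnect /etc/openvpn/vpn-acl.sh
# plus net.ipv4.ip_forward=1 and a deny-by-default base policy installed once:
#   iptables -A FORWARD -i tun0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -i tun0 -o tun0 -j DROP
# The server's own VPN address is local (INPUT/OUTPUT, not FORWARD), so every
# client can still talk to the server. OpenVPN exports common_name,
# ifconfig_pool_remote_ip and script_type to the hook.

VPN_IF="${VPN_IF:-tun0}"

# Role by certificate CN (assumed table): "admin" gets the full mesh,
# anything else is server-only.
role_for_cn() {
    case "$1" in
        desktop|laptop) echo admin ;;
        *)              echo managed ;;
    esac
}

# Print the iptables command for one client; $1 = CN, $2 = pool IP,
# $3 = "connect" or "disconnect". Only admins get an explicit ACCEPT;
# managed boxes print nothing and fall through to the base DROP rule.
rule_for_client() {
    cn="$1"; ip="$2"
    [ "$(role_for_cn "$cn")" = admin ] || return 0
    case "$3" in
        connect)    op="-I" ;;
        disconnect) op="-D" ;;
        *)          return 1 ;;
    esac
    # Replies from a managed box back to the admin match the ESTABLISHED rule, not this one.
    echo "iptables $op FORWARD -i $VPN_IF -o $VPN_IF -s $ip/32 -m comment --comment cn=$cn -j ACCEPT"
}

# Entry point used when OpenVPN invokes the hook (script_type is set only then).
if [ -n "$script_type" ]; then
    case "$script_type" in
        client-connect)    cmd=$(rule_for_client "$common_name" "$ifconfig_pool_remote_ip" connect) ;;
        client-disconnect) cmd=$(rule_for_client "$common_name" "$ifconfig_pool_remote_ip" disconnect) ;;
        *)                 cmd="" ;;
    esac
    [ -z "$cmd" ] || $cmd || exit 1   # a failed rule change rejects the connection
fi
```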
