====== OpenVPN Access Policies ====== === Configuring client-specific rules and access policies === Here is a good howto for this: https://openvpn.net/index.php/open-source/documentation/howto.html#policy Additionally in AstLinux the following must be done: * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface" must **not** be checked! * The iptables rules should be put into ''/mnt/kd/arno-iptables-firewall/custom-rules'' file into the ''FORWARD_CHAIN''. * Because the limited users have still access to the Astlinux server itself, you could either * create a Firewall rule like ''Deny LAN->Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535'' for each of the limited virtual subnets * or create another iptables rule: ''iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP'' for each subnet * The easy way is to push the internal LAN route in the OpenVPN server config (//push "route 192.168.3.0.255.255.255.0" in this case//). * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like ''push "route 192.168.3.200"'', but in this case the "Employees Class" from the example wouldn't work, cause there is no file to include the routing. === Examples === ** OpenVPN Server Config ** \\ \\ {{userdoc:openvpn-policies.png?nolink|OpenVPN Policies}} \\ !!Note:!! It is very important that Topology "Use Default" is used and NOT "Subnet"! **/mnt/kd/arno-iptables-firewall/custom-rules** # Put any custom (iptables) rules here down below: ################################################## # Employee rule iptables -A FORWARD_CHAIN -i tun0 -s 10.8.0.0/24 -d 192.168.3.100 -j ACCEPT iptables -A INT_INPUT_CHAIN -s 10.8.0.0/24 -j DROP # Sysadmin rule iptables -A FORWARD_CHAIN -i tun0 -s 10.8.1.0/24 -d 192.168.3.0/24 -j ACCEPT # Contractor1 rule iptables -A FORWARD_CHAIN -i tun0 -s 10.8.2.0/24 -d 192.168.3.200 -j ACCEPT iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP **/mnt/kd/openvpn/ccd/sysadmin** ifconfig-push 10.8.1.1 10.8.1.2 ;push "route 192.168.3.0 255.255.255.0" **/mnt/kd/openvpn/ccd/contractor1** ifconfig-push 10.8.2.1 10.8.2.2 ;push route 192.168.3.200 The "push route ..." commands are optional (without the ";")(see above)