userdoc:openvpn_access

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
userdoc:openvpn_access [2014/11/17 10:07] droemeluserdoc:openvpn_access [2017/08/10 08:43] (current) droemel
Line 5: Line 5:
 Here is a good howto for this: Here is a good howto for this:
  
-http://openvpn.net/index.php/open-source/documentation/howto.html#policy+https://openvpn.net/index.php/open-source/documentation/howto.html#policy
  
 Additionally in AstLinux the following must be done:  Additionally in AstLinux the following must be done: 
  
   * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface" must **not** be checked!   * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface" must **not** be checked!
-  * The iptables rules should be put into "''/mnt/kd/arno-iptables-firewall/custom-rules''file into the ''FORWARD_CHAIN''.+  * The iptables rules should be put into ''/mnt/kd/arno-iptables-firewall/custom-rules'' file into the ''FORWARD_CHAIN''.
   * Because the limited users have still access to the Astlinux server itself, you could either   * Because the limited users have still access to the Astlinux server itself, you could either
-    * create a Firewall rule like "''Deny LAN->Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535''for each of the limited virtual subnets +    * create a Firewall rule like ''Deny LAN->Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535'' for each of the limited virtual subnets 
-    * or create another iptables rule: "''iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP''for each subnet +    * or create another iptables rule: ''iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP'' for each subnet 
-  * The easy way is to push the internal LAN route in the OpenVPN server config (//push route 192.168.3.0.255.255.255.0 in this case//). +  * The easy way is to push the internal LAN route in the OpenVPN server config (//push "route 192.168.3.0.255.255.255.0in this case//). 
-  * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like "''push route 192.168.3.200''", but in this case the "Employees Class" from the example wouldn't work, cause there is no file to include the routing.+  * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like ''push "route 192.168.3.200"'', but in this case the "Employees Class" from the example wouldn't work, cause there is no file to include the routing.
  
 === Examples === === Examples ===
Line 24: Line 24:
 {{userdoc:openvpn-policies.png?nolink|OpenVPN Policies}} {{userdoc:openvpn-policies.png?nolink|OpenVPN Policies}}
 \\  \\ 
 +
 +!!Note:!! It is very important that Topology "Use Default" is used and NOT "Subnet"!
  
 **/mnt/kd/arno-iptables-firewall/custom-rules** **/mnt/kd/arno-iptables-firewall/custom-rules**
Line 45: Line 47:
  
   ifconfig-push 10.8.1.1 10.8.1.2   ifconfig-push 10.8.1.1 10.8.1.2
-  ;push route 192.168.3.0 255.255.255.0+  ;push "route 192.168.3.0 255.255.255.0"
  
 **/mnt/kd/openvpn/ccd/contractor1** **/mnt/kd/openvpn/ccd/contractor1**
  • userdoc/openvpn_access.1416218847.txt.gz
  • Last modified: 2014/11/17 10:07
  • by droemel