userdoc:openvpn_access

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
userdoc:openvpn_access [2017/08/10 08:41] droemeluserdoc:openvpn_access [2017/08/10 08:43] (current) droemel
Line 10: Line 10:
  
   * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface" must **not** be checked!   * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface" must **not** be checked!
-  * The iptables rules should be put into "''/mnt/kd/arno-iptables-firewall/custom-rules''file into the ''FORWARD_CHAIN''.+  * The iptables rules should be put into ''/mnt/kd/arno-iptables-firewall/custom-rules'' file into the ''FORWARD_CHAIN''.
   * Because the limited users have still access to the Astlinux server itself, you could either   * Because the limited users have still access to the Astlinux server itself, you could either
-    * create a Firewall rule like "''Deny LAN->Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535''for each of the limited virtual subnets +    * create a Firewall rule like ''Deny LAN->Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535'' for each of the limited virtual subnets 
-    * or create another iptables rule: "''iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP''for each subnet +    * or create another iptables rule: ''iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP'' for each subnet 
-  * The easy way is to push the internal LAN route in the OpenVPN server config (//push route 192.168.3.0.255.255.255.0 in this case//). +  * The easy way is to push the internal LAN route in the OpenVPN server config (//push "route 192.168.3.0.255.255.255.0in this case//). 
-  * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like "''push "route 192.168.3.200"''", but in this case the "Employees Class" from the example wouldn't work, cause there is no file to include the routing.+  * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like ''push "route 192.168.3.200"'', but in this case the "Employees Class" from the example wouldn't work, cause there is no file to include the routing.
  
 === Examples === === Examples ===
Line 47: Line 47:
  
   ifconfig-push 10.8.1.1 10.8.1.2   ifconfig-push 10.8.1.1 10.8.1.2
-  ;push route 192.168.3.0 255.255.255.0+  ;push "route 192.168.3.0 255.255.255.0"
  
 **/mnt/kd/openvpn/ccd/contractor1** **/mnt/kd/openvpn/ccd/contractor1**
  • userdoc/openvpn_access.1502354506.txt.gz
  • Last modified: 2017/08/10 08:41
  • by droemel