Differences
This shows you the differences between two versions of the page.
userdoc:openvpn_access [2017/08/10 03:41] droemel
userdoc:openvpn_access [2017/08/10 03:43] (current) droemel
Line 10: | Line 10: | ||
* In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface" must **not** be checked! | * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface" must **not** be checked! | ||
- | * The iptables rules should be put into "''/mnt/kd/arno-iptables-firewall/custom-rules''" file into the ''FORWARD_CHAIN''. | + | * The iptables rules should be put into ''/mnt/kd/arno-iptables-firewall/custom-rules'' file into the ''FORWARD_CHAIN''. |
* Because the limited users have still access to the Astlinux server itself, you could either | * Because the limited users have still access to the Astlinux server itself, you could either | ||
- | * create a Firewall rule like "''Deny LAN->Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535''" for each of the limited virtual subnets | + | * create a Firewall rule like ''Deny LAN->Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535'' for each of the limited virtual subnets |
- | * or create another iptables rule: "''iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP''" for each subnet | + | * or create another iptables rule: ''iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP'' for each subnet |
- | * The easy way is to push the internal LAN route in the OpenVPN server config (//push route 192.168.3.0.255.255.255.0 in this case//). | + | * The easy way is to push the internal LAN route in the OpenVPN server config (//push "route 192.168.3.0.255.255.255.0" in this case//). |
- | * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like "''push "route 192.168.3.200"''", but in this case the "Employees Class" from the example wouldn't work, cause there is no file to include the routing. | + | * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like ''push "route 192.168.3.200"'', but in this case the "Employees Class" from the example wouldn't work, cause there is no file to include the routing. |
=== Examples === | === Examples === | ||
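Review bot: the pushed route in the fourth bullet is still malformed on both sides of this hunk: `push "route 192.168.3.0.255.255.255.0"` joins the network and the netmask with a dot, whereas OpenVPN's `route` directive expects them separated by a space, as the ccd example later in this same revision has it (`push "route 192.168.3.0 255.255.255.0"`). Suggest fixing that in the same pass as the quoting cleanup, since a reader copying the bullet verbatim gets a directive OpenVPN will reject. Minor: `cause` in the last bullet should read `because`.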
Line 47: | Line 47: | ||
ifconfig-push 10.8.1.1 10.8.1.2 | ifconfig-push 10.8.1.1 10.8.1.2 | ||
- | ;push route 192.168.3.0 255.255.255.0 | + | ;push "route 192.168.3.0 255.255.255.0" |
**/mnt/kd/openvpn/ccd/contractor1** | **/mnt/kd/openvpn/ccd/contractor1** |
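Review bot: the leading `;` keeps this `push "route 192.168.3.0 255.255.255.0"` line commented out, so the quoting change has no runtime effect. That is consistent with the "more secure way" described above (not pushing the whole LAN route to a limited client and pushing only host routes such as `push "route 192.168.3.200"` instead), but a short comment on the line saying it is intentionally disabled, and why, would keep a later editor from uncommenting it and silently widening what the limited subnet can reach.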