Differences

userdoc:openvpn_access [2017/08/10 03:41]
droemel
userdoc:openvpn_access [2017/08/10 03:43] (current)
droemel
Line 10: Line 10:
  
   * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface"​ must **not** be checked!   * In the Firewall config "Allow OpenVPN Server tunnel to xx LAN Interface"​ must **not** be checked!
-  * The iptables rules should be put into "''/​mnt/​kd/​arno-iptables-firewall/​custom-rules''​" ​file into the ''​FORWARD_CHAIN''​.+  * The iptables rules should be put into ''/​mnt/​kd/​arno-iptables-firewall/​custom-rules''​ file into the ''​FORWARD_CHAIN''​.
   * Because the limited users have still access to the Astlinux server itself, you could either   * Because the limited users have still access to the Astlinux server itself, you could either
-    * create a Firewall rule like "''​Deny LAN->​Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535''​" ​for each of the limited virtual subnets +    * create a Firewall rule like ''​Deny LAN->​Local - Proto TCP/UDP - Source 10.8.2.0/24 - Port 0-65535''​ for each of the limited virtual subnets 
-    * or create another iptables rule: "''​iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP''​" ​for each subnet +    * or create another iptables rule: ''​iptables -A INT_INPUT_CHAIN -s 10.8.2.0/24 -j DROP''​ for each subnet 
-  * The easy way is to push the internal LAN route in the OpenVPN server config (//push route 192.168.3.0.255.255.255.0 in this case//). +  * The easy way is to push the internal LAN route in the OpenVPN server config (//​push ​"route 192.168.3.0.255.255.255.0" ​in this case//). 
-  * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like "''​push "route 192.168.3.200"''​", but in this case the "​Employees Class" from the example wouldn'​t work, cause there is no file to include the routing.+  * The more secure way is NOT to push the route in the OpenVPN server config, but instead push only the relevant allowed destinations in the OpenVPN ccd/client file like ''​push "route 192.168.3.200"'',​ but in this case the "​Employees Class" from the example wouldn'​t work, cause there is no file to include the routing.
  
 === Examples === === Examples ===
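Review bot: the "easy way" bullet still has a malformed route argument on the + side: `push "route 192.168.3.0.255.255.255.0"` joins the network and the netmask with a dot, which OpenVPN will not parse as a route; the Line 47 hunk on this same page shows the correct space-separated form, `push "route 192.168.3.0 255.255.255.0"`, so this bullet should match it. The quoting change itself is correct, since a pushed option that carries arguments must be wrapped in double quotes. Minor style: "cause there is no file" reads better as "because there is no file".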
Line 47: Line 47:
  
   ifconfig-push 10.8.1.1 10.8.1.2   ifconfig-push 10.8.1.1 10.8.1.2
-  ;push route 192.168.3.0 255.255.255.0+  ;push "route 192.168.3.0 255.255.255.0"
  
 **/​mnt/​kd/​openvpn/​ccd/​contractor1** **/​mnt/​kd/​openvpn/​ccd/​contractor1**
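Review bot: the `;push "route 192.168.3.0 255.255.255.0"` line in this ccd file is commented out with `;`, so it is inactive, but nothing says why it is kept. Since the text above describes the more secure setup as NOT pushing the LAN route to limited clients, add a short comment next to it (for example `; deliberately not pushed: limited client`) so a later reader does not simply uncomment it and grant the whole 192.168.3.0/24 route to that client. The quoting fix itself is right: the previous `;push route 192.168.3.0 255.255.255.0` would have failed to parse once uncommented.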