Friday, October 19, 2018

Restrict VPN in bridged mode (tap) to access only local LAN devices

We are using OpenVPN in bridged mode, with this server configuration:

server-bridge 172.20.20.10 255.255.255.0 172.20.20.100 172.20.20.150
verb 3
key /etc/openvpn/pki/private/xxxx.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/xxxx.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
port 1194
dev tap0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no
### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DOMAIN xxx.ltd"
push "dhcp-option DNS 172.20.20.4"
push "comp-lzo no"
### Extra Configurations Below
client-to-client
topology subnet

As you can see, we are not using the redirect-gateway option, so clients are not pushed a default route through the VPN. However, that is only a client-side setting and can easily be overridden in the client configuration. How can we use iptables to allow VPN clients to communicate only with devices on the local LAN (the 172.20.20.x network)?

I suppose we have to change our iptables rules, which currently are as follows:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
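The following script is an added example of one way to enforce the restriction asked for above; it is not from the original post. It assumes the layout the post implies (tap0 enslaved to br0, LAN 172.20.20.0/24 taken from the server-bridge line) and that the br_netfilter module is available. The point a practitioner will run into first: in bridged mode the kernel does not pass frames through iptables at all unless net.bridge.bridge-nf-call-iptables is enabled, and even then the FORWARD chain sees the logical interface br0 as the ingress, so a rule like "-i tap0" never matches; the physdev match is what identifies frames that entered through the tap port. The script only prints the commands unless APPLY=1 is set, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the original post): limit OpenVPN tap clients to the
# local LAN with iptables on a bridged server (tap0 enslaved to br0).
# Assumptions: VPN port tap0, LAN 172.20.20.0/24 (from the post's server-bridge
# line), br_netfilter loadable. Prints the commands unless APPLY=1 is set.

TAP="${TAP:-tap0}"
LAN="${LAN:-172.20.20.0/24}"

# Wrapper: echo the iptables command in dry-run mode, execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Bridged frames bypass iptables unless br_netfilter is loaded and this sysctl
# is on; without it the FORWARD rules below never see VPN traffic.
enable_bridge_netfilter() {
    if [ "${APPLY:-0}" = "1" ]; then
        modprobe br_netfilter 2>/dev/null || true
        sysctl -w net.bridge.bridge-nf-call-iptables=1
    else
        echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    fi
}

# Frames that entered the bridge through the tap port (physdev match, because
# "-i" would show the logical br0) may only be delivered to LAN addresses.
# Anything else, including Internet traffic that would leave via the LAN's
# router, is dropped. Both rules are inserted at the top of FORWARD so they
# take precedence over the post's existing "-A FORWARD -i br0 -j ACCEPT".
lan_only_rules() {
    tap="$1"
    lan="$2"
    ipt -I FORWARD 1 -m physdev --physdev-in "$tap" -d "$lan" -j ACCEPT
    ipt -I FORWARD 2 -m physdev --physdev-in "$tap" -j DROP
}

enable_bridge_netfilter
lan_only_rules "$TAP" "$LAN"
```

Traffic between two VPN clients is relayed inside the OpenVPN process (client-to-client) and never reaches the kernel bridge, so these rules do not affect it; traffic to the server host itself goes through INPUT, which the post already accepts. iptables only inspects IPv4 here: IPv6 needs the matching net.bridge.bridge-nf-call-ip6tables sysctl and ip6tables rules, and non-IP frames can only be filtered at the bridge layer with ebtables.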
