I would like to restrict VPN user access to a single LAN. I've been trying to wrap my head around the client-config-dir directive in server.conf but can't get it working.
+---------+     +---------+
| client1 |     | client2 |
+---------+     +---------+
         \       /
         +---------+
         | server  | 10.10.1.23
         +---------+
              |
         +---------+
         |   vpc   | 10.10.0.0/16
         +---------+
              |
         +---------+
         |  local  | 10.10.0.112
         +---------+

+------+--------------+---------+
| VPC  | subnet       | region  |
+------+--------------+---------+
| vpc0 | 10.10.0.0/16 | region0 |
+------+--------------+---------+
With my current OpenVPN setup I am able to connect to all instances behind the VPC. However, I need client1 to be able to access only machine 10.10.0.112, and client2 only machine 10.10.0.222. I have been playing around with the ccd directive and iptables but can't wrap my head around it.
My OpenVPN server.conf:
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.10.0.2"
push "redirect-gateway def1 bypass-dhcp"
dh none
client-config-dir /etc/openvpn/ccd
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_4nP1zpKP5eaV6jEz.crt
key server_4nP1zpKP5eaV6jEz.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
log-append /home/ubuntu/openvpn.log
status /var/log/openvpn/status.log
verb 3
client1.ovpn:
client
proto udp
remote **.**.***.*** 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_4nP1zpKP5eaV6jEz name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
Route table for the server (netstat -nr):

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.10.1.1       0.0.0.0         UG        0 0          0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
ip route:
default via 10.10.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.10.1.0/24 dev eth0 proto kernel scope link src 10.10.1.140
CCD for client:

I need help with the client-config-dir. I only want client1 to be able to access 10.10.0.112; as of right now it can access all LAN machines behind the VPN server.
iptables rule for client:
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.10.0.112 -j ACCEPT
If someone can point me to the right direction, would be much appreciated.
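The following is an added example, not code from the question or from OpenVPN, showing the two pieces the question is asking about together. A ccd file pins each client to a fixed tunnel address with ifconfig-push (under "topology subnet" the second argument is the netmask, matching the posted server.conf), and iptables then forwards from that address to exactly one LAN host and drops everything else. The posted rule on its own does not restrict anything, because an ACCEPT without a following DROP still leaves the rest of the LAN reachable. Assumed: the ccd directory /etc/openvpn/ccd from server.conf, client certificate CNs "client1" and "client2" (the ccd file name must equal the CN), tunnel addresses 10.8.0.10 and 10.8.0.11 chosen here, and the LAN hosts named in the question.

```shell
#!/bin/sh
# Added example (not from the question): restrict each OpenVPN client to one
# LAN host using a ccd file plus a dedicated iptables FORWARD chain.
# Assumptions: "topology subnet" and "server 10.8.0.0 255.255.255.0" as in the
# posted server.conf; client cert CNs "client1"/"client2"; tunnel IPs 10.8.0.10
# and 10.8.0.11 are chosen here; the LAN hosts are the ones from the question.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"   # same path as client-config-dir
VPN_IF="${VPN_IF:-tun0}"
IPT="${IPT:-iptables}"                   # set IPT=echo to print the rules instead of applying them

# One line per client: <cert CN> <fixed tunnel IP> <only LAN host it may reach>
CLIENT_MAP="client1 10.8.0.10 10.10.0.112
client2 10.8.0.11 10.10.0.222"

# Body of a ccd file. With "topology subnet" the second argument of
# ifconfig-push is the tunnel netmask (with net30 it would be a peer address).
ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$2"
}

# One file per client, named after the certificate CN. A file whose name does
# not match the CN is ignored and the client gets a pool address instead,
# which would defeat the per-address iptables match below.
write_ccd() {
    mkdir -p "$CCD_DIR"
    echo "$CLIENT_MAP" | while read -r cn ip host; do
        ccd_entry "$cn" "$ip" > "$CCD_DIR/$cn"
    done
}

# Everything arriving from the tunnel goes through chain VPN_FWD, whose last
# rule drops. The jump is inserted at position 1 so it takes precedence over
# any existing broad "-i tun0 -j ACCEPT" rule that lets the whole LAN through.
apply_rules() {
    $IPT -N VPN_FWD 2>/dev/null || $IPT -F VPN_FWD
    $IPT -D FORWARD -i "$VPN_IF" -j VPN_FWD 2>/dev/null || true
    $IPT -I FORWARD 1 -i "$VPN_IF" -j VPN_FWD
    # Replies from the LAN back into the tunnel can only belong to flows that
    # VPN_FWD already accepted, so conntrack state is enough to admit them.
    $IPT -D FORWARD -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
    $IPT -I FORWARD 2 -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    echo "$CLIENT_MAP" | while read -r cn ip host; do
        $IPT -A VPN_FWD -s "$ip" -d "$host" -j ACCEPT
    done
    $IPT -A VPN_FWD -j DROP
}

# Usage: sh restrict-clients.sh apply   (as root; then restart the openvpn service
# so the ccd files take effect)
if [ "${1:-}" = "apply" ]; then
    write_ccd
    apply_rules
fi
```

Two caveats for this particular server.conf. The final DROP also blocks the clients' internet traffic that `push "redirect-gateway def1 bypass-dhcp"` sends through the tunnel, so either remove that push (the clients then only route 10.8.0.0/24 via the VPN unless you push the LAN route) or add an ACCEPT for non-LAN destinations before the DROP. And iptables rules are not persistent across reboots; save them with whatever your distribution uses (for example iptables-persistent on Ubuntu).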