I would like to restrict VPN user access to a single LAN. I've been trying to wrap my head around the client-config-dir within the server.conf but can't get it working.


+---------+             +---------+
| client1 |             | client2 |
+---------+             +---------+
           \           /
            +---------+
            | server  | 10.10.1.23
            +---------+
                 |
            +---------+
            |   vpc   | 10.10.0.0/16
            +---------+
                 |
            +---------+
            |  local  | 10.10.0.112
            +---------+
+------+--------------+---------+
| VPC  |    subnet    | region  |
+------+--------------+---------+
| vpc0 | 10.10.0.0/16 | region0 |
+------+--------------+---------+

With my current OpenVPN setup I am able to connect to all instances behind the VPC. However, I need client1 to only be able to access machine 10.10.0.112 and client2 to only access machine 10.10.0.222. I have been playing around with the ccd directive and iptables but can't wrap my head around it.

My OpenVPN server.conf

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.10.0.2"
push "redirect-gateway def1 bypass-dhcp"
dh none
client-config-dir /etc/openvpn/ccd
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_4nP1zpKP5eaV6jEz.crt
key server_4nP1zpKP5eaV6jEz.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
log-append /home/ubuntu/openvpn.log
status /var/log/openvpn/status.log
verb 3

client1.ovpn

client
proto udp
remote **.**.***.*** 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_4nP1zpKP5eaV6jEz name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

Route table for server (netstat -nr)

0.0.0.0         10.10.1.1       0.0.0.0         UG        0 0          0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0

IP route (ip route)

default via 10.10.1.1 dev eth0 
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1 
10.10.1.0/24 dev eth0  proto kernel  scope link  src 10.10.1.140 

CCD for CLIENT

Need help with the client-config-dir: I only want client1 to be able to access 10.10.0.112, but as of right now it can access all LAN machines behind the VPN server.

iptables for client

iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.10.0.112 -j ACCEPT

If someone can point me to the right direction, would be much appreciated.

Kam-ALIEN

1 Answer

You should assign fixed IPs to the clients. E.g. ccd/client1 might contain:

ifconfig-push 10.8.0.112 255.255.255.0
push "route 10.10.0.112"

This way the client receives a fixed address (10.8.0.112) and a route for the host 10.10.0.112 only. The client can of course override the configuration sent by the server and add some of its own, e.g.:

pull-ignore "ifconfig"
# this will fail
ifconfig 10.8.0.222 255.255.255.0
# this will work
route 10.10.0.0 255.255.0.0

The server will drop all packets coming from client1 that do not have a source address of 10.8.0.112, so the ifconfig directive will not work, but this is not a security feature, rather a technical limitation. The route directive on the other hand will work as requested.

Therefore you need to add firewall rules on the VPN server:

# Access to DNS server
iptables -A FORWARD -p udp --dport 53 -s 10.8.0.0/24 -d 10.10.0.2 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -s 10.8.0.0/24 -d 10.10.0.2 -j ACCEPT
# Access for client1
iptables -A FORWARD -s 10.8.0.112 -d 10.10.0.112 -j ACCEPT
# Drop everything else
iptables -A FORWARD -s 10.8.0.0/24 -d 10.10.0.0/16 -j DROP
Piotr P. Karwasz
  • Dude, you're a legend. Thank you so much. I have one last problem: when the VPN connects the client can't use the internet. – Kam-ALIEN Feb 24 '20 at 15:48
  • The `push "redirect-gateway def1 bypass-dhcp"` directive tells the client to route everything through the VPN connection. If you don't need it, remove the directive. – Piotr P. Karwasz Feb 24 '20 at 15:52
  • Appreciate your help honestly. Given me a better overall understanding. – Kam-ALIEN Feb 24 '20 at 15:57
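The answer's point is that the ccd route is advisory and only the firewall enforces the restriction, keyed on the fixed address handed out by ifconfig-push. The following POSIX shell script is an added example (not from the question or the answer): it derives both the ccd file and the FORWARD rules from one client mapping so the two addresses cannot drift apart, and extends the pattern to client2. The tunnel address 10.8.0.222 for client2 and the target directory passed to write_ccd are assumptions; the ccd path on the server is /etc/openvpn/ccd as in server.conf.

```shell
#!/bin/sh
# Added example: one mapping drives both the per-client ccd file and the
# matching iptables FORWARD rules. Values below are constructed from the
# question; 10.8.0.222 for client2 is an assumption.
VPN_NET=10.8.0.0/24
LAN_NET=10.10.0.0/16
DNS_SRV=10.10.0.2

# One "client_name vpn_ip allowed_lan_host" triple per line.
CLIENT_MAP='client1 10.8.0.112 10.10.0.112
client2 10.8.0.222 10.10.0.222'

# Content of ccd/<client>: a fixed tunnel address (valid with
# "topology subnet") and a host route. 255.255.255.255 is OpenVPN's
# default netmask for "route", written out here for clarity. The route
# is convenience only; a client can ignore it, which is why the firewall
# below is the actual control.
ccd_file() {
  vpn_ip=$1; lan_host=$2
  printf 'ifconfig-push %s 255.255.255.0\npush "route %s 255.255.255.255"\n' \
    "$vpn_ip" "$lan_host"
}

# Print the iptables commands in enforcement order: DNS for everyone,
# one ACCEPT per client keyed on its fixed source IP (not the whole VPN
# subnet, which is what made the question's rule ineffective), then a
# DROP for any other VPN-to-LAN traffic. -i tun0 limits the rules to
# traffic entering from the tunnel.
fw_rules() {
  echo "iptables -A FORWARD -i tun0 -p udp --dport 53 -s $VPN_NET -d $DNS_SRV -j ACCEPT"
  echo "iptables -A FORWARD -i tun0 -p tcp --dport 53 -s $VPN_NET -d $DNS_SRV -j ACCEPT"
  echo "$CLIENT_MAP" | while read -r name vpn_ip lan_host; do
    echo "iptables -A FORWARD -i tun0 -s $vpn_ip -d $lan_host -j ACCEPT  # $name"
  done
  echo "iptables -A FORWARD -i tun0 -s $VPN_NET -d $LAN_NET -j DROP"
}

# Write ccd/<client> for every mapped client into the given directory
# (/etc/openvpn/ccd on the server). Pair this with "ccd-exclusive" in
# server.conf if a client without a ccd file should be refused entirely.
write_ccd() {
  dir=$1
  mkdir -p "$dir"
  echo "$CLIENT_MAP" | while read -r name vpn_ip lan_host; do
    ccd_file "$vpn_ip" "$lan_host" > "$dir/$name"
  done
}
```

Review the output of `fw_rules` before applying it; the final DROP only covers the VPN-to-LAN direction, so the server's default FORWARD policy still governs everything else.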