5

I have an OpenVPN server which is already functioning properly and allowing people to work on our servers. There's a new project which requires me to allow access to the network and into one specific server within the network for a group of out-sourced coders. I'd like to allow them to connect only to one development server which resides on the network but also i'd like to know that they are unable to connect to any other servers on the network. Is that possible? How?

That's my server.conf file:

ca ca.crt
cert server.crt
comp-lzo
dev tun
dh dh1024.pem
group nobody
ifconfig-pool-persist ipp.txt
keepalive 10 120
key server.key  # This file should be kept secret
persist-key
persist-tun
port 1194
proto tcp
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "route 10.1.X.0 255.255.255.0"
push "route 192.168.X.0 255.255.255.0"
push "route 192.168.Y.0 255.255.255.0"
server 192.168.Y.0 255.255.255.0
status openvpn-status.log
user nobody
verb 3

What shall I add? Will it affect the users which are already connected? Can it cause any issues to the users which are already connecting to this server?

Itai Ganot
  • 10,644
  • 29
  • 93
  • 146

2 Answers2

5

As MealstroM says, this is possible. The full procedure is well-documented in the relevant section of the OpenVPN HOWTO, but the short summary of the procedure is:

  1. Configure the OpenVPN server to distinguish between the regular users and the "captive" users (those who are to be allowed access only to certain machines) based on the CNs embedded in their respective certificates

  2. Having so made that distinction, configure OpenVPN to allocate VPN addresses from one block of VPN addresses to the regular users, and from another block to the captive users

  3. Having so distinguished between privileged and unprivileged traffic at layer 3, write appropriate iptables rules to permit only the desired traffic from the captive user netblock.

You ask "will it affect the users which are already connected". If you mean in the short term, then yes, as this will require a server restart that will disconnect everyone; if you mean in the longer term, then no, the existing users shouldn't need any reconfiguration or changes. All these changes are server-side.

MadHatter
  • 79,770
  • 20
  • 184
  • 232
2

yes, that possible. You should use peer-to-peer openvpn architecture and use "push routes" on openvpn server.

make sure you dont use "client-to-client" option.

MealstroM
  • 1,517
  • 1
  • 17
  • 32
  • Just doing this with `push "route ..."` isn't hugely secure, since the client can simply add more routes manually. It's the equivalent of sending the remote user a note saying "*please only go to this server over the VPN*". – MadHatter Dec 12 '13 at 10:28
  • You are right. We use iptables to manage access on L3/L2 level. – MealstroM Dec 12 '13 at 10:38
  • As I tried to say above, I think that will work well; but you need to have a way to force a certain set of clients to be assigned certain IP addresses that match with the logic in your `iptables` ruleset, and that's the important bit I think you've missed out. – MadHatter Dec 12 '13 at 10:40
  • Yes, this scheme will work only with client-config-dir with ifconfig-push option per client. – MealstroM Dec 13 '13 at 13:50