I'm trying to configure my OpenVPN server (Ubuntu 16.04) such that clients cannot communicate with any other device except for the OpenVPN server itself. I've tried removing client-to-client from my server config, but this does not stop pings from going through, presumably because the OS is routing packets from tun0 back through the interface. I've tried the solution proposed here, but it had no effect. I'm using ufw to configure my firewall, and tried adding this rule to iptables both directly and in /etc/ufw/before.rules, but nothing changes. I've also investigated using OpenVPN's internal packet filter, but documentation on this feature is sparse. The sample server config states that "to force clients to only see the server, you will also need to appropriately firewall the server's TUN/TAP interface," but it's not clear to me how this can be accomplished using ufw or iptables.
- I could be wrong, but this seems pretty straightforward. Apply a default DENY ALL rule on the TUN/TAP interface inbound and then explicitly define inbound rules for which IP addresses / ports should be reachable. Also see here for what looks to be a duplicate request: https://serverfault.com/questions/542294/openvpn-and-appropriately-firewall-the-tun-interface-iptables – Appleoddity Aug 24 '17 at 03:26
- I tried to do this, but it didn't work. Can you provide an example iptables rule? – Peter Jarrett Aug 25 '17 at 16:07
- Consider the following and replace the interface with the proper TUN device: https://serverfault.com/questions/376272/how-to-block-all-incoming-request-through-one-network-interface. Order the rules correctly and have the deny at the end. – Appleoddity Aug 26 '17 at 05:46
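As an added example (not from the question or the comments above), the "deny everything on the TUN device, then allow only the server" approach from the comments written out as iptables rules in a shell function. It assumes the TUN device is tun0 and the server's own VPN address is 10.8.0.1 (both assumptions); setting IPT=echo prints the rules instead of applying them.

```bash
#!/usr/bin/env bash
# Confine OpenVPN clients so they can reach only the server's VPN address.
# Removing client-to-client only stops OpenVPN from relaying between clients
# internally; the kernel still forwards tun0 -> tun0 (and tun0 -> LAN) unless
# the FORWARD chain blocks it, which is why pings kept getting through.
# Rules are inserted at position 1 so they take effect before any ACCEPT rules
# ufw has already placed in INPUT/FORWARD.

vpn_confine() {
  local dev="$1"      # TUN device, e.g. tun0 (assumed)
  local server="$2"   # server's address on the VPN, e.g. 10.8.0.1 (assumed)
  local ipt="${IPT:-iptables}"   # IPT=echo for a dry run

  # FORWARD: nothing entering or leaving the TUN device may be routed onward,
  # so client-to-client (hairpin via tun0) and client-to-LAN are both blocked.
  "$ipt" -I FORWARD 1 -o "$dev" -j DROP
  "$ipt" -I FORWARD 1 -i "$dev" -j DROP

  # INPUT: deny everything arriving on the TUN device, then insert the one
  # allow above it so the chain reads: ACCEPT to $server, then DROP.
  "$ipt" -I INPUT 1 -i "$dev" -j DROP
  "$ipt" -I INPUT 1 -i "$dev" -d "$server" -j ACCEPT
}

# Show the resulting rules for the TUN device so the order can be checked.
vpn_confine_show() {
  local dev="$1" ipt="${IPT:-iptables}"
  "$ipt" -S INPUT   | grep -- "-i $dev"
  "$ipt" -S FORWARD | grep -- " $dev "
}

# Apply only when explicitly requested (needs root); otherwise just define functions.
if [ "${VPN_CONFINE_APPLY:-0}" = "1" ]; then
  vpn_confine tun0 10.8.0.1
  vpn_confine_show tun0
fi
```

With ufw the equivalent lines belong in /etc/ufw/before.rules under the ufw-before-input and ufw-before-forward chains (before COMMIT) so they survive a reload.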