
I have a setup where I issue openvpn certificates to clients to redirect their traffic to specific sites. It's important to restrict the sites each client is redirected to.

Each client has the IPs that should be routed in the server in client-configs/config-dir/ like this: push route 123.123.123.123 255.255.255.255.

Clients are given an ovpn file with their keys and configuration to set up on their terminals. The issue is that a client could potentially edit their ovpn file and route more traffic through the VPN even though the new routes are not in the server-side configs. This would allow them to access sites that they should not.

Is there a solution to restrict this behavior or maybe another tool I could use?

Notes:

  • OpenVPN server has only one public IP attached and is forwarding traffic.
  • Locking down permissions is not an option because this is a BYOD scenario.
  • Outbound firewall restrictions on the openvpn server are also not an option because each client is routed to a different set of IPs.
rwms

1 Answer


You are correct. A client can edit their local ovpn file and tell it to ignore pushed routes, and then configure it to route all traffic to the gateway. I've had to do this a couple of times myself for testing. OpenVPN does not have a way to restrict that.

You have 2 options:

  1. Lock down permissions on the client's OVPN file so they cannot edit it
  2. Implement firewall rule(s) on the OpenVPN server that prevent outbound traffic except for specific subnets

If you're in a corporate environment, you likely already have mechanisms for controlling permissions on users' computers. The first option could be pretty easy.

If you don't have control of users' permissions to the file, then the firewall rule is the best way to go. You already had to set up rules for forwarding and masquerading to work (Example: https://askubuntu.com/a/578550/283173). You can insert additional iptables rules to only allow your specific subnets.

Update: Based on your revised notes, it's even more clear that your only option is a firewall on the server side. You'll have to really think things through about your outbound filters. What you'll probably have to end up doing is making your own program that intelligently creates firewall rules. If you know each client is getting routed to specific IPs, you could dynamically open up routes in the firewall when the client connects. You can hook into OpenVPN's system when clients connect by using the learn-address directive in the server config, to send details about the client connection into your custom program.

BoomShadow
  • I edited my post. Please have a look now. – rwms Feb 16 '18 at 16:41
  • ok. I added to my answer. – BoomShadow Feb 16 '18 at 16:53
  • If two clients are connected at the same time, client1 can access A and B, client2 can access B and C. At that time how can I enforce different rules for each client? How can I stop client1 from being routed to C? – rwms Feb 17 '18 at 20:22
  • What you're looking for is definitely a custom solution. Again, it sounds like you'll have to make your own firewall system or you could fork OpenVPN and make your custom changes there. For example, VyprVPN uses a custom implementation of OpenVPN. You could do the same, but ship compiled binaries of the VPN client that has the client config built-in. This would prevent people from being able to change it. Either option is a lot of work, but I don't think there's a way around doing that much effort for your custom need. – BoomShadow Feb 18 '18 at 16:07
  • Otherwise, I'd say you'll have to simply trust that most people aren't technical enough to change their clients :) – BoomShadow Feb 18 '18 at 16:07
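As an added illustration of the server-side approach the answer and the follow-up comments describe (per-client forwarding rules opened from a learn-address hook, so that client1 only reaches A and B while client2, connected at the same time, only reaches B and C), here is an example hook script. It is not code from the question or the answer. The file paths, the VPN_CLIENTS chain name, the per-common-name allow-list layout and the state directory are assumptions, and the server is assumed to run the hook with enough privilege to call iptables.

```shell
#!/bin/sh
# Example learn-address hook for OpenVPN (added illustration, not from the
# original question or answer). It opens forwarding rules on the server for
# exactly the destinations listed for the connecting client's certificate
# common name, and withdraws them when the client goes away.
#
# Assumed server-side setup (every name below is an assumption):
#   script-security 2
#   learn-address /etc/openvpn/learn-address.sh
# plus a FORWARD chain that ends in DROP, created once at boot, e.g.
#   iptables -N VPN_CLIENTS
#   iptables -A FORWARD -i tun0 -j VPN_CLIENTS
#   iptables -A VPN_CLIENTS -j DROP
# (the usual ESTABLISHED,RELATED accept rule for return traffic stays as in
# the linked askubuntu answer). Each client gets /etc/openvpn/allowed/<cn>
# with one IPv4 address or CIDR per line. iptables needs root, so the server
# is assumed not to drop privileges with user/group, or to wrap the hook in sudo.
#
# OpenVPN runs the hook as:  script add|update|delete <address> [common-name]
# The common name is passed for add and update only.

ALLOW_DIR="${ALLOW_DIR:-/etc/openvpn/allowed}"
STATE_DIR="${STATE_DIR:-/var/run/openvpn-acl}"
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-VPN_CLIENTS}"

# rules_for_client VPN_ADDRESS ALLOW_FILE
# Print one "-A" rule per allowed destination; no side effects, so the rule
# generation can be checked without root. Lines that are not plausibly an
# IPv4 address/CIDR are skipped instead of being handed to iptables, and a
# missing allow-list yields no rules, i.e. the client reaches nothing.
rules_for_client() {
  vpn_ip="$1"
  allow_file="$2"
  grep -Ev '^[[:space:]]*(#|$)' "$allow_file" | while read -r dst || [ -n "$dst" ]; do
    case "$dst" in
      *[!0-9./]*) echo "learn-address: ignoring malformed entry '$dst'" >&2; continue ;;
    esac
    printf '%s %s -s %s -d %s -j ACCEPT\n' "-A" "$CHAIN" "$vpn_ip" "$dst"
  done
}

# state_file VPN_ADDRESS: where the installed rules for an address are recorded
# ("/" in a CIDR learned via iroute is replaced so it cannot form a sub-path).
state_file() {
  printf '%s/%s\n' "$STATE_DIR" "$(printf '%s' "$1" | tr / _)"
}

# withdraw VPN_ADDRESS
# Remove exactly what this script installed for the address earlier, so the
# "delete" call, which carries no common name, needs no lookup.
withdraw() {
  state=$(state_file "$1")
  [ -f "$state" ] || return 0
  sed 's/^-A /-D /' "$state" | while read -r line; do
    # shellcheck disable=SC2086  (splitting into iptables arguments is intended)
    $IPTABLES $line || true
  done
  rm -f "$state"
}

# install_rules VPN_ADDRESS COMMON_NAME
install_rules() {
  vpn_ip="$1"
  cn="$2"
  # The common name comes from the client certificate, so it is only as
  # trustworthy as the CA; refuse anything that could escape ALLOW_DIR.
  case "$cn" in
    *[!A-Za-z0-9._@-]*|'')
      echo "learn-address: refusing common name '$cn'" >&2
      return 1 ;;
  esac
  mkdir -p "$STATE_DIR"
  state=$(state_file "$vpn_ip")
  rules_for_client "$vpn_ip" "$ALLOW_DIR/$cn" > "$state"
  while read -r line; do
    # shellcheck disable=SC2086
    $IPTABLES $line
  done < "$state"
}

# learn_address OP ADDRESS [COMMON_NAME]   (the entry point OpenVPN calls)
learn_address() {
  case "$1" in
    add)    install_rules "$2" "$3" ;;
    update) withdraw "$2"; install_rules "$2" "$3" ;;   # address moved to another cert
    delete) withdraw "$2" ;;
    *)      echo "learn-address: unknown operation '$1'" >&2; return 1 ;;
  esac
}

# Dispatch only when OpenVPN supplies arguments; sourcing the file merely
# defines the functions without touching the firewall.
if [ "$#" -ge 2 ]; then
  learn_address "$@"
fi
```

Because the chain ends in DROP, a client that rewrites its ovpn file to send everything through the tunnel gains nothing: the extra traffic reaches the server and is discarded there, and the allow-list on the server, not the client's configuration, decides what is forwarded. The "update" case matters when the same VPN address is reassigned to a different certificate, and a client with no allow-list file falls through to the default deny rather than to "allow all".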