I have multiple OpenVPN servers which have clients like slave-1 and slave-2 which have access only to the OpenVPN server itself. I have a dedicated CA server for creating new users to the system. I want to implement support for users like master-1 and master-2 which have access to the slave clients.
I read that if I enable client-to-client on OpenVPN I can't use the firewall, because the client-to-client networking will be done inside OpenVPN without reaching the host layer.
I read that I can create client specific modifications to the server.conf using client-config-dir and certificate common name, but I can't find a way to do the modifications using prefixes like "master-*".
To get started on solving this issue, I tried to allow all networking between all clients without enabling client-to-client on OpenVPN by running these commands on the OpenVPN server:
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -I FORWARD --src 10.8.0.0/24 --dst 10.8.0.0/24 -j ACCEPT
And these commands on the OpenVPN client:
sudo ip route del 10.8.0.1/32 via 10.8.0.53
sudo ip route add 10.8.0.0/24 via 10.8.0.53 dev tun0
After that the OpenVPN client was still unable to connect to other clients.
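One way to get the "master-*" prefix rule without a per-CN client-config-dir entry is OpenVPN's learn-address hook, which receives the client's common name whenever an address is learned, so the server can add a FORWARD rule only for master clients. The script below is an added example written for this question, not part of the question or of OpenVPN itself; it assumes topology subnet, the 10.8.0.0/24 VPN network from the question, a hook path of /etc/openvpn/learn-address.sh, and that client-to-client stays off so inter-client traffic crosses the kernel FORWARD chain.

```shell
#!/bin/sh
# OpenVPN learn-address hook (constructed example, not from the question). Called as
#   learn-address.sh <add|update|delete> <address> [common_name]
# No common name arrives on delete, so master addresses are remembered in STATE_DIR.
# Assumes topology subnet, VPN net 10.8.0.0/24, no client-to-client, and in server.conf:
#   script-security 2
#   learn-address /etc/openvpn/learn-address.sh
# Prints the iptables command by default; set APPLY=1 to execute it.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
STATE_DIR="${STATE_DIR:-${TMPDIR:-/tmp}/openvpn-learn}"
APPLY="${APPLY:-0}"

# True when the certificate common name carries the master- prefix.
is_master_cn() {
    case "$1" in master-*) return 0 ;; *) return 1 ;; esac
}

# Reject anything that is not a dotted IPv4 address before it reaches iptables.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.) return 1 ;; *) return 0 ;; esac
}

# Print the iptables command for this event, or nothing when no rule change is needed.
build_rule() {
    op="$1"; addr="$2"; cn="$3"
    valid_ipv4 "$addr" || return 1
    mkdir -p "$STATE_DIR"
    case "$op" in
        add|update)
            # An update may hand the address to a non-master client: drop the old rule first.
            if [ -e "$STATE_DIR/$addr" ]; then
                rm -f "$STATE_DIR/$addr"
                echo "iptables -D FORWARD -s $addr -d $VPN_NET -j ACCEPT"
            fi
            is_master_cn "$cn" || return 0
            : > "$STATE_DIR/$addr"
            echo "iptables -I FORWARD -s $addr -d $VPN_NET -j ACCEPT" ;;
        delete)
            [ -e "$STATE_DIR/$addr" ] || return 0
            rm -f "$STATE_DIR/$addr"
            echo "iptables -D FORWARD -s $addr -d $VPN_NET -j ACCEPT" ;;
        *) return 1 ;;
    esac
}
# Entry point when OpenVPN invokes the script; a no-op when sourced without arguments.
if [ "$#" -ge 2 ]; then
    build_rule "$@" | while IFS= read -r cmd; do
        if [ "$APPLY" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
fi
```

Pair the hook with a static baseline of `iptables -A FORWARD -s 10.8.0.0/24 -d 10.8.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` followed by a DROP for that subnet, so slaves can answer masters but never open connections to each other.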