
OpenVPN Access Control: Difference between revisions



=Introduction=
----
 
Normally, access between OpenVPN clients is controlled by enabling or disabling the Client to Client option in the OpenVPN server's configuration. At times, however, more granular control is required. In this example we will configure an OpenVPN server with 3 clients:




=Topology=
----
 
[[File:OpenVPN Topology v1.png|border|center|class=tlt-border]]




=Generating certificates for an OpenVPN server=
----
 
Navigate to '''System -> Administration -> Certificates'''




=Connecting clients to the OpenVPN server=
----


Navigate to '''Services -> VPN -> OpenVPN'''


=Client to Client LAN network communication=
----
==TLS Clients==
----


  1. On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', press "'''Edit'''" on the server, scroll down and add the TLS clients. Give each client a fixed virtual (tunnel) IP address here: the firewall rule created later identifies Client 3 by that address, so it must not change between connections.


==Firewall Zones==
----


This step should be done on the OpenVPN server and on every client whose LAN subnet should be reachable by, or should reach, the other clients' LAN subnets.


==Routes to LAN subnets==
----


Create routes to the other clients' LAN networks using the WebUI. This step should be done on all <b>clients</b> whose LAN subnets should be reachable by, or should reach, the other clients' LAN subnets.


&emsp; 1. Navigate to '''Services -> VPN -> OpenVPN''', press '''"Edit"''' on the OpenVPN client and add routes to the other clients' LAN subnets. In this image, we are editing the extra options of Client 1's configuration to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.


[[File:OpenVPN client routes.png|none|thumb|alt=|1000x1000px]]
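What the TLS Clients and Routes steps above amount to at the OpenVPN level, written out as plain OpenVPN configuration files. This is an added example, not the page's or Teltonika's own generated files, and several values are assumptions: the tunnel subnet is 10.0.0.0/24, the server's LAN is 192.168.1.0/24, Client 1's LAN is 192.168.10.0/24, the client certificate common names are client1, client2 and client3, and the server is reachable as vpn.example.com.

```conf
# --- server.conf on the OpenVPN server router (added example, assumed values)
port 1194
proto udp
dev tun
topology subnet
server 10.0.0.0 255.255.255.0          # tunnel subnet (assumed)
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
# Deliberately NO "client-to-client": without it, packets from one client to
# another leave the tun interface and pass through the router's firewall,
# which is what makes a per-client deny rule possible at all.
client-config-dir /etc/openvpn/ccd      # one file per TLS client, see below
# Kernel routes for the client LANs point into the tunnel...
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
# ...and the server's own LAN is pushed to every client
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun

# --- /etc/openvpn/ccd/client3 (client1 and client2 get the same two lines
#     with their own address and LAN); this is what a TLS Clients entry maps to
# Fixed tunnel address, so a firewall rule can match this client by source IP
ifconfig-push 10.0.0.13 255.255.255.0
# iroute tells the OpenVPN process which client owns 192.168.30.0/24; the
# "route" line in server.conf only covers the kernel, both are required
iroute 192.168.30.0 255.255.255.0

# --- client.conf on Client 1 (the route lines are the "extra options" shown)
client
dev tun
proto udp
remote vpn.example.com 1194             # server address (assumed)
remote-cert-tls server                  # refuse a peer whose cert is not a server cert
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
# Routes to the other clients' LANs, sent through the tunnel
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
```

The two halves of each client's LAN route are easy to get half right: a `route` without the matching `iroute` makes the kernel hand the packet to OpenVPN, which then has no idea which client to send it to and drops it.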


=Controlling access with firewall=
----


Navigate to '''Network -> Firewall -> Access Control''' and create a new deny rule. In this example, we are denying Client 3 access to all other clients and their LAN networks. Two things must hold for the rule to work: the '''Client to Client''' option on the OpenVPN server must be disabled (otherwise OpenVPN switches traffic between clients internally and the router's firewall never sees it), and Client 3 must have a fixed tunnel IP address (assigned in the TLS Clients section), since the rule identifies Client 3 by that address.


[[File:Deny Client3 rule v2.png|none|thumb|alt=|1000x1000px]]
 
 
<ul>
<li>Protocol - All protocols</li>
<li>Source interface - OpenVPN</li>
<li>Destination interface - OpenVPN</li>
<li>Source IP - Client 3's OpenVPN tunnel IP and LAN subnet</li>
<li>Destination IP - the other clients' OpenVPN tunnel IPs and LAN subnets</li>
<li>Action - Deny</li>
</ul>
This rule denies all traffic from Client 3 to the other clients, but does not affect traffic whose destination is the OpenVPN server itself or its LAN subnet, because those destinations are not in the OpenVPN zone.
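The same zone and rule expressed in the router's /etc/config/firewall (RutOS is OpenWrt-based and uses the UCI firewall syntax), as an added example rather than the page's own configuration. Assumed values: the zone is named openvpn and covers the server's tun interface, Client 3's tunnel address is 10.0.0.13, and the other clients use 10.0.0.11 and 10.0.0.12 with LANs 192.168.10.0/24 and 192.168.20.0/24.

```conf
# /etc/config/firewall fragment (added example; zone name, interface name and
# addresses are assumptions)

config zone
	option name 'openvpn'
	list device 'tun+'            # the OpenVPN server's tun interface (assumed name)
	option input 'ACCEPT'         # clients may talk to the router itself (unaffected by the deny rule)
	option output 'ACCEPT'
	option forward 'ACCEPT'       # in-zone forwarding: client-to-client traffic that
	                              # enters and leaves the same tun interface

# Zone forwarding between the VPN and the server's LAN, both directions
config forwarding
	option src 'openvpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'openvpn'

# The deny rule from the screenshot: Client 3 (tunnel address and LAN) may not
# reach any other client's tunnel address or LAN. User rules are inserted ahead
# of the zone's forward policy, so this DROP wins over 'forward ACCEPT' above.
# Traffic from Client 3 to the server's LAN has dest zone 'lan', not 'openvpn',
# and therefore never matches this rule.
config rule
	option name 'Deny-Client3-to-other-clients'
	option src 'openvpn'
	list src_ip '10.0.0.13'
	list src_ip '192.168.30.0/24'
	option dest 'openvpn'
	list dest_ip '10.0.0.11'
	list dest_ip '192.168.10.0/24'
	list dest_ip '10.0.0.12'
	list dest_ip '192.168.20.0/24'
	option proto 'all'
	option target 'DROP'
```

The rule only ever sees Client 3's traffic because server.conf has no `client-to-client`; re-enabling that option in the WebUI silently bypasses the whole firewall section, so check both settings together when testing.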




=Testing the setup=
----


Client 1 to Client 2


=See also=
----


<ul>


=External links=
----


https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPN