I have an OpenVPN interface in server / subnet mode.
I proved that clients are able to communicate with each other using the IP addresses assigned by the OpenVPN server.
I want to avoid this: a client should be able to talk only with the OpenVPN server IP, and clients should never see each other.
I applied firewall rules to the OpenVPN vtun interface, but these are never matched.
It seems to me that the OpenVPN `--client-to-client` option is set by default on the OpenVPN server, so traffic between clients is forwarded internally by the OpenVPN server, without exposing it to the kernel firewall.
How can I achieve my goal of isolating clients from each other, while keeping each client able to communicate with the OpenVPN server and with the hosts behind it?
I think that this is of the greatest interest for security!!!
For Vyatta the subnet mode implies no client isolation:
“subnet: This topology is compatible with OpenVPN clients on Windows hosts and is the default if topology is not used. Routing protocols that are configured to use a broadcast-style network are suited to this topology. However, this topology does not provide client isolation; that is, clients can reach one another.”
Thank you so much for any help about that!
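The mechanism the post is wrestling with can be checked directly: when `client-to-client` is present in the server config, OpenVPN switches packets between clients inside the daemon and the kernel never sees them, so no `iptables` rule on the tun device can match; when the directive is absent, inter-client packets leave the tun interface, are routed by the kernel, and re-enter the same tun interface, which is exactly what a `FORWARD -i tunX -o tunX -j DROP` rule catches. The following shell script is an added example, not code from the original post or from Vyatta/OpenVPN: it inspects a constructed sample server config (standing in for a real `server.conf`), reports which of the two forwarding modes applies, shows the config with the directive disabled, and prints the kernel rules that enforce isolation while still allowing client-to-LAN traffic. The interface name `tun0` and the protected LAN `192.168.1.0/24` are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether OpenVPN is
# forwarding inter-client traffic in the daemon and print the kernel
# firewall rules that enforce client isolation once it is not.

# Constructed sample config, standing in for /etc/openvpn/server.conf.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
dev tun0
topology subnet
server 10.8.0.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
EOF

# Print "forwarded-in-daemon" if an active (uncommented) client-to-client
# directive is present: inter-client packets then never reach the kernel and
# tun-interface firewall rules cannot match. Otherwise "forwarded-by-kernel".
client_forwarding_mode() {
    conf="$1"
    if grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "$conf"; then
        echo forwarded-in-daemon
    else
        echo forwarded-by-kernel
    fi
}

# Emit the config with the directive commented out, so the kernel does the
# forwarding and the firewall gets to see every packet.
disable_client_to_client() {
    sed -E 's/^([[:space:]]*)client-to-client/\1# client-to-client/' "$1"
}

# FORWARD rules for a tun device (assumed tun0) and a protected LAN:
#  1. drop anything that enters and leaves on the same tun device
#     (that is precisely client-to-client traffic routed by the kernel),
#  2. allow VPN clients to reach the LAN behind the server,
#  3. allow replies back to the clients.
isolation_rules() {
    dev="$1"; lan="$2"
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$dev" "$dev"
    printf 'iptables -A FORWARD -i %s -d %s -j ACCEPT\n' "$dev" "$lan"
    printf 'iptables -A FORWARD -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$dev"
}

# Demonstration run on the constructed config.
echo "before: $(client_forwarding_mode "$SAMPLE_CONF")"
disable_client_to_client "$SAMPLE_CONF" > "$SAMPLE_CONF.fixed"
echo "after:  $(client_forwarding_mode "$SAMPLE_CONF.fixed")"
echo "rules to apply on the server:"
isolation_rules tun0 192.168.1.0/24
rm -f "$SAMPLE_CONF.fixed"
```

The first rule must come before any broad `ACCEPT` on the tun interface, and the script only prints the rules rather than applying them; on Vyatta the equivalent is a firewall ruleset bound to the vtun interface's `in` direction that matches traffic whose destination is the VPN subnet itself.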