I have an openvpn interface in server / subnet-mode.
I proved that clients are able to communicate between them using the IP address assigned by the openvpn server.
I want to avoid this: client should be able to talk only with the openvpn server IP, and should never see each-other
I applied firewall rules to the openvpn vtun interface, but these are never matched.
Seems to me that the openvpn “–client-to-client” option is set by defaul t on the openvpn server, so traffic between clients is forwarded internally by the openvpn server, without exposing it to the kernel firewall.
How can I achieve my goal of isolate clients among them, keeping each client able to communicate with the openvpn server and with the hosts behind it?
I think that this is of the gratest interest for security !!!
PS
For vyatta the subnet mode implies no client isolatio:
“•subnet: This topology is compatible with OpenVPN clients on Windows hosts and is the default if topologyis not used. Routing protocols that are configured to use a broadcast-style network are suited to thistopology. However, this topology does not provide client isolation; that is, clients can reach one another.”
thank you for your hint, the guess would be correct, but it doesn’t solve all cases.
In fact it works only if the client is not running on Windows.
And we do have many windows clients …
from vyatta docs:
“point-to-point: This topology is not compatible with Windows clients, and routing protocols using a broadcast-style network donot work with this topology. On the other hand, this topology provides client isolation”
Would a VPN firewall IN rule blocking vpn ip to vpn ip traffic work? You’d have to allow vpn ip to vpn gateway traffic but maybe as the next rule you block anything else vpn to vpn?
" The –client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.When this option is used, each client will “see” the other clients which are currently connected. Otherwise, each client will only see the server. Don’t use this option if you want to firewall tunnel traffic using custom, per-client rules."
It basically means that openvpn will route it, without Vyos (the Linux kernel) ever really seeing it.
It would seem to me there needs to be a feature requested added like “no-client-to-client” or similar to control this behaviour.
Thanks for the response and clarification! Sorry I missed that finally if the first couple posts. I see it now. That makes a ton of sense and so it definitely would seem vyos would need to create a fix to make client-to-client user determined instead of automatic.
in fact it shouldn’t be solved with the topology setting, and it should keep windows client compatibility.
“no-client-to-client” is what I’m looking for:
keep “subnet” topology and let the traffic be allowed/denied by the Vyos firewall (netfilter)
Just another hint:
I found in a post [linux - OpenVPN client-to-client - Server Fault] an elegant way to deny clent-to-client flows, once the “client-to-client” be disabled:
" iptables -A FORWARD -i tun0 -o tun0 -j DROP"
unfortunately I didn’t find a way to translate this statement in Vyos configure statements …
But Firewall IN/OUT rules should do the job anyway
Should I post a feature/enhancement request? no other ways?
All the client-to-client traffic is handled by OS kernel
(verifyed with tcpdump / monitor traffic interface vtun0)
To avoid inter-client communication I set a firewall ruleset with default action ‘drop’ on vtun0/out accepting only traffic from intended server-side subnets:
set firewall name HB02_fw_out descr ‘Filter packets going to vpn spokes’
set firewall name HB02_fw_out default-action drop
set firewall name HB02_fw_out rule 10 descr ‘Allow traffic from mgmt subnets to vpn Spokes’
set firewall name HB02_fw_out rule 10 source group network-group mgmt-nets
set firewall name HB02_fw_out rule 10 dest address 10.112.0.0/16
set firewall name HB02_fw_out rule 10 protocol all
set firewall name HB02_fw_out rule 10 action accept
set interfaces openvpn vtun0 firewall out name HB02_fw_out
Of course I protected accordingly any administrative access to the VyOS box