How to disable openvpn client-to-client option behaviour to achieve client isolation


I have an openvpn interface in server / subnet-mode.
I proved that clients are able to communicate between them using the IP address assigned by the openvpn server.
I want to avoid this: client should be able to talk only with the openvpn server IP, and should never see each-other
I applied firewall rules to the openvpn vtun interface, but these are never matched.

Seems to me that the openvpn “–client-to-client” option is set by defaul t on the openvpn server, so traffic between clients is forwarded internally by the openvpn server, without exposing it to the kernel firewall.

How can I achieve my goal of isolate clients among them, keeping each client able to communicate with the openvpn server and with the hosts behind it?

I think that this is of the gratest interest for security !!!

For vyatta the subnet mode implies no client isolatio:
“•subnet: This topology is compatible with OpenVPN clients on Windows hosts and is the default if topologyis not used. Routing protocols that are configured to use a broadcast-style network are suited to thistopology. However, this topology does not provide client isolation; that is, clients can reach one another.”

Thank you so much for any help about that!

I don’t have an openvpn server to test with, but does the set server topology point-to-point command help you?

Hi tjh,

thank you for your hint, the guess would be correct, but it doesn’t solve all cases.
In fact it works only if the client is not running on Windows.
And we do have many windows clients …

from vyatta docs:
“point-to-point: This topology is not compatible with Windows clients, and routing protocols using a broadcast-style network donot work with this topology. On the other hand, this topology provides client isolation”

There’s a feature enhancement request on Phabricator:

still looking for a solution …


Would a VPN firewall IN rule blocking vpn ip to vpn ip traffic work? You’d have to allow vpn ip to vpn gateway traffic but maybe as the next rule you block anything else vpn to vpn?

I don’t think it would. From the OpenVPN page:

" The –client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.When this option is used, each client will “see” the other clients which are currently connected. Otherwise, each client will only see the server. Don’t use this option if you want to firewall tunnel traffic using custom, per-client rules."

It basically means that openvpn will route it, without Vyos (the Linux kernel) ever really seeing it.

It would seem to me there needs to be a feature requested added like “no-client-to-client” or similar to control this behaviour.

Thanks for the response and clarification! Sorry I missed that finally if the first couple posts. I see it now. That makes a ton of sense and so it definitely would seem vyos would need to create a fix to make client-to-client user determined instead of automatic.

Thnk you for contributions.

in fact it shouldn’t be solved with the topology setting, and it should keep windows client compatibility.

“no-client-to-client” is what I’m looking for:
keep “subnet” topology and let the traffic be allowed/denied by the Vyos firewall (netfilter)

Just another hint:
I found in a post [] an elegant way to deny clent-to-client flows, once the “client-to-client” be disabled:
" iptables -A FORWARD -i tun0 -o tun0 -j DROP"

unfortunately I didn’t find a way to translate this statement in Vyos configure statements …

But Firewall IN/OUT rules should do the job anyway

Should I post a feature/enhancement request? no other ways?


SOLVED!!! (my mistake, sorry!)

  1. The openvpn server on VyOS (1.2.1) doesn’t use the “-client-to-client” option:

> --------------- ps -ax | grep openvpn ---------------
> 90669 ? Ss 1:08 /usr/sbin/openvpn --daemon openvpn-vtun0 --verb 3 --writepid /var/run/ --status /opt/vyatta/etc/openvpn/status/vtun0.status 30 --dev-type tun --dev vtun0 --mode server --tls-server --topology subnet --keepalive 10 60 --local --lport 3367 --ca /config/auth/HB2/VyOS-HB2-01/cacert.pem --cert /config/auth/HB2/VyOS-HB2-01/server.pem --key /config/auth/HB2/VyOS-HB2-01/server.key --dh /config/auth/HB2/VyOS-HB2-01/dh.pem --management /tmp/openvpn-mgmt-intf unix --push dhcp-option DNS --server --client-config-dir /opt/vyatta/etc/openvpn/ccd/vtun0 --persist-tun
> -----------------

  1. All the client-to-client traffic is handled by OS kernel
    (verifyed with tcpdump / monitor traffic interface vtun0)

  2. To avoid inter-client communication I set a firewall ruleset with default action ‘drop’ on vtun0/out accepting only traffic from intended server-side subnets:

set firewall name HB02_fw_out descr ‘Filter packets going to vpn spokes’
set firewall name HB02_fw_out default-action drop
set firewall name HB02_fw_out rule 10 descr ‘Allow traffic from mgmt subnets to vpn Spokes’
set firewall name HB02_fw_out rule 10 source group network-group mgmt-nets
set firewall name HB02_fw_out rule 10 dest address
set firewall name HB02_fw_out rule 10 protocol all
set firewall name HB02_fw_out rule 10 action accept
set interfaces openvpn vtun0 firewall out name HB02_fw_out

Of course I protected accordingly any administrative access to the VyOS box :wink:

That’s all…

Thank you for your support!