Restrict/Bind OpenVPN server vtunX to specific interface or how to secure it?


#1

Hi… we have VyOS set up as a firewall and OpenVPN server. See the attached image and config.
In the OpenVPN config we have created two separate sets of server+client certs and assigned them to vtun0 and vtun1 respectively. The firewall and OpenVPN are working fine as intended.

Problem: the OpenVPN server tunnels (vtun0 and vtun1) are both listening on both the RED and BLUE Ethernet IPs.
we want to bind/restrict:
vtun0 to only listen on BLUE interface (eth0) IP
vtun1 to only listen on RED interface (eth2) IP

The blue network is the admin network, and the vtun0 client certificate should ONLY work on the blue interface.
It seems that in “openvpn server mode” the local-address / local-host options cannot be configured.

So what’s the best way to do it?
Thanks
Raj

/* Rulesets are attached as 'in' on eth2 and 'out' on eth1 only. In VyOS 1.1.x the
   'in'/'out' hooks match forwarded traffic; no interface carries a 'local' ruleset,
   so packets addressed to the router itself (including the OpenVPN listeners on
   vtun0/vtun1) are not filtered by anything below. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Applied 'in' on eth2 (RED): forwarded traffic entering from the public side. */
    name FIREWALL_IN {
        default-action drop
        rule 1 {
            action accept
            description "Establiched Connections"
            state {
                established enable
                related enable
            }
        }
        /* Any-to-any ICMP from the public side is accepted. */
        rule 2 {
            action accept
            description "PING Incoming"
            destination {
                address 0.0.0.0/0
            }
            protocol icmp
            source {
                address 0.0.0.0/0
            }
        }
        /* Pairs with nat destination rule 10 (DNAT to 10.10.1.11:80). Matches the
           post-DNAT internal address, which is the order the forward path sees it. */
        rule 10 {
            action accept
            description SERVER_1
            destination {
                address 10.10.1.11
                port 80
            }
            log disable
            protocol tcp
        }
    }
    /* Applied 'out' on eth1 (GREEN): forwarded traffic leaving towards the LAN. */
    name FIREWALL_OUT {
        default-action drop
        rule 1 {
            action accept
            description "Established Connections"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "DNS Outgoing"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3 {
            action accept
            description "PING Outgoing"
            destination {
                address 0.0.0.0/0
            }
            protocol icmp
            source {
                address 0.0.0.0/0
            }
        }
        /* Any-to-any TCP towards the LAN; note this ruleset also sees traffic
           forwarded from the VPN subnets (192.168.60.0/24, 192.168.70.0/24) to eth1. */
        rule 400 {
            action accept
            description "TCP Outgoing"
            destination {
                address 0.0.0.0/0
            }
            protocol tcp
            source {
                address 0.0.0.0/0
            }
        }
    }

    receive-redirects disable
    /* ICMP redirects are sent; reverse-path (source) validation is disabled. */
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* BLUE/admin side. No firewall ruleset is attached; the SSH service under
       'service ssh' is bound to this address (172.16.2.122). */
    ethernet eth0 {
        address 172.16.2.122/24
        description BLUE_MANAGEMENT_INTERFACE
        duplex auto
        hw-id ba:61:bc:7d:bd:1d
        smp_affinity auto
        speed auto
    }
    /* GREEN/LAN side. Only an 'out' ruleset (FIREWALL_OUT) is attached. */
    ethernet eth1 {
        address 10.10.0.1/16
        description GREEN_LAN_INTERFACE
        duplex auto
        firewall {
            out {
                name FIREWALL_OUT
            }
        }
        hw-id 7e:a4:1b:76:d3:61
        smp_affinity auto
        speed auto
    }
    /* RED/public side. Only an 'in' ruleset (FIREWALL_IN) is attached. */
    ethernet eth2 {
        address YYY.YYY.YYY.1/24
        description RED_PUBLIC_INTERFACE
        duplex auto
        firewall {
            in {
                name FIREWALL_IN
            }
        }
        hw-id ca:58:b5:a2:26:33
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    /* Admin VPN. No local-host/local-address is set, so the listener on UDP/1195 is
       reachable via every router address (the issue raised in the post). No firewall
       ruleset is attached to the tunnel interface, and the whole GREEN LAN is pushed
       as a route to clients. */
    openvpn vtun0 {
        description "BLUE MANAGEMENT VPN"
        local-port 1195
        mode server
        protocol udp
        server {
            push-route 10.10.0.0/16
            subnet 192.168.60.0/24
        }
        tls {
            ca-cert-file /config/admin/auth/ca.crt
            cert-file /config/admin/auth/secureadmin-server.crt
            dh-file /config/admin/auth/dh2048.pem
            key-file /config/admin/auth/secureadmin-server.key
        }
    }
    /* Public VPN. No local-port is set, so the OpenVPN default (1194) applies; like
       vtun0 it has no bind address and no firewall ruleset, and it also pushes the
       entire 10.10.0.0/16 LAN route to its clients. Uses a separate CA from vtun0,
       so client certs of one tunnel are not trusted by the other. */
    openvpn vtun1 {
        description "RED PUBLIC VPN"
        mode server
        server {
            push-route 10.10.0.0/16
            subnet 192.168.70.0/24
        }
        tls {
            ca-cert-file /config/client/auth/ca.crt
            cert-file /config/client/auth/remoteclient-server.crt
            dh-file /config/client/auth/dh2048.pem
            key-file /config/client/auth/remoteclient-server.key
        }
    }
}
nat {
    destination {
        /* Public HTTP on eth2 is forwarded to 10.10.1.11:80; the matching forward
           rule is FIREWALL_IN rule 10. */
        rule 10 {
            description "DNAT for SERVER_1"
            destination {
                address YYY.YYY.YYY.YYY
                port 80
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 10.10.1.11
            }
        }
    }
    source {
        /* 'outbound-interface any': the static SNAT applies on every egress interface,
           not only eth2 (e.g. also towards eth0 and the vtun tunnels). */
        rule 10 {
            description "SNAT SERVER_1"
            outbound-interface any
            protocol all
            source {
                address 10.10.1.11
            }
            translation {
                address YYY.YYY.YYY.1
            }
        }
        /* Catch-all masquerade for the GREEN LAN, again on any egress interface;
           LAN-to-VPN and LAN-to-management traffic is source-NATed as well. */
        rule 9999 {
            outbound-interface any
            protocol all
            source {
                address 10.10.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dns {
        /* 'listen-on vtun2' refers to an interface that is not defined in this config
           (only vtun0 and vtun1 exist); presumably vtun0 was intended — verify. */
        forwarding {
            cache-size 150
            listen-on vtun1
            listen-on vtun2
        }
    }
    /* SSH is bound to the eth0 (BLUE) address only — the per-address restriction the
       post is asking for on the OpenVPN side. */
    ssh {
        listen-address 172.16.2.122
        port 1024
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    gateway-address YYY.YYY.YYY.254
    host-name vyos
    login {
        /* Single admin-level account; password hash redacted in the post. */
        user vyos {
            authentication {
                encrypted-password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                plaintext-password ""
            }
            level admin
        }
    }
    /* Router resolves via public Google DNS. */
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        /* Package repository is reached over plain http; whether package signatures
           are verified is not visible in this config. */
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Asia/Kolkata
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "quagga@2:dhcp-relay@1:cluster@1:config-management@1:zone-policy@1:webgui@1:nat@4:qos@1:firewall@5:conntrack-sync@1:system@6:conntrack@1:cron@1:dhcp-server@4:vrrp@1:wanloadbalance@3:webproxy@1:ipsec@4" === */
/* Release version: VyOS 1.1.7 */

#2

Hi,

You can try to restrict access to the OpenVPN ports 1194/1195 per interface.

Example: a firewall rule to deny traffic with destination port 1194 on interface eth0.