Hi… we have VyOS set up as a firewall and OpenVPN server. See attached image and config.
In the OpenVPN config we have created two separate sets of server+client certs and assigned them to vtun0 and vtun1 respectively. Firewall and OpenVPN are working fine as intended.
Problem: the OpenVPN server tunnels (vtun0 and vtun1) are both listening on both the RED and BLUE Ethernet IPs.
We want to bind/restrict:
vtun0 to only listen on BLUE interface (eth0) IP
vtun1 to only listen on RED interface (eth2) IP
The BLUE network is the admin network, and the vtun0 client certificate should ONLY work on the BLUE interface.
Somehow, in “openvpn server mode” local-address and local-host cannot be configured.
So what’s the best way to do it?
Thanks
Raj
/* VyOS 1.1.7 configuration accompanying the question above: firewall plus two OpenVPN server instances (vtun0, vtun1). */
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* FIREWALL_IN: attached as "in" on eth2 (RED) below. Default drop; accepts established/related, ICMP from anywhere, and TCP/80 to 10.10.1.11 (the DNAT target). */
/* NOTE(review): an "in" rule set filters traffic forwarded through the interface; traffic addressed to the router itself (such as the OpenVPN listeners) is matched by a "local" rule set, which is not attached to any interface in this config — confirm against the VyOS firewall docs. */
name FIREWALL_IN {
default-action drop
rule 1 {
action accept
description "Establiched Connections"
state {
established enable
related enable
}
}
/* Rule 2: ICMP accepted from any source to any destination. */
rule 2 {
action accept
description "PING Incoming"
destination {
address 0.0.0.0/0
}
protocol icmp
source {
address 0.0.0.0/0
}
}
/* Rule 10: only TCP/80 to 10.10.1.11 is forwarded in; logging is disabled for this rule. */
rule 10 {
action accept
description SERVER_1
destination {
address 10.10.1.11
port 80
}
log disable
protocol tcp
}
}
/* FIREWALL_OUT: attached as "out" on eth1 (GREEN) below. Default drop; accepts established/related, UDP/53, ICMP, and any TCP. */
name FIREWALL_OUT {
default-action drop
rule 1 {
action accept
description "Established Connections"
state {
established enable
related enable
}
}
rule 2 {
action accept
description "DNS Outgoing"
destination {
port 53
}
protocol udp
}
rule 3 {
action accept
description "PING Outgoing"
destination {
address 0.0.0.0/0
}
protocol icmp
source {
address 0.0.0.0/0
}
}
/* Rule 400: all TCP is accepted outbound regardless of port or destination. */
rule 400 {
action accept
description "TCP Outgoing"
destination {
address 0.0.0.0/0
}
protocol tcp
source {
address 0.0.0.0/0
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
/* eth0 (BLUE, management): no firewall rule set is attached to this interface. */
ethernet eth0 {
address 172.16.2.122/24
description BLUE_MANAGEMENT_INTERFACE
duplex auto
hw-id ba:61:bc:7d:bd:1d
smp_affinity auto
speed auto
}
/* eth1 (GREEN, LAN): FIREWALL_OUT applied in the out direction only. */
ethernet eth1 {
address 10.10.0.1/16
description GREEN_LAN_INTERFACE
duplex auto
firewall {
out {
name FIREWALL_OUT
}
}
hw-id 7e:a4:1b:76:d3:61
smp_affinity auto
speed auto
}
/* eth2 (RED, public): FIREWALL_IN applied in the in direction only. The public address is redacted in the post as YYY.YYY.YYY.1. */
ethernet eth2 {
address YYY.YYY.YYY.1/24
description RED_PUBLIC_INTERFACE
duplex auto
firewall {
in {
name FIREWALL_IN
}
}
hw-id ca:58:b5:a2:26:33
smp_affinity auto
speed auto
}
loopback lo {
}
/* vtun0: admin VPN, server mode, UDP/1195. No listener address is restricted in this block, which is the problem raised above. TLS material is read from /config/admin/auth. */
openvpn vtun0 {
description "BLUE MANAGEMENT VPN"
local-port 1195
mode server
protocol udp
server {
push-route 10.10.0.0/16
subnet 192.168.60.0/24
}
tls {
ca-cert-file /config/admin/auth/ca.crt
cert-file /config/admin/auth/secureadmin-server.crt
dh-file /config/admin/auth/dh2048.pem
key-file /config/admin/auth/secureadmin-server.key
}
}
/* vtun1: public VPN, server mode. Neither protocol nor local-port is set in this block, so the OpenVPN defaults apply — presumably UDP/1194, confirm on the running system. */
/* NOTE(review): the ca-cert-file path differs from vtun0's; whether they are genuinely different CAs decides whether a vtun0 client certificate could authenticate to vtun1 — verify the two CA files are distinct. */
openvpn vtun1 {
description "RED PUBLIC VPN"
mode server
server {
push-route 10.10.0.0/16
subnet 192.168.70.0/24
}
tls {
ca-cert-file /config/client/auth/ca.crt
cert-file /config/client/auth/remoteclient-server.crt
dh-file /config/client/auth/dh2048.pem
key-file /config/client/auth/remoteclient-server.key
}
}
}
nat {
/* Destination NAT: TCP/80 arriving on eth2 for YYY.YYY.YYY.YYY is translated to 10.10.1.11. */
destination {
rule 10 {
description "DNAT for SERVER_1"
destination {
address YYY.YYY.YYY.YYY
port 80
}
inbound-interface eth2
protocol tcp
translation {
address 10.10.1.11
}
}
}
/* Source NAT: 10.10.1.11 is translated to YYY.YYY.YYY.1; the rest of 10.10.0.0/16 is masqueraded. */
/* NOTE(review): outbound-interface any makes both rules apply to traffic leaving via eth0 and the tunnels as well as eth2 — confirm that is intended. */
source {
rule 10 {
description "SNAT SERVER_1"
outbound-interface any
protocol all
source {
address 10.10.1.11
}
translation {
address YYY.YYY.YYY.1
}
}
rule 9999 {
outbound-interface any
protocol all
source {
address 10.10.0.0/16
}
translation {
address masquerade
}
}
}
}
service {
/* DNS forwarding listens on vtun1 and vtun2, but no vtun2 interface is defined in this config — presumably vtun0 was meant; verify. */
dns {
forwarding {
cache-size 150
listen-on vtun1
listen-on vtun2
}
}
/* SSH is bound to the BLUE address only, on port 1024. */
ssh {
listen-address 172.16.2.122
port 1024
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address YYY.YYY.YYY.254
host-name vyos
/* The encrypted-password value is redacted in the post. */
login {
user vyos {
authentication {
encrypted-password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
plaintext-password ""
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
/* NOTE(review): the package repository URL is plain http; whether package signatures are verified is not visible from this config. */
package {
auto-sync 1
repository community {
components main
distribution helium
password ""
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Asia/Kolkata
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "quagga@2:dhcp-relay@1:cluster@1:config-management@1:zone-policy@1:webgui@1:nat@4:qos@1:firewall@5:conntrack-sync@1:system@6:conntrack@1:cron@1:dhcp-server@4:vrrp@1:wanloadbalance@3:webproxy@1:ipsec@4" === */
/* Release version: VyOS 1.1.7 */