How do I configure my OpenVPN server on my Asus router to allow specific use by different clients


kwood30

New Around Here
I have set up an OpenVPN server on my Asus RT-AX82U router (Firmware version 3.0.0.4.386_45375) and it has automatically generated a Client.ovpn file. But how do I now alter this file to allow certain access to my network? I have a couple of servers, which also contain web services, and some clients I only want to have access to the one server with the web services, and other clients complete access to the whole network. I have tried, and searched for hours, but I cannot seem to find a way (that I understand). Any help and advice would be greatly appreciated.
 
You can't. The VPN creates a tunnel between the remote end and your network; beyond that, it has no control over who can access what within that network.

In essence, treat a VPN as a way to simulate having that remote client directly plugged into an Ethernet port within your network.
 
Is there no way of configuring the VPN or client file to only access the one server, using the server IP address?
 
You can only do that by having the Server run the OpenVPN server and not your router.
 
I don't know if this is what you're looking for, but if you configure the OpenVPN server to assign specific IPs on the tunnel to specific OpenVPN clients, you could then uniquely identify those clients and create firewall rules that limit access to specific target resources.

For example, if the OpenVPN server is using 10.8.0.0/24, and a client has been assigned 10.8.0.2, and the remote network is 192.168.1.0/24, and that client should only have access to 192.168.1.100 …

Code:
iptables -I FORWARD -s 10.8.0.2 ! -d 192.168.1.100 -j REJECT

Assigning specific IPs on the tunnel requires using a CCD (client-config-dir) directive that points to a folder containing files named after the common-name of the cert used by the given client. Within those files you would specify the ifconfig-push directive to assign the preferred IP. But that assumes every client is being assigned its own unique certs and keys, which isn't the case by default. Alternatively, you can require username/passwords (which most people do anyway) and use the username-as-common-name directive, which tells the OpenVPN server to use the username instead to distinguish clients.

P.S. I just realized you're using OEM/stock firmware, which will probably make the above impossible to implement, particularly the firewall rules. But at least with the right router and firmware (e.g., Merlin), it is possible.
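The CCD-plus-firewall approach in the post above, written out as an added example (this is not code from the thread or from Asuswrt-Merlin). It assumes the server runs with "topology subnet" on 10.8.0.0/24, the LAN is 192.168.1.0/24, the client table is constructed, and CCD_DIR is a placeholder for wherever your client-config-dir directive points; it generalizes the single-host "! -d" rule to clients allowed several LAN hosts by emitting per-host ACCEPTs above a REJECT.

```shell
#!/bin/sh
# Added example (not from the thread): build per-client CCD files and the
# matching iptables FORWARD rules from one client table.
# Assumptions: "topology subnet" on 10.8.0.0/24, LAN 192.168.1.0/24, and
# CCD_DIR = the folder your "client-config-dir" directive points at (placeholder).
set -eu

CCD_DIR="${CCD_DIR:-${TMPDIR:-/tmp}/ccd-example}"   # placeholder path
LAN_NET="192.168.1.0/24"

# Constructed client table: <common-name> <tunnel IP> <allowed LAN hosts | ALL>
# The common name is the cert CN, or the username when username-as-common-name is set.
CLIENTS='alice   10.8.0.2   192.168.1.100
bob     10.8.0.3   192.168.1.100,192.168.1.101
admin   10.8.0.4   ALL'

# One CCD file per client; "ifconfig-push <ip> <netmask>" pins the tunnel IP.
# (With the older default "topology net30", ifconfig-push takes a /30 pair instead.)
write_ccd() {
    mkdir -p "$CCD_DIR"
    printf '%s\n' "$CLIENTS" | while read -r cn ip _allowed; do
        printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$cn"
    done
}

# Print (not apply) the FORWARD rules so they can be reviewed first.
# Clients marked ALL get no rule and keep the default full access.
# "-I" inserts at the top of the chain, so the REJECT is emitted first and the
# ACCEPTs after it; each later -I lands above the earlier one, giving
# ACCEPT(host...) then REJECT(LAN) for that tunnel IP.
forward_rules() {
    printf '%s\n' "$CLIENTS" | while read -r _cn ip allowed; do
        [ "$allowed" = "ALL" ] && continue
        printf 'iptables -I FORWARD -s %s -d %s -j REJECT\n' "$ip" "$LAN_NET"
        printf '%s\n' "$allowed" | tr ',' '\n' | while read -r host; do
            printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$ip" "$host"
        done
    done
}

write_ccd
forward_rules
```

Pipe the printed rules into a shell (or your firewall-start script) only after checking them; nothing here touches iptables by itself.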
 