
How to restrict VPN network access to certain IP Range or Hosts for specific VPN client


data303

I would like to add some policies or firewall rules for VPN access that only allow access to a single machine in the network for a given VPN client/user. How can I do that?

Let's assume I have a server in my network "192.168.1.100" and a VPN user "server admin". The VPN client IP range is "10.8.0.0". Once the user "server admin" is connected via VPN, he should only be able to access this IP address "192.168.1.100" but no other addresses in my network. Any suggestion how this can be configured?
 
I started to configure my own client config directory in order to assign a specific IP address to my specific VPN user. So in the "Configuration" I added the following lines:

Code:
client-connect /jffs/scripts/ovpn-client-connect.sh
username-as-common-name
client-config-dir /jffs/configs/openvpn/ccd

Via SSH I created the following file "/jffs/configs/openvpn/ccd/myuser.conf" and added the following content:
Code:
ifconfig-push 10.8.0.99 255.255.255.0

However when I then login with "myuser" it still gets the standard IP assigned "10.8.0.2" and not the expected "10.8.0.99".
Did I miss anything?
 
Ok, I solved the problem: the file needs to have the same name as my user, "/jffs/configs/openvpn/ccd/myuser", without any suffix.

However, I need help with how to specify the IP firewall rule so that the VPN client IP "10.8.0.99" can only access "192.168.1.100". Any suggestions?
 
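As an added example (not code from the thread or from the router firmware), a small POSIX sh helper for the client-config-dir step worked out in the posts above: it writes the per-user file under the bare login name with no suffix, which is the exact lookup OpenVPN performs with username-as-common-name, and refuses user names or addresses that could not work. The ccd path, the 10.8.0.0/24 pool with the server on .1 (topology subnet), and the user name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): create an OpenVPN client-config-dir
# entry for one user. Paths, the VPN pool and the user name are assumptions.

CCD_DIR="${CCD_DIR:-/jffs/configs/openvpn/ccd}"
VPN_NET="${VPN_NET:-10.8.0.}"   # assumed: server pool 10.8.0.0/24, server on .1

# ccd_entry USER IP -> writes $CCD_DIR/USER and prints the path.
# With username-as-common-name OpenVPN opens ccd/<login name> literally, so the
# file must carry the bare user name: "myuser.conf" is never consulted.
ccd_entry() {
    user=$1
    ip=$2
    # The user name becomes a file name: reject empty, dot-leading or
    # non-portable names so the script cannot write outside CCD_DIR.
    case "$user" in
        ''|.*|*[!A-Za-z0-9._@-]*)
            echo "ccd_entry: refusing user name '$user'" >&2
            return 1 ;;
    esac
    # The pushed address must be a host inside the server's pool; .0, .1
    # (the server itself) and .255 are not assignable to a client.
    case "$ip" in
        "$VPN_NET"*) ;;
        *) echo "ccd_entry: $ip is outside ${VPN_NET}0/24" >&2; return 1 ;;
    esac
    last=${ip#"$VPN_NET"}
    case "$last" in
        ''|*[!0-9]*) echo "ccd_entry: bad host part in $ip" >&2; return 1 ;;
    esac
    if [ "$last" -lt 2 ] || [ "$last" -gt 254 ]; then
        echo "ccd_entry: host part $last not in 2..254" >&2
        return 1
    fi
    mkdir -p "$CCD_DIR"
    # 255.255.255.0 is the form for "topology subnet"; with the older
    # "topology net30" the second argument is the server-side endpoint instead.
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$user"
    echo "$CCD_DIR/$user"
}
```

Run it over SSH on the router as `ccd_entry myuser 10.8.0.99` after sourcing the file; a reconnect of that user is needed before the new address is pushed, and `ls /jffs/configs/openvpn/ccd` should then show a file named exactly like the login, not `myuser.conf`.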
 
Thank you, yes, this helps to assign a static client IP for the specific VPN user.

However, I need help with how to specify the IP firewall rule so that the VPN client IP "10.8.0.99" can only access "192.168.1.100". Any suggestions how and where this needs to be configured?
 
Sorry, then I misunderstand what you want.
 
Maybe something like:
Code:
iptables -I FORWARD -i tun1 -o br0 -s 10.8.0.99 ! -d 192.168.1.100 -j DROP
Replace "tun1" with your VPN interface if needed (or remove "-i tun1", as it's not really needed).
 
Thank you. Can I just add this rule via SSH on the router? Or how does this have to be made persistent, meaning do I need to add it somewhere in a "/jffs/xxxx" script configuration?
 
Test it by just executing it at the SSH prompt and see that there are no errors and that it does what you want.

Then put it in a firewall-start script to be persistent:
 
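As an added example (not the rule posted above and not Asuswrt-Merlin's own code), a firewall-start script that makes the advice in the last replies persistent and idempotent, and goes a step further than the single `! -d ... -j DROP` rule: the pinned client gets default-deny with one explicit allow, so it can reach neither other LAN hosts, the WAN, other tunnel peers nor the router itself, while name resolution through the router is still allowed. The interface name tun21, br0 as the LAN bridge, both addresses and the DNS exception are assumptions for illustration.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (assumed install path; Asuswrt-Merlin runs it on
# every firewall rebuild and it needs "chmod +x")
# Added example, not code from the thread: confine the VPN client pinned to
# 10.8.0.99 via ccd to a single LAN host. Names and addresses are assumptions.

VPN_IF="${VPN_IF:-tun21}"            # assumed: first OpenVPN server instance
CLIENT_IP="${CLIENT_IP:-10.8.0.99}"
ALLOWED_HOST="${ALLOWED_HOST:-192.168.1.100}"
IPT="${IPT:-iptables}"               # point at a stub function to dry-run off-router

# Rule list, top of chain first, as the text after the chain name, so the very
# same spec is used for -C (check), -D (delete) and -I (insert).
# A lone "! -d host -j DROP" only covers traffic forwarded to br0; this list
# also stops WAN egress and other tun peers, and blocks the router's own
# services (INPUT) except DNS, which the tunnel normally pushes to clients.
vpn_client_rules() {
    cat <<EOF
FORWARD -i $VPN_IF -s $CLIENT_IP -d $ALLOWED_HOST -j ACCEPT
FORWARD -i $VPN_IF -s $CLIENT_IP -j DROP
INPUT -i $VPN_IF -s $CLIENT_IP -p udp --dport 53 -j ACCEPT
INPUT -i $VPN_IF -s $CLIENT_IP -p tcp --dport 53 -j ACCEPT
INPUT -i $VPN_IF -s $CLIENT_IP -j DROP
EOF
}

apply_vpn_client_rules() {
    # 1. Remove stale copies: firewall-start can run several times per boot and
    #    a plain "-I" on each run would stack duplicates in the chain.
    vpn_client_rules | while read -r chain spec; do
        while "$IPT" -C "$chain" $spec 2>/dev/null; do
            "$IPT" -D "$chain" $spec
        done
    done
    # 2. Insert in reverse so the first listed rule ends up at position 1 of its
    #    chain, ahead of any ACCEPT the firmware already placed for the tunnel.
    #    $spec is left unquoted on purpose so it word-splits into arguments.
    vpn_client_rules | sed '1!G;h;$!d' | while read -r chain spec; do
        "$IPT" -I "$chain" 1 $spec
    done
}

# Only apply when really installed as firewall-start; sourcing the file (for a
# dry run or a test) just defines the functions.
case "$0" in
    */firewall-start) apply_vpn_client_rules ;;
esac
```

After the router has run it, `iptables -S FORWARD | grep 10.8.0.99` and `iptables -S INPUT | grep 10.8.0.99` should each show the rules once, in the listed order, and running the script again must not change that output. Matching on `-s` is sound here because the OpenVPN server drops packets from a client whose source address does not match the address it was assigned. One caveat: if the server has `client-to-client` enabled, traffic between tunnel peers is switched inside OpenVPN and never reaches iptables, so that option has to stay off for the FORWARD drop to cover other VPN users.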
