On 31/07/2020 22:53, Alex K wrote:
> On Fri, Jul 31, 2020, 08:39 Gert Doering <g...@greenie.muc.de> wrote:
>> Hi,
>>
>> On Thu, Jul 30, 2020 at 11:33:45PM +0300, Alex K wrote:
>>> On Wed, Jul 29, 2020, 07:57 Peter Fraser <softwareinfo...@gmail.com> wrote:
>>>> I set up my OpenVPN Server for IT access but now everyone seems to love
>>>> it and I have to be allowing more and more persons. I wonder, is there a
>>>> way to prevent one user from accessing a particular route that is listed
>>>> in the global config file. I have only seen how to do the opposite, that
>>>> is, allow a user access to a route not listed in the global config. Any
>>>> help would be greatly appreciated.
>>>
>>> As a simple approach, I would recommend pushing specific routes to users
>>> through the ccd file. Each ccd file named according to the common name of
>>> the user's cert.
>>
>> While this works, it's not a good security measure - the server will not
>> verify (can not) that the client is using *only* those routes that you
>> push.
>>
>> So if you put "route 1.2.3.4 255.255.255.255" in the client config,
>> that address will be routed into the VPN as well, in addition to what
>> the server pushed.
>
> Indeed. If you have to deal with such users then you may push specific vpn ips
> to each user, then control access with firewall rules at the vpn server statically,
> though this approach seems not very scalable as you have to carefully
> manage the firewall and assigned ips. To make it more fun, and still keep it
> simple, I would prepare a connect script on the server side which, according to the
> client name, would add/remove firewall rules to allow specific access to the
> dynamically assigned vpn ip.
This is basically the whole idea with eurephia [0] ;-)

The web page has not been updated in a long while, but the project does still live and should work fine with OpenVPN 2.4 servers when using --compat-names. OpenVPN 2.5 server support will arrive as soon as I have time to hack more on this project again; or someone sends patches fixing it. The client side is not version dependent at all.

[0] <https://www.eurephia.net/>

--
kind regards,

David Sommerseth
OpenVPN Inc
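A sketch of the connect/disconnect script Alex describes, added here as an example (it is not code from the thread or from eurephia): it keys iptables allow rules on the client's common name and on the tunnel IP OpenVPN hands to the script, so whatever `route` lines a client adds locally, the server only forwards what its firewall permits. The chain name OVPN_CLIENTS and the policy table are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: per-client allow rules installed from
# OpenVPN's --client-connect / --client-disconnect hooks (needs
# --script-security 2). Rules are keyed on the tunnel IP the server assigned,
# so extra "route" lines in a client config cannot widen that client's access.
# Assumed: an iptables chain OVPN_CLIENTS, hooked from FORWARD for traffic
# arriving on the tun interface, whose last rule drops everything not
# explicitly accepted here.
set -eu

# Constructed sample policy: common name -> destinations the client may reach.
POLICY='
alice 10.10.0.5/32 10.10.0.6/32
bob   10.20.0.0/24
'

# Print (do not run) the iptables commands for one client.
# $1 = common name, $2 = assigned tunnel IP, $3 = add | del
build_rules() {
    cn=$1; ip=$2; action=$3
    case $action in
        add) flag=-A ;;
        del) flag=-D ;;
        *) echo "build_rules: bad action '$action'" >&2; return 1 ;;
    esac
    # Look up the CN; an unknown CN yields no allow rules at all, so only the
    # chain's final drop applies to that client.
    dests=$(printf '%s\n' "$POLICY" | awk -v cn="$cn" '$1 == cn { $1 = ""; print }')
    for d in $dests; do
        printf 'iptables %s OVPN_CLIENTS -s %s/32 -d %s -j ACCEPT\n' "$flag" "$ip" "$d"
    done
}

# Entry point when OpenVPN runs this file: script_type, common_name and
# ifconfig_pool_remote_ip are environment variables OpenVPN exports to
# connect/disconnect scripts. Nothing runs when invoked outside OpenVPN.
case ${script_type:-} in
    client-connect)    build_rules "$common_name" "$ifconfig_pool_remote_ip" add | sh ;;
    client-disconnect) build_rules "$common_name" "$ifconfig_pool_remote_ip" del | sh ;;
esac
```

Install it by pointing both `client-connect` and `client-disconnect` in the server config at the same executable file; the disconnect path removes exactly the rules the connect path added, which matters when pool addresses are handed to the next client.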
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users