Re: [Openvpn-users] On Access policies

2020-08-27 Thread David Sommerseth
On 31/07/2020 22:53, Alex K wrote:
> 
> 
> On Fri, Jul 31, 2020, 08:39 Gert Doering wrote:
> 
> > Hi,
> > 
> > On Thu, Jul 30, 2020 at 11:33:45PM +0300, Alex K wrote:
> > > On Wed, Jul 29, 2020, 07:57 Peter Fraser wrote:
> > > > I set up my OpenVPN Server for IT access but now everyone seems to love
> > > > and I have to be allowing more and more persons. I wonder, is there a way
> > > > to prevent one user from accessing a particular route that is listed in the
> > > > global config file. I have only seen how to the opposite, that is, allow a
> > > > user access to a route not listed in the global config. Any help would be
> > > > greatly appreciated.
> > > >
> > > As a simple approach, I would recommend pushing specific routes to users
> > > through the ccd file. Each ccd file named according to the common name of
> > > the user's cert.
> > 
> > While this works, it's not a good security measure - the server will not
> > verify (can not) that the client is using *only* those routes that you
> > push.
> > 
> > So if you put "route 1.2.3.4 255.255.255.255" in the client config,
> > that address will be routed into the VPN as well, in addition to what
> > the server pushed.
> 
> Indeed. If you have to deal with such users then you may push specific vpn ips
> to each user then control access with firewall rules at vpn server statically,
> though this approach seems not very much scalable as you have to carefully
> manage the firewall and assigned ips. To make it more fun, and still keep it
> simple, I would prepare a connect script on server side which according to the
> client name it would add/remove firewall rules to allow specific access to the
> dynamically assigned vpn ip.

This is basically the whole idea with eurephia [0] ;-)  Web page has not been
updated in a long while, but the project does still live and should work fine
with OpenVPN 2.4 servers when using --compat-names.  OpenVPN 2.5 servers
support will arrive as soon as I have time to hack more on this project again;
or someone sends patches fixing it.  Client side is not version dependent at 
all.

[0] 


-- 
kind regards,

David Sommerseth
OpenVPN Inc




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] On Access policies

2020-07-31 Thread Alex K
On Fri, Jul 31, 2020, 08:39 Gert Doering wrote:

> Hi,
>
> On Thu, Jul 30, 2020 at 11:33:45PM +0300, Alex K wrote:
> > On Wed, Jul 29, 2020, 07:57 Peter Fraser wrote:
> > > I set up my OpenVPN Server for IT access but now everyone seems to love
> > > and I have to be allowing more and more persons. I wonder, is there a way
> > > to prevent one user from accessing a particular route that is listed in the
> > > global config file. I have only seen how to the opposite, that is, allow a
> > > user access to a route not listed in the global config. Any help would be
> > > greatly appreciated.
> > >
> > As a simple approach, I would recommend pushing specific routes to users
> > through the ccd file. Each ccd file named according to the common name of
> > the user's cert.
>
> While this works, it's not a good security measure - the server will not
> verify (can not) that the client is using *only* those routes that you
> push.
>
> So if you put "route 1.2.3.4 255.255.255.255" in the client config,
> that address will be routed into the VPN as well, in addition to what
> the server pushed.
>
Indeed. If you have to deal with such users then you may push specific vpn
ips to each user then control access with firewall rules at vpn server
statically, though this approach seems not very much scalable as you have
to carefully manage the firewall and assigned ips. To make it more fun, and
still keep it simple, I would prepare a connect script on server side which
according to the client name it would add/remove firewall rules to allow
specific access to the dynamically assigned vpn ip.


Re: [Openvpn-users] On Access policies

2020-07-30 Thread Gert Doering
Hi,

On Thu, Jul 30, 2020 at 11:33:45PM +0300, Alex K wrote:
> On Wed, Jul 29, 2020, 07:57 Peter Fraser wrote:
> > I set up my OpenVPN Server for IT access but now everyone seems to love
> > and I have to be allowing more and more persons. I wonder, is there a way
> > to prevent one user from accessing a particular route that is listed in the
> > global config file. I have only seen how to the opposite, that is, allow a
> > user access to a route not listed in the global config. Any help would be
> > greatly appreciated.
> >
> As a simple approach,  I would recommend pushing specific routes to users
> through the ccd file. Each ccd file named according to the common name of
> the user's cert.

While this works, it's not a good security measure - the server will not
verify (can not) that the client is using *only* those routes that you
push.

So if you put "route 1.2.3.4 255.255.255.255" in the client config, 
that address will be routed into the VPN as well, in addition to what
the server pushed.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] On Access policies

2020-07-30 Thread tincanteksup

Use your imagination ..

Routing is a path to a goal .. there are many paths.

On 31/07/2020 01:44, Joe Patterson wrote:

> That only works as far as you trust your users not to violate policy
> (which, generally speaking, you shouldn't).  There's nothing stopping
> them from adding "route" statements to their own config files.
> Anything you can push, the user can add without it being pushed.
> Well, except ifconfig push, which is policed (I believe), and you can
> then use those statically provisioned IP addresses in firewall rules.
>
> On Thu, Jul 30, 2020 at 4:36 PM Alex K wrote:
>
> > On Wed, Jul 29, 2020, 07:57 Peter Fraser wrote:
> >
> > > HI All
> > >
> > > I set up my OpenVPN Server for IT access but now everyone seems to love and I 
> > > have to be allowing more and more persons. I wonder, is there a way to prevent 
> > > one user from accessing a particular route that is listed in the global config 
> > > file. I have only seen how to the opposite, that is, allow a user access to a 
> > > route not listed in the global config. Any help would be greatly appreciated.
> >
> > As a simple approach, I would recommend pushing specific routes to users 
> > through the ccd file. Each ccd file named according to the common name of the 
> > user's cert.
> >
> > > Regards,


Re: [Openvpn-users] On Access policies

2020-07-30 Thread Joe Patterson
That only works as far as you trust your users not to violate policy
(which, generally speaking, you shouldn't).  There's nothing stopping
them from adding "route" statements to their own config files.
Anything you can push, the user can add without it being pushed.
Well, except ifconfig push, which is policed (I believe), and you can
then use those statically provisioned IP addresses in firewall rules.

On Thu, Jul 30, 2020 at 4:36 PM Alex K wrote:
>
> On Wed, Jul 29, 2020, 07:57 Peter Fraser wrote:
>>
>> HI All
>>
>> I set up my OpenVPN Server for IT access but now everyone seems to love and 
>> I have to be allowing more and more persons. I wonder, is there a way to 
>> prevent one user from accessing a particular route that is listed in the 
>> global config file. I have only seen how to the opposite, that is, allow a 
>> user access to a route not listed in the global config. Any help would be 
>> greatly appreciated.
>
> As a simple approach, I would recommend pushing specific routes to users 
> through the ccd file. Each ccd file named according to the common name of the 
> user's cert.
>>
>> Regards,


Re: [Openvpn-users] On Access policies

2020-07-30 Thread Alex K
On Wed, Jul 29, 2020, 07:57 Peter Fraser wrote:

> HI All
>
> I set up my OpenVPN Server for IT access but now everyone seems to love
> and I have to be allowing more and more persons. I wonder, is there a way
> to prevent one user from accessing a particular route that is listed in the
> global config file. I have only seen how to the opposite, that is, allow a
> user access to a route not listed in the global config. Any help would be
> greatly appreciated.
>
As a simple approach,  I would recommend pushing specific routes to users
through the ccd file. Each ccd file named according to the common name of
the user's cert.



Re: [Openvpn-users] On Access policies

2020-07-29 Thread Jan Just Keijser

Hi,

On 29/07/20 06:55, Peter Fraser wrote:

> HI All
>
> I set up my OpenVPN Server for IT access but now everyone seems to 
> love and I have to be allowing more and more persons. I wonder, is 
> there a way to prevent one user from accessing a particular route that 
> is listed in the global config file. I have only seen how to the 
> opposite, that is, allow a user access to a route not listed in the 
> global config. Any help would be greatly appreciated.

That is possible, but you wouldn't do it with openvpn itself, but with 
some firewall/iptables rules.
If you're running your openvpn server on Linux, for example, you could 
simply do

  iptables -I FORWARD -s <client-vpn-ip> -d <destination-to-block> -j DROP

HTH,

JJK

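To make the server-side approach discussed in this thread concrete (Alex K's idea of a connect script that adds and removes firewall rules per client, Joe Patterson's point that the address the server assigns is the one thing the client cannot override, and the iptables rule in Jan Just Keijser's reply), here is a client-connect/client-disconnect script for the OpenVPN server. It is an added example written for this page, not code from the thread or from the OpenVPN project. The option names and the script_type, common_name and ifconfig_pool_remote_ip environment variables are real OpenVPN ones; the policy table, the user names, the tun0 interface name, the /etc/openvpn/client-fw.sh path and the assumption that the FORWARD chain defaults to DROP are illustrative.

```shell
#!/bin/sh
# client-fw.sh: per-client forwarding policy for an OpenVPN server.
# Added example for this thread, not code from the OpenVPN project.
#
# Server config lines assumed (real OpenVPN options):
#   script-security 2
#   client-connect    /etc/openvpn/client-fw.sh
#   client-disconnect /etc/openvpn/client-fw.sh
# OpenVPN exports script_type ("client-connect"/"client-disconnect"),
# common_name and ifconfig_pool_remote_ip (the address from the pool or
# from the client's ifconfig-push) to the script.  The baseline is assumed
# to be "iptables -P FORWARD DROP", so a client reaches only what the rules
# added here ACCEPT, whatever "route" lines it adds to its own config.

set -eu

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
TUN_IF="${TUN_IF:-tun0}"           # assumed tunnel interface name

# Constructed policy table: certificate common name -> destinations.
# Keyed on the CN the server verified, never on anything the client
# sends; in production read this from a root-owned file instead.
policy_for_cn() {
    case "$1" in
        alice) echo "10.10.0.0/24 10.20.5.7/32" ;;  # IT staff: LAN + one host
        bob)   echo "10.10.0.22/32" ;;              # one host only
        *)     echo "" ;;                           # unknown CN: nothing
    esac
}

# Print the iptables commands implementing $2's policy for VPN address $3.
# $1 is -I (insert on connect) or -D (delete on disconnect).
build_rules() {
    for dst in $(policy_for_cn "$2"); do
        echo "$IPTABLES $1 FORWARD -i $TUN_IF -s $3 -d $dst -j ACCEPT"
    done
}

# The CN and address reach a shell command line, so accept only plain
# identifiers and dotted-quad addresses.
valid_cn()   { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,64}$'; }
valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# $1 script_type, $2 common_name, $3 client VPN address.
# A non-zero return on connect makes OpenVPN reject the client, so a
# policy that could not be installed fails closed.
apply_policy() {
    stype="$1"; cn="$2"; ip="$3"
    valid_cn "$cn"   || { echo "client-fw: rejecting odd common_name" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "client-fw: rejecting odd client address" >&2; return 1; }
    case "$stype" in
        client-connect)    act=-I ;;
        client-disconnect) act=-D ;;
        *) echo "client-fw: unexpected script_type '$stype'" >&2; return 1 ;;
    esac
    # here-doc instead of a pipe so that 'return' reaches this function
    while read -r cmd; do
        [ -n "$cmd" ] || continue
        # shellcheck disable=SC2086  # splitting our own string is intended
        if ! $cmd; then
            echo "client-fw: failed: $cmd" >&2
            [ "$stype" = client-disconnect ] || return 1
        fi
    done <<EOF
$(build_rules "$act" "$cn" "$ip")
EOF
    return 0
}

# Entry point when OpenVPN runs the script (script_type is set only then).
if [ -n "${script_type:-}" ]; then
    apply_policy "$script_type" "${common_name:?}" "${ifconfig_pool_remote_ip:?}"
fi
```

Two things to keep in mind when using something like this: return traffic still needs the usual "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule ahead of the DROP default, and if you allow duplicate-cn, the disconnect of one session deletes the first matching rule while another session with the same CN may still be up, so either forbid duplicate-cn or key the rules on the session's address rather than the CN.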