Re: [SLUG] Restricting access to certain IP addresses with OpenVPN
On Wed, Jan 30, 2008 at 09:44:33AM +1100, Andre Kolodochka wrote:
> Hi sluggers,
>
> We have OpenVPN server running internally for employees to access our
> network from home. We have a request from a potential client to access
> some internal demo systems. They are happy to install and use OpenVPN
> client, however I won't be happy giving them the full access to our
> network.
>
> Hence the question. Is it possible to restrict access for certain
> users only to specific set of IP addresses? So everyone except this
> client will be able to use VPN to access everything on the network as
> usual and potential client will be able to access only boxes on those
> specific IP addresses?
>
> Thanks in advance,

The relevant lines from the conf file:

    client-connect /etc/openvpn/sydlxfw01-up.sh
    client-disconnect /etc/openvpn/sydlxfw01-down.sh

I have one script and use a symlink to give the above two:

    #!/bin/sh
    # One script for both hooks: OpenVPN runs it as sydlxfw01-up.sh
    # (client-connect) or sydlxfw01-down.sh (client-disconnect) through
    # symlinks, and the name it was invoked under selects insert or delete.
    NM="$(basename "$0")"
    if [ "$NM" = "sydlxfw01-up.sh" ]
    then
        IPACTION="replace"   # not used below
        FWACTION="-I"        # insert at the top of the OPENVPN chain
    fi
    if [ "$NM" = "sydlxfw01-down.sh" ]
    then
        IPACTION="delete"
        FWACTION="-D"        # delete the same rules again
    fi
    if [ -z "$FWACTION" ]
    then
        echo "$0: unknown script name $NM" >&2
        exit 1
    fi
    # ifconfig_pool_remote_ip and common_name are exported by OpenVPN
    # into the environment of client-connect/client-disconnect scripts.
    iptables $FWACTION OPENVPN -s "$ifconfig_pool_remote_ip/32" -m state --state NEW -j ACCEPT
    if [ "${common_name}." = "client4." ]
    then
        # Every -I lands at the top of the chain, so the port 22 ACCEPT
        # inserted last is checked before the REJECT and before the
        # general ACCEPT above it.
        iptables $FWACTION OPENVPN -s "$ifconfig_pool_remote_ip/32" -j REJECT
        iptables $FWACTION OPENVPN -s "$ifconfig_pool_remote_ip/32" -d 192.168.11.10 -p tcp --dport 22 -j ACCEPT
    fi
    exit 0

You need to get the client names, which you get from the certificate.
You will also need a chain in iptables which is linked to FORWARD where you can add or remove rules. I prefer to do this on a separate chain rather than the main one; this way you can deny/restrict based on the certificate given out.

--
"Part of the facts is understanding we have a problem, and part of the facts is what you're going to do about it." - George W. Bush 04/15/2005 Kirtland, OH

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Restricting access to certain IP addresses with OpenVPN
[EMAIL PROTECTED] wrote:
> Quoting Andre Kolodochka <[EMAIL PROTECTED]>:
>> Hi sluggers,
>>
>> We have OpenVPN server running internally for employees to access our
>> network from home. We have a request from a potential client to access
>> some internal demo systems. They are happy to install and use OpenVPN
>> client, however I won't be happy giving them the full access to our
>> network.
>>
>> Hence the question. Is it possible to restrict access for certain
>> users only to specific set of IP addresses? So everyone except this
>> client will be able to use VPN to access everything on the network as
>> usual and potential client will be able to access only boxes on those
>> specific IP addresses?
>
> I'm interested in achieving exactly that also within our project. The
> situation that we have is that our remote support people want to access
> the server and then go out to individual (possibly windows) workstations
> on the network. They can do that at the moment by opening vnc on the
> server and using the remote desktop client to go to the client machines.
> That is not ideal, but it does work. It would be really handy to be able
> to run some sort of script on the server to allow this to happen easily.
>
> It's really good to hear that there is actually so much expertise in
> this area on the mailing list. I am myself trying to come up with an
> easy gui interface, maybe in python, just to select all the hosts that
> would be available in the remote site. Click one and open access.
>
> So I am interested in what others are doing here...

You could simply use a web page that is dynamically updated (if needed) with info as to what machines are available on the network. Clicking on links could then open a vnc connection using the java applet that vnc comes with. This way, remote staff vpn in to the network - get access to the intranet page with all machines listed (maybe with some sort of authentication) and simply click to open a vnc session to that machine.

Without giving it much thought, there are likely to be security issues though.
Re: [SLUG] Restricting access to certain IP addresses with OpenVPN
Quoting Andre Kolodochka <[EMAIL PROTECTED]>:
> Hi sluggers,
>
> We have OpenVPN server running internally for employees to access our
> network from home. We have a request from a potential client to access
> some internal demo systems. They are happy to install and use OpenVPN
> client, however I won't be happy giving them the full access to our
> network.
>
> Hence the question. Is it possible to restrict access for certain
> users only to specific set of IP addresses? So everyone except this
> client will be able to use VPN to access everything on the network as
> usual and potential client will be able to access only boxes on those
> specific IP addresses?

I'm interested in achieving exactly that also within our project. The situation that we have is that our remote support people want to access the server and then go out to individual (possibly windows) workstations on the network. They can do that at the moment by opening vnc on the server and using the remote desktop client to go to the client machines. That is not ideal, but it does work. It would be really handy to be able to run some sort of script on the server to allow this to happen easily.

It's really good to hear that there is actually so much expertise in this area on the mailing list. I am myself trying to come up with an easy gui interface, maybe in python, just to select all the hosts that would be available in the remote site. Click one and open access.

So I am interested in what others are doing here...

Regards
David
Re: [SLUG] Restricting access to certain IP addresses with OpenVPN
A.

On Wed, 2008-01-30 at 10:47 +1100, [EMAIL PROTECTED] wrote:
> Hi sluggers,
>
> We have OpenVPN server running internally for employees to access our
> network from home. We have a request from a potential client to access
> some internal demo systems. They are happy to install and use OpenVPN
> client, however I won't be happy giving them the full access to our
> network.
>
> Hence the question. Is it possible to restrict access for certain
> users only to specific set of IP addresses? So everyone except this
> client will be able to use VPN to access everything on the network as
> usual and potential client will be able to access only boxes on those
> specific IP addresses?
>
> Thanks in advance,

This is quite tricky, not easily answered:

1) openvpn hands out dhcp addresses, not the same one to the same client.
   So you want your employees to access your local network when they get
   given address 1-to-n, but your customer to not access the network when
   he gets given 1-to-n.

I can conceive of virtual hosts based on port number and an adsl router ...
Multiple openvpn sessions based on port numbers ...
Saying 'sorry too hard' ...
Trusting your customer ... or else what are you doing playing with matches anyway
Use a pptp vpn from your 'demo setup' to the customer. You don't care about his security.

Cheers
James
Re: [SLUG] Restricting access to certain IP addresses with OpenVPN
On 30/01/2008, at 9:56 AM, Phil Scarratt wrote:
> What you should be able to do is configure OpenVPN to always assign the
> client the same IP address (I believe that is documented in OpenVPN
> sample conf file), then you could use iptables to restrict that client
> IP address access to the network...

That's one way, the other way is learn-address.

    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients.  There are two methods:
    # (1) Run multiple OpenVPN daemons, one for each
    #     group, and firewall the TUN/TAP interface
    #     for each group/daemon appropriately.
    # (2) (Advanced) Create a script to dynamically
    #     modify the firewall in response to access
    #     from different clients.  See man
    #     page for more info on learn-address script.
    learn-address /etc/openvpn/learn-script

--
Michael Chesterton
http://chesterton.id.au/blog/
http://barrang.com.au/
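The learn-address route Michael points at, as an added example (this is not code from the list posts or from OpenVPN itself): a POSIX sh hook that keeps one iptables chain in step with which certificate currently holds which tunnel address. The chain name OPENVPN, the restricted common name client4 and the 192.168.11.10 port 22 target are taken from the earlier reply in this thread; the tun0 device, the state directory /var/lib/openvpn/learn-address and the IPTABLES/STATE_DIR environment overrides are assumptions made for the example. The point it adds over a client-connect script is the bookkeeping: OpenVPN calls the hook with "delete" but no common name, and can hand an address that was previously client4's to someone else on "update", so the script records the common name per address and removes the old rules before adding new ones.

```shell
#!/bin/sh
# learn-address hook for OpenVPN: per-certificate firewall policy.
# Added example, not from the list posts. OpenVPN invokes it as
#   learn-script add|update|delete <address> [common_name]
# and passes the common name only for "add" and "update".
# Assumptions (not in the thread): the server's tun device is tun0, the
# chain OPENVPN exists and FORWARD jumps to it, i.e. done once at startup:
#   iptables -N OPENVPN && iptables -A FORWARD -i tun0 -j OPENVPN
# and STATE_DIR is writable by the user OpenVPN runs scripts as.
# POSIX sh has no "local", so each function uses its own variable names.

IPTABLES="${IPTABLES:-iptables}"
STATE_DIR="${STATE_DIR:-/var/lib/openvpn/learn-address}"

# rules_for CN ADDRESS: print the rule specs (without -A/-D) for this client,
# one per line, in the order they must be appended. Unknown CNs get full
# access; client4 reaches only 192.168.11.10:22 and is rejected elsewhere.
rules_for() {
    rf_cn="$1"
    rf_addr="$2"
    case "$rf_cn" in
        client4)
            echo "OPENVPN -s $rf_addr/32 -d 192.168.11.10 -p tcp --dport 22 -j ACCEPT"
            echo "OPENVPN -s $rf_addr/32 -j REJECT"
            ;;
        *)
            echo "OPENVPN -s $rf_addr/32 -j ACCEPT"
            ;;
    esac
}

# apply -A|-D CN ADDRESS: append or delete every rule for the client.
# -A keeps the order from rules_for (all rules are source-specific, so other
# clients' rules interleaving with them does not matter); -D removes by spec.
apply() {
    ap_action="$1"
    rules_for "$2" "$3" | while IFS= read -r spec; do
        # $spec is deliberately unquoted: each word is one iptables argument
        $IPTABLES "$ap_action" $spec
    done
}

# learn_address OP ADDRESS [CN]: the entry point OpenVPN calls. The CN is
# recorded per address so that "delete" (which carries no CN) and an
# "update" that hands the address to a different certificate remove the
# old rules instead of leaving them behind.
learn_address() {
    op="$1"
    addr="$2"
    cn="$3"
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$addr"
    case "$op" in
        add|update)
            [ -n "$cn" ] || { echo "$0: $op without common name" >&2; return 1; }
            if [ -f "$state" ]; then
                apply -D "$(cat "$state")" "$addr"
            fi
            apply -A "$cn" "$addr"
            printf '%s\n' "$cn" > "$state"
            ;;
        delete)
            if [ -f "$state" ]; then
                apply -D "$(cat "$state")" "$addr"
                rm -f "$state"
            fi
            ;;
        *)
            echo "usage: $0 add|update|delete address [common_name]" >&2
            return 1
            ;;
    esac
}

# Dispatch only when run with arguments (i.e. by OpenVPN), so the file can
# also be sourced to exercise the functions without root.
if [ $# -gt 0 ]; then
    learn_address "$@"
fi
```

Install it as the learn-address script in the server config (OpenVPN 2.1 and later also need script-security 2 for external scripts) and create the OPENVPN chain once before clients connect. Two caveats apply to this and to the client-connect variant earlier in the thread: FORWARD only sees routed traffic, so anything served by the VPN box itself has to be filtered in INPUT as well, and with client-to-client enabled OpenVPN forwards packets between clients internally without passing them through the kernel firewall, so leave it off if the restricted client must not reach other VPN users.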
Re: [SLUG] Restricting access to certain IP addresses with OpenVPN
Andre Kolodochka wrote:
> Hi sluggers,
>
> We have OpenVPN server running internally for employees to access our
> network from home. We have a request from a potential client to access
> some internal demo systems. They are happy to install and use OpenVPN
> client, however I won't be happy giving them the full access to our
> network.
>
> Hence the question. Is it possible to restrict access for certain
> users only to specific set of IP addresses? So everyone except this
> client will be able to use VPN to access everything on the network as
> usual and potential client will be able to access only boxes on those
> specific IP addresses?

What you should be able to do is configure OpenVPN to always assign the client the same IP address (I believe that is documented in OpenVPN sample conf file), then you could use iptables to restrict that client IP address access to the network...

Fil
[SLUG] Restricting access to certain IP addresses with OpenVPN
Hi sluggers,

We have OpenVPN server running internally for employees to access our network from home. We have a request from a potential client to access some internal demo systems. They are happy to install and use OpenVPN client, however I won't be happy giving them the full access to our network.

Hence the question. Is it possible to restrict access for certain users only to specific set of IP addresses? So everyone except this client will be able to use VPN to access everything on the network as usual and potential client will be able to access only boxes on those specific IP addresses?

Thanks in advance,

--
Andre Kolodochka
http://www.linkedin.com/in/andrek
https://www.xing.com/profile/Andre_Kolodochka
F: +61-2-9475-4774 | M: +61-408-282-138
Skype: kolodochka
MSN: [EMAIL PROTECTED]