How to use iptables to block access to local LAN for an openvpn client?
Bo Berglund
bo.berglund at gmail.com
Thu Sep 1 06:57:34 UTC 2022
I am running an OpenVPN server on my Ubuntu server 20.04.4 LTS.
It is used for these purposes:
1) Access the local LAN from remote locations
2) Access the Internet as if the client computer is on my LAN
I created this for myself many years ago to reach my home resources and then it
was expanded for use by my daughter and my brother-in-law, both living abroad, to
access Swedish geo-blocked media.
Now I want to modify the behaviour of the server based on the connected client,
such that when I myself connect, the LAN will be accessible to the VPN client,
but when the other family members connect, they can only access the Internet via
the tunnel and not reach the LAN.
So I have used an OpenVPN feature named "Client Configuration Dir" (ccd for
short) where one can add extra config for a connecting client based on its
"Common Name".
It is done by creating a file named as the Common Name and containing the extra
client config.
With this I can set the IP address of the connecting client to a specific value
rather than using the pool of addresses normally active.
So now I have this problem (last item to do):
Given that the client gets an address 10.8.113.139 using the ccd config and that
the LAN addresses are 192.168.223.x, how should I set up an iptables entry on
the server that will drop all traffic from this client targeting the LAN?
Will something like this work:
iptables -A PREROUTING -s 10.8.113.139 -d 192.168.223.0/24 -j DROP
I am not very fluent in iptables usage, so I need some help in the correct
syntax of the command to create the filter...
--
Bo Berglund
Developer in Sweden
More information about the ubuntu-users mailing list
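The rule quoted in the question names PREROUTING, a chain that exists in the nat, mangle and raw tables but not in the filter table that iptables uses when -t is omitted; traffic from the tun interface to the LAN is routed by the server, so it is matched in the filter table's FORWARD chain. The script below is an added example, not code from the original post: it builds and applies the FORWARD rules for the setup described above, assuming tun0 is the server's OpenVPN interface and leaving the server's existing NAT and ACCEPT rules in place.

```shell
#!/bin/sh
# Added example (not from the original post). Blocks one ccd-pinned OpenVPN
# client from the LAN while leaving its Internet access, and every other
# client, untouched. Assumed: tun0 is the server's OpenVPN interface, and the
# existing NAT/FORWARD rules that give clients Internet access stay in place.
VPN_IF="tun0"                 # assumed OpenVPN interface name
LAN_NET="192.168.223.0/24"    # LAN from the post
GUEST_IP="10.8.113.139"       # restricted client's address from its ccd file

# Rules in the order they must appear in the FORWARD chain, without the
# chain name. Traffic from tun0 to the LAN is routed by the server, so it is
# matched in FORWARD; the filter table (iptables' default) has no PREROUTING
# chain, which is why the rule quoted in the question cannot be loaded.
vpn_lan_rules() {
    # Log a rate-limited sample first so the block can be verified in the
    # kernel log (journalctl -k | grep VPN-LAN-DROP), then drop the rest.
    echo "-i $VPN_IF -s $GUEST_IP -d $LAN_NET -m limit --limit 5/min -j LOG --log-prefix VPN-LAN-DROP:"
    echo "-i $VPN_IF -s $GUEST_IP -d $LAN_NET -j DROP"
}

# Insert the rules at the top of FORWARD so they precede any broad
# "-A FORWARD -i tun0 -j ACCEPT" the server already has. -C makes a re-run
# a no-op; DRY_RUN=1 prints the commands instead of applying them.
apply_vpn_lan_rules() {
    n=1
    vpn_lan_rules | while read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "iptables -I FORWARD $n $rule"
        else
            # shellcheck disable=SC2086   # $rule must be word-split here
            iptables -C FORWARD $rule 2>/dev/null || iptables -I FORWARD "$n" $rule
        fi
        n=$((n + 1))
    done
}

# Usage: sh vpn-lan-block.sh apply    (as root; afterwards `netfilter-persistent
#        save` from the iptables-persistent package keeps the rules over reboots)
#        sh vpn-lan-block.sh dry-run  (only prints the iptables commands)
case "${1:-}" in
    apply)   apply_vpn_lan_rules ;;
    dry-run) DRY_RUN=1; apply_vpn_lan_rules ;;
esac
```

After applying, `iptables -vnL FORWARD` shows the packet counters on the two new rules climbing while the restricted client tries to reach a LAN host, and the other clients' LAN access is unaffected because their source addresses do not match.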