I need to setup a multi machine VPN with the following characteristics:
- 1 hub (10.170.0.1) which is the base of the VPN
- 20 users (10.170.0.0/16)
- 5 administrators (10.171.0.0/16)
The first part, the hub and the 20 users, are working as I need. In this setup I need to:
- Connect from the hub to every user
- Connect from every user to the hub
- Reject connection between users.
Plain vanilla OpenVPN configuration without using client-to-client.
Now I want to add the 5 administrators with some superpowers of connection. In this new setup I need to:
- Connect from the administrators to the hub.
- Connect from every administrator to every user (perhaps need to eventually restrict certain administrators to certain users).
- Reject connection between users and administrators (except the ones originated from the administrators).
- Reject connection between administrators.
I think that to get this granularity of control I need to enable client-to-client in the server.conf. When doing this I already have users (10.170.0.0/16) and administrators (10.171.0.0/16) talking. The problem is that I need to enforce the restrictions above. I'm sure that this should be an iptables problem but I've been trying for more hours than I care to admit and can't make it work. So far my iptables.conf looks like this:
*filter
:INPUT DROP [1000:900000]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.170.0.0/16 -d 10.170.0.1 -j ACCEPT
-A FORWARD -s 10.170.0.0/16 -d 10.171.0.0/16 -j ACCEPT
-A FORWARD -s 10.170.0.0/16 -d 10.170.0.0/16 -j REJECT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
I think the forwards in the same subnet are the problem... but I don't even know where to start.
This could get rather complicated. The "client-to-client" option in OpenVPN simply shortcuts what otherwise can be accomplished with routing, so I would actually not use that at all, as it will give you more control.
When a client connects using OpenVPN, this effectively creates a tunnel with its own, 4-address-wide subnet. The lowest address is the network address, then you have one address each for the two sides and finally the broadcast address. So in that case enabling traffic flow from the administrators to the users, but not the other way around is a simple question of putting a rule like this in place:
# users -> admins: only replies to connections the admins opened
-A FORWARD -s 10.170.0.0/16 -d 10.171.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
# admins -> users: allowed to open new connections
-A FORWARD -s 10.171.0.0/16 -d 10.170.0.0/16 -j ACCEPT
This ensures that any traffic from the users back to the admins is only accepted if it is in response to a packet that came the other way. So that fixes that. You may need some routing rules for this, too, but generally they should be put in place by the OpenVPN daemon automatically. Since you are still not using "client-to-client", admins can't see each other, either.
So far so good. The tricky bit now is to enable connections between some admins, but not others. For this you will probably have to establish pre-determined address allocations for each machine connecting to the VPN, and then put specific firewall rules in place to enable/disable traffic between them (based on the above as a template).
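To make the ordering of the rules above concrete, here is an added example (not code from the question or the answer) that prints a minimal FORWARD chain for the policy just described and includes a small first-match simulator so the verdicts can be checked without root or a real tun device. The network names and the helper functions are my own assumptions.

```shell
#!/bin/sh
# Added example. Emits the client-to-client FORWARD policy from the answer
# (admins may open connections to users, users may only answer, nothing else
# is forwarded between clients) and simulates first-match evaluation.
USERS_NET=10.170.0.0/16     # users; the hub 10.170.0.1 lives in this range
ADMINS_NET=10.171.0.0/16    # administrators

# Rules in iptables-restore syntax. The /16 mask on -d is what makes a rule
# cover the whole subnet instead of the single host 10.170.0.0.
vpn_forward_rules() {
  cat <<EOF
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $ADMINS_NET -d $USERS_NET -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
EOF
}

# in_net ADDR NET: true when ADDR is inside NET (only /16 nets needed here).
in_net() {
  case "$2" in
    *.*.*.*/16) prefix="${2%.*.*/16}." ;;   # 10.171.0.0/16 -> "10.171."
    *) echo "in_net: only /16 supported" >&2; return 2 ;;
  esac
  case "$1" in "$prefix"*) return 0 ;; esac
  return 1
}

# forward_verdict SRC DST STATE: walks the same three rules in order and
# prints the verdict the kernel would reach (ACCEPT or REJECT).
forward_verdict() {
  case "$3" in RELATED|ESTABLISHED) echo ACCEPT; return ;; esac
  if in_net "$1" "$ADMINS_NET" && in_net "$2" "$USERS_NET"; then
    echo ACCEPT; return
  fi
  echo REJECT
}

vpn_forward_rules
```

Run it as a plain script to see the rules; the simulator covers only the FORWARD chain, so traffic to and from the hub itself (INPUT/OUTPUT on the server) is outside its scope.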