I'm running OpenVPN 2.3.7 on CentOS 6. I'm using routing (tun) and have two instances of OpenVPN. On the second instance there are two clients that I'd like to make visible to each other, i.e. ping, access ports etc. They are both within the same subnet, so it should be fairly straightforward; they are configured with static addresses through ccd.
I want the two clients to be able to see each other via their OpenVPN LAN IP addresses without enabling client-to-client in the server.conf.
I'm pretty sure it can be done with iptables, which I use as my firewall (although I use CSF, it's a wrapper for iptables).
These are the IPv4 addresses of the clients:
OpenVPN Client #1: 10.8.2.14
OpenVPN Client #2: 10.8.2.17
I need client #1 to be able to access services running on client #2, and I guess for compatibility client #2 to see client #1 if a response is required.
I have tried several FORWARD chain rules on the OpenVPN server, but I can't get any communication between the two clients. The OpenVPN server can obviously ping both clients, the clients can ping the OpenVPN server gateway, and the clients obviously cannot see each other.
Some rules I've already tried and haven't worked:
iptables -A FORWARD -s 10.8.2.14 -d 10.8.2.17 -j ACCEPT
iptables -A FORWARD -s 10.8.2.17 -d 10.8.2.14 -j ACCEPT
I'm looking for help with iptables to get the two clients visible to each other, without enabling client-to-client, as this is a special requirement for two clients and not needed anywhere else.
The alternative is exposing the services on the VPN client through NAT, but I'd rather avoid doing this for security.
Any insight would be helpful!
Thanks,
James
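As an added example (not code from the original question or from any of the answers), here is a shell script that installs the two-client FORWARD rules the question is after, without client-to-client. The security-relevant point: when client-to-client is off, a packet from 10.8.2.14 to 10.8.2.17 comes in on the tun interface, is routed by the kernel, and goes back out the same tun interface, so the rules match on identical input and output interfaces and every other hairpin on that interface is dropped. Assumptions not stated on the page: the second instance's interface is tun1 (check with ip addr), the rules go at the head of FORWARD because CSF manages the rest of the chain, and kernel forwarding is turned on with sysctl. Run with RUN=echo to see the commands; run as root with RUN unset to apply them.

```shell
#!/bin/sh
# Added example, not code from the original post. It assumes the second
# OpenVPN instance owns the interface in TUN (tun1 is a guess; check
# "ip addr") and that the two clients keep the static addresses from the
# question via ccd. RUN=echo prints the commands instead of running them.
set -eu

TUN="${TUN:-tun1}"
CLIENT_A="${CLIENT_A:-10.8.2.14}"
CLIENT_B="${CLIENT_B:-10.8.2.17}"
RUN="${RUN:-}"

# Emit the FORWARD rules, one per line, without the chain/position prefix.
# Order matters: conntrack first, then the two NEW-connection rules, then
# the catch-all DROP that keeps every other pair of clients isolated.
ovpn_pair_rules() {
    tun="$1"; a="$2"; b="$3"
    # Return traffic for flows either side opened. The packet arrives on
    # the tun interface and leaves on the same interface (a hairpin).
    echo "-i $tun -o $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # A may open connections to B, and B may open connections to A.
    echo "-i $tun -o $tun -s $a -d $b -m conntrack --ctstate NEW -j ACCEPT"
    echo "-i $tun -o $tun -s $b -d $a -m conntrack --ctstate NEW -j ACCEPT"
    # Any other client-to-client hairpin on this instance is dropped.
    echo "-i $tun -o $tun -j DROP"
}

# Install the rules at the head of FORWARD (positions 1..4) so they act
# before anything a wrapper such as CSF put in the chain, and enable the
# kernel settings the hairpin needs.
ovpn_pair_apply() {
    tun="$1"; a="$2"; b="$3"
    # Without ip_forward the kernel never forwards between clients at all.
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Routing a packet back out the interface it arrived on makes the
    # kernel send ICMP redirects; harmless here, but noisy, so turn them off.
    $RUN sysctl -w "net.ipv4.conf.$tun.send_redirects=0"
    n=1
    ovpn_pair_rules "$tun" "$a" "$b" | while IFS= read -r rule; do
        # $rule is deliberately left unquoted so it word-splits into args.
        $RUN iptables -I FORWARD "$n" $rule
        n=$((n + 1))
    done
}

# Count the FORWARD rules on stdin that name the pair; feed it the output
# of "iptables -S FORWARD" to check the rules survived a CSF restart.
ovpn_pair_count() {
    a="$1"; b="$2"
    grep -c -E -- "-s $a -d $b|-s $b -d $a" || true
}

if [ "${1:-}" = "apply" ]; then
    ovpn_pair_apply "$TUN" "$CLIENT_A" "$CLIENT_B"
fi
```

With CSF, call the apply step from /etc/csf/csfpost.sh so it is re-run after csf -r rebuilds the chains; that rebuild is the usual reason rules appended by hand with -A silently disappear. Verify with iptables -S FORWARD piped into ovpn_pair_count (expect 2). If the hairpin still fails, confirm with ip route that the server sends 10.8.2.0/24 to the interface named in TUN and that it is the second instance, not the first, that owns it.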
I know this question is old, but just to clarify for new users that might still be visiting this page:
If you use client-to-client you can't actually use the firewall: the server will not even see those packets at all, as they never come back out from the OpenVPN server, so, since they are not reaching the host layer, the firewall won't be reached and your rules would be useless. I suggest you do the reverse: enable client-to-client and then use iptables to block all clients but the two you want to allow to talk to each other.
It is easy to set the client config to route a particular IP (even a VPN IP) via the VPN with a 255.255.255.255 netmask. However, the difficulty remains at the OpenVPN server: whether it will route a client-to-client request without the client-to-client option.
There is an option "iroute" that allows the server to forward a packet to a client rather than respond to its request. If you are sure of the static IPs of both clients, it will work. Otherwise try using a tap device with ipp or ccd settings to make sure the two clients have static VPN IPs, with the iroute settings on them.