openvpn
Sergey Bydanov, 2017-04-17 08:19:39

How to allow access to only one PC behind openvpn?

There is a bunch of devices with an openvpn client (all I know about them is that they exist; I have not seen them and will not see them myself). There is an openvpn server on a Mikrotik 750. At the moment, anyone who connects with a valid key (and password) sees the entire network behind the router, which for some reason does not suit the security people.
What is needed is that all these devices, with their own key (one for all of them, since there will be hundreds), can connect to only one PC, while at the same time other clients with their own keys can see the entire network.
I'll also clarify: I'm more interested in whether all this can be done with openvpn alone, or whether a firewall needs to be configured for it. I'm not very familiar with the firewall on Mikrotik.


1 answer(s)
Dmitry Alexandrov, 2017-04-17
@sergarcada

An rb-750 and "clients ... because there will be hundreds of them" somehow do not go together. The MikroTik ("tick") ovpn implementation leaves much to be desired, since there is no udp and no lzo, and the speed will be terrible, but the pings will be better than on wrt firmware.
Theoretically, you can try the following (not sure if it will work):
1) On the MikroTik, set up the ovpn server in ethernet mode.
2) For those who will connect in bulk using one key/password, make a single account and hand out addresses to them from pool1 (for example, 192.168.51.0/24). In the firewall, cut off all connections (for example, to your LAN 192.168.50.0/24) except the one you need, to the "one PC" (for example, 192.168.50.100).
3) For the "other clients who should see the entire network", make unique accounts and manually assign an individual IP to each, but within a single pool (for example, 192.168.
In any case, the firewall will have to be used, otherwise there will be a hole: a sufficiently clever person will be able to add a route to the LAN subnet and gain access to it. The firewall on MikroTik is very pleasant and it will not be hard to figure it out at all (in any case, it is many times easier to learn from scratch than iptables).
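As an added example (not part of the answer above and not configuration taken from the original page), here is what steps 2 and 3 plus the firewall could look like as a RouterOS CLI script. The addresses follow the answer's examples (LAN 192.168.50.0/24, target PC 192.168.50.100, bulk pool 192.168.51.0/24); the 192.168.52.0/24 pool for full-access users, all object names, the passwords and the certificate name are assumptions. It deliberately uses mode=ip (routed) instead of the ethernet mode suggested in step 1: in ip mode every packet from a client is routed by the router and therefore passes the forward chain of /ip firewall filter, whereas in ethernet (bridged) mode the IP firewall only sees bridged traffic if /interface bridge settings use-ip-firewall=yes is set.

```routeros
# Added example, not from the original page. Replace the passwords and the
# certificate name; 192.168.52.0/24 and all object names are assumptions,
# the other addresses follow the answer above.

# Two address pools: one for the bulk devices (shared account), one for the
# people who may see the whole LAN.
/ip pool
add name=pool-bulk ranges=192.168.51.2-192.168.51.254
add name=pool-full ranges=192.168.52.2-192.168.52.254

# Profiles. The bulk profile must allow many simultaneous sessions on the
# same secret (only-one=no); the full-access profile allows one session
# per secret.
/ppp profile
add name=ovpn-bulk local-address=192.168.51.1 remote-address=pool-bulk only-one=no
add name=ovpn-full local-address=192.168.52.1 remote-address=pool-full only-one=yes

# One shared secret for the hundreds of devices; individual secrets, each
# pinned to a fixed address inside the full-access pool, for everyone else.
/ppp secret
add name=device service=ovpn profile=ovpn-bulk password=CHANGE-ME-DEVICE
add name=admin1 service=ovpn profile=ovpn-full remote-address=192.168.52.10 password=CHANGE-ME-ADMIN1
add name=admin2 service=ovpn profile=ovpn-full remote-address=192.168.52.11 password=CHANGE-ME-ADMIN2

# Server in ip (routed) mode so that every client packet traverses the
# forward chain. The certificate name is an assumption.
/interface ovpn-server server
set enabled=yes mode=ip default-profile=ovpn-full certificate=ovpn-server-cert require-client-certificate=no

# Firewall: the bulk pool may reach only the one PC; everything else from
# that pool (rest of the LAN, other VPN clients, internet) is dropped.
# Rule order matters: the accept must come before the drop.
/ip firewall filter
add chain=forward src-address=192.168.51.0/24 dst-address=192.168.50.100 action=accept comment="bulk devices: only the one PC"
add chain=forward src-address=192.168.51.0/24 action=drop comment="bulk devices: nothing else"

# A bulk client that forges its source address (e.g. claims to be from
# 192.168.52.0/24) would otherwise slip past the src-address match. Strict
# reverse-path filtering drops packets whose source address is not routed
# back over the interface they arrived on, which for a PPP/OVPN client is
# the /32 route to the address the router itself assigned.
/ip settings
set rp-filter=strict
```

The accept rule allows any protocol and port towards 192.168.50.100; add protocol= and dst-port= to it if the devices only need one service. If the router already has a default-config forward chain that drops everything not established/related, place these two rules above that drop, and note that the return traffic from 192.168.50.100 is unaffected because its source is the PC, not the bulk pool. A client-side route added by a "sufficiently clever" user, as the answer warns, does not help them here: the router's forward chain, not the client's routing table, decides what the bulk pool may reach.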
