openvpn
Toshua, 2019-05-13 07:47:20

How to prevent VPN clients from accessing the Internet, leaving access only from a given ip?

Hello.
I have a VPS with OpenVPN deployed on it.
How do I restrict VPN clients' access to the Internet with iptables, allowing it only from a specified IP?


2 answers
Denis Bazarnov, 2019-05-13
@Toshua

Good afternoon. OpenVPN gives you a separate network/interface, and the public Internet has its own as well. I see two options:
1) Either cancel masquerading for the entire OpenVPN network and set up masquerading only for the specific IP address.
2) Or work with the OUTPUT chain for the Internet network/interface: forbid everyone, but allow the specific IP.

krosh, 2019-05-13
@krosh

All vpn server traffic goes through the FORWARD chain, filter it there. In this context, it becomes a router, and there is enough material on this topic in the search. Assuming that tun0 is the interface for vpn clients and eth0 is the internet, we can start with the following rules.

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "ALLOWED Replies to established connections" -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "ALLOWED Established connections" -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -s 192.168.0.100 -p udp -m udp --dport 53 -m comment --comment "ALLOWED DNS/udp for 192.168.0.100" -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -s 192.168.0.100 -m conntrack --ctstate NEW -m comment --comment "ALLOWED Internet for 192.168.0.100" -j ACCEPT

Perhaps the rule about DNS is superfluous; I don't remember how OpenVPN handles DNS requests. Try starting without it at all.
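The two approaches from the answers above (filtering in FORWARD, and masquerading only the one permitted client) combined into one idempotent script. This is an added example, not code posted by either answerer: the interface names tun0 and eth0, the VPN subnet 192.168.0.0/24, the allowed client 192.168.0.100 and the chain name VPN_FWD are assumed placeholders, and the rules are generated as text so they can be reviewed (or tested) before anything is applied.

```sh
#!/bin/sh
# Added example (not from the thread): restrict Internet forwarding from the
# OpenVPN tunnel to a single client. All values below are placeholders.
VPN_IF="${VPN_IF:-tun0}"                    # interface OpenVPN clients arrive on
WAN_IF="${WAN_IF:-eth0}"                    # interface facing the Internet
VPN_NET="${VPN_NET:-192.168.0.0/24}"        # the whole OpenVPN subnet
ALLOWED_IP="${ALLOWED_IP:-192.168.0.100}"   # the one VPN client allowed out
IPT="${IPT:-iptables}"

# Option 2 from the thread, done in FORWARD (where routed VPN traffic actually
# passes). A dedicated chain leaves the rest of FORWARD (Docker, other VPNs)
# untouched and makes re-running the script safe. Order matters: replies to
# established flows first, then the single permitted client, then log and drop.
vpn_forward_rules() {
    cat <<EOF
$IPT -N VPN_FWD 2>/dev/null || true
$IPT -F VPN_FWD
$IPT -A VPN_FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A VPN_FWD -i $VPN_IF -o $WAN_IF -s $ALLOWED_IP -m conntrack --ctstate NEW -j ACCEPT
$IPT -A VPN_FWD -m limit --limit 5/min -j LOG --log-prefix "vpn-fwd-drop: " --log-level 4
$IPT -A VPN_FWD -j DROP
$IPT -C FORWARD -i $VPN_IF -j VPN_FWD 2>/dev/null || $IPT -I FORWARD -i $VPN_IF -j VPN_FWD
$IPT -C FORWARD -o $VPN_IF -j VPN_FWD 2>/dev/null || $IPT -I FORWARD -o $VPN_IF -j VPN_FWD
EOF
}

# Option 1 from the thread: drop the subnet-wide MASQUERADE (if the server was
# set up with one) and masquerade only the permitted client. Other clients then
# cannot even reach the Internet with a usable source address.
vpn_nat_rules() {
    cat <<EOF
$IPT -t nat -D POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE 2>/dev/null || true
$IPT -t nat -C POSTROUTING -s $ALLOWED_IP -o $WAN_IF -j MASQUERADE 2>/dev/null || $IPT -t nat -A POSTROUTING -s $ALLOWED_IP -o $WAN_IF -j MASQUERADE
EOF
}

# Execute the generated commands one line at a time.
apply_rules() {
    { vpn_forward_rules; vpn_nat_rules; } | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    echo "# dry run; set APPLY=1 to execute these commands:"
    vpn_forward_rules
    vpn_nat_rules
fi
```

Run it as root with APPLY=1 to apply, or without it to print the commands for review. Two caveats: the rules trust the client's source address, so pin that client to its address with an ifconfig-push entry in the client-config-dir, otherwise the permitted IP is whatever the address pool hands out on a given day; and if the resolver pushed to clients with dhcp-option DNS is the VPS itself, that DNS traffic goes through INPUT, not FORWARD, so this chain neither allows nor blocks it. The rate-limited LOG line gives a kernel-log trail ("vpn-fwd-drop:") of clients that try to go out anyway.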
