Debian
Nikita Shinkevich, 2022-04-16 21:40:27

How to set up UFW blocks on Debian for VPN clients?

Hello friends!

There is a server used as a VPN server to reach the benefits of civilization via Europe; the VPN is currently working successfully in the following configuration:

- Debian 10
- SoftEtherVPN Server (1 hub, everything unnecessary is cut out, only the ability for clients to connect via OpenVPN is left)
- The built-in (slow and resource-intensive) NAT and DHCP server functions of SoftEtherVPN are disabled.
- Instead, DHCP is handled by dnsmasq, and VPN clients are attached to the tap_virtual virtual interface via a local bridge: VPN Hub > tap_virtual
- UFW is used as the management front-end for iptables; IPv4 FORWARDING is enabled in it, and the corresponding packet-forwarding rule from eth0 to tap_virtual is entered.

Added to /etc/ufw/before.rules, and it works:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
# Note: iptables masks the address, so 10.0.2.0/8 is stored as 10.0.0.0/8,
# i.e. the whole 10.x.x.x range; if the clients live only in 10.0.2.0/24,
# that narrower mask limits masquerading to them.
-A POSTROUTING -s 10.0.2.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES


Thus, anyone who joins the VPN as a user gets high-speed access to the global network.
VPN clients sit in the 10.0.2.0 subnet; the external interface is eth0, which accordingly provides the access to the network.

But there is a task, and there is a problem...
Task: to forbid VPN clients from using torrents, accessing certain sites, etc.; that is, the task is to protect the server from overload if some download enthusiast decides to rewatch the whole Lord of the Rings series in 4K by pulling it over torrent.

UFW works as it should: you write ufw deny, and it blocks incoming connections to the server IP; you can block all outgoing connections, but when it comes to blocking outgoing connections to specific ports, for example ufw deny out 443/tcp, this does not work.

Whatever rules I write for UFW, I can't figure out how to forbid all VPN users sitting in the 10.0.2.0 subnet from accessing, for example, 443 or 80, or the protocols and ports used by torrents.

Thanks for the bright ideas!


1 answer
Zerg89, 2022-04-18
@domres

Torrents use UDP ports; disable all UDP except 53/udp (DNS).
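The reason "ufw deny out 443/tcp" changes nothing for VPN clients, and one way to block them that covers both the question's ports and the answer's "UDP except DNS" idea, as an added example that is not code from the question or the answer: the server's own connections traverse the OUTPUT chain, but packets the server forwards for VPN clients (tap_virtual to eth0) traverse the FORWARD chain, which ufw manages with "ufw route" rules. The script below assumes a /24 mask for the client subnet (the page only says 10.0.2.0), the eth0 uplink named on the page, a ufw with route support (Debian 10 ships ufw 0.36), the conventional 6881-6889 torrent client port range, and that at least one route rule (the existing forwarding allow) is already present. By default it only prints the commands; set APPLY=1 to run them.

```shell
#!/bin/sh
# Added example (not from the original post): block forwarded VPN-client
# traffic with "ufw route" rules, which land in the FORWARD chain instead of
# the OUTPUT chain that "ufw deny out" filters.
#
# Assumptions, not stated on the page: client subnet mask /24, uplink eth0,
# ufw >= 0.34 ("route" support), torrent client range 6881-6889, and at least
# one existing route rule (the forwarding allow).

VPN_NET="${VPN_NET:-10.0.2.0/24}"   # assumed VPN client subnet
WAN_IF="${WAN_IF:-eth0}"            # uplink interface named on the page
APPLY="${APPLY:-0}"                 # 1 = really run ufw; otherwise print only

# deny_ports PROTO PORTS -> one rule body refusing forwarded PROTO traffic
# from VPN clients to PORTS (a list "80,443" or a range "6881:6889") anywhere.
deny_ports() {
    printf 'deny out on %s proto %s from %s to any port %s\n' \
        "$WAN_IF" "$1" "$VPN_NET" "$2"
}

# udp_dns_only -> the answer's idea as two rules: allow UDP/53 first, then
# deny every other UDP destination. iptables is first-match, so the order of
# these two lines is what makes DNS survive.
udp_dns_only() {
    printf 'allow out on %s proto udp from %s to any port 53\n' "$WAN_IF" "$VPN_NET"
    printf 'deny out on %s proto udp from %s to any\n' "$WAN_IF" "$VPN_NET"
}

# render_plan -> rule bodies in the order they must appear in the FORWARD
# chain. 80 and 443 are the question's examples; the torrent range is the
# assumed conventional client range.
render_plan() {
    deny_ports tcp 80,443
    deny_ports tcp 6881:6889
    udp_dns_only
}

# apply_plan -> rule i is inserted at position i, so the whole plan sits ahead
# of any pre-existing "ufw route allow" (a deny appended after that allow would
# never match) and keeps plan order. ufw rejects a position beyond the current
# rule count, so with no route rules at all use plain "ufw route <body>"
# instead; appending preserves the same order.
apply_plan() {
    n=1
    render_plan | while IFS= read -r body; do
        cmd="ufw route insert $n $body"
        if [ "$APPLY" = 1 ]; then
            $cmd
        else
            echo "dry-run: $cmd"
        fi
        n=$((n + 1))
    done
}

apply_plan
```

After applying, "ufw status numbered" shows the new rules marked (route) above the existing forwarding allow; "ufw route delete <body>" removes one again. Blocking by destination port only stops clients from using those ports directly, so a site-level block still needs something in front of the forwarded DNS or an HTTP proxy, which is outside what ufw alone does.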
