Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: occasionaltable on November 14, 2017, 03:33:12 PM

Title: How to prevent site to site OpenVPN connections from accessing server WAN
Post by: occasionaltable on November 14, 2017, 03:33:12 PM
Hello,

I've got a set of routers that attach to our SME server over the internet via OpenVPN site to site. They all have addresses 10.x.x.x (with local virtual IP of 100.x.x.x), and each Site to Site connection uses a different port.

At the moment each site can access the WAN (i.e. the internet) the main server is connected to through the VPN. I would like to lock it down so that these sites can't access the WAN, and can only access the main server (172.16.0.1), or other computers in the local network (172.16.x.x).

So basically just banning all addresses 10.x.x.x on local network from accessing WAN.

How would I go about this on SME Server? I have read through the page on using the firewall, but couldn't quite see how I might do it, as it gets more complicated when OpenVPN is involved.

Thanks in advance for any help!
Title: Re: How to prevent site to site OpenVPN connections from accessing server WAN
Post by: janet on November 14, 2017, 11:04:32 PM
occasionaltable

Probably iptables can help, but you will have to read the iptables docs to work out the rule needed (not a standard setting on SME AFAIK).
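A worked version of the iptables rule the reply refers to, added here as an example and not taken from the thread or from SME Server itself. It assumes the external interface is eth0 and that the remote sites arrive over the tunnels as 10.0.0.0/8, as described in the question.

```shell
#!/bin/sh
# Added example for this thread; not SME Server code.
# Assumptions: WAN interface eth0, remote sites reach the server as 10.0.0.0/8.
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.0.0.0/8}"

# Forwarded packets from the tunnels that would leave via the WAN interface are
# dropped. Packets for the LAN leave via the internal interface, and packets
# for the server itself go through INPUT, so neither is affected.
rule_spec() {
    printf 'FORWARD -s %s -o %s -j DROP' "$VPN_NET" "$WAN_IF"
}

# Idempotent apply: insert only if the rule is not already present. Without a
# position, -I puts it first, ahead of the masquerade ACCEPT rules.
apply_rule() {
    spec=$(rule_spec)
    if iptables -C $spec 2>/dev/null; then
        echo "rule already present: $spec"
    else
        iptables -I $spec && echo "inserted: $spec"
    fi
}

# Show how many packets the rule has dropped, to confirm it is matching.
show_counters() {
    iptables -L FORWARD -v -n --line-numbers | grep "$VPN_NET" | grep DROP
}
```

SME Server regenerates its masq firewall from e-smith templates, so a rule inserted by hand is lost the next time the firewall is rebuilt; for a persistent rule the same line belongs in a custom template fragment under /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/ (path given as an assumption).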
Title: Re: How to prevent site to site OpenVPN connections from accessing server WAN
Post by: Daniel B. on November 14, 2017, 11:16:13 PM
You should give some more details about your setup. Yes, clients connected through s2s are masqueraded and allowed to pass through, but SME can't be the default gateway of your clients on the remote site (at best, their default gateway is the router which establishes the tunnel with SME). So, how does their traffic reach SME in the first place? Is your concern about bandwidth consumption?