Firewalling a /16 OpenVPN network into /24 "subnets"
Introduction
This page describes how nftables was used to control client-to-client connections between OpenVPN clients with addresses in 172.16.x.0/24, where x was unique to each organisation.
- All clients were allowed to ping the OpenVPN server for diagnostics
- Support staff's computers were allowed to connect to their own organisation's computers and the computers of organisations they support
- All clients in an organisation were allowed to connect to other clients in the same organisation
Related documents
- https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/
- https://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/
The solution
Illustrative excerpts from /etc/nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    set aurinoco_support {
        type ipv4_addr
        elements = {
            172.16.0.5,
            ...
        }
    }
    ...
    set blue.av {
        type ipv4_addr
        elements = {
            172.16.3.1,
            ...
        }
    }
    ...
    chain input {
        type filter hook input priority 0;
        # Drop ICMP echo-request (ping) when greater than one per second
        ip protocol icmp icmp type echo-request limit rate 1/second accept
        ip protocol icmp icmp type echo-request counter drop
        # Allow all OpenVPN clients to ping the OpenVPN server (for diagnostics):
        # echo-requests are already accepted (rate-limited) above; also accept
        # echo-replies, then drop anything else clients send to the server's VPN address
        ip saddr 172.16.0.0/16 ip daddr 172.16.0.1 icmp type echo-reply accept
        ip saddr 172.16.0.0/16 ip daddr 172.16.0.1 drop
    }
    chain forward {
        # Drop all packets unless a rule below does differently
        type filter hook forward priority 0; policy drop
        # Allow traffic from established and related packets
        ct state established,related accept
        # Drop invalid packets
        ct state invalid drop
        # Allow loopback traffic
        iifname lo accept
        # Allow support computers to connect to the clients their users support
        ...
        ip saddr @aurinoco_support ip daddr @blue.av accept
        ...
        # Allow each organisation's computers to connect to others in the same organisation
        ...
        ip saddr @blue.av ip daddr @blue.av accept
        ...
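Hand-maintaining one set per organisation and one accept rule per (support set, organisation) pair gets error-prone as the number of organisations grows. The Python script below is an added example, not the page's own config or tooling: it generates a ruleset of the same shape from a small allocation table and simulates the forward chain's verdict for a new flow so the policy can be checked before it is loaded. It assumes organisation x owns 172.16.x.0/24 (as the title suggests) and uses sets with `flags interval` so each organisation is one prefix element rather than a list of hosts. The set names `aurinoco_support`, `blue.av` and the host 172.16.0.5 come from the page; `green.example`, 172.16.0.6 and all function names are constructed for the example.

```python
#!/usr/bin/env python3
"""Generate and check an nftables ruleset that splits a /16 OpenVPN network
into per-organisation /24 ranges (added example; not the page's own config)."""
import ipaddress

VPN_NET = ipaddress.ip_network("172.16.0.0/16")   # the OpenVPN client range
SERVER = ipaddress.ip_address("172.16.0.1")       # the OpenVPN server's VPN address

# Constructed sample allocation: organisation (set name) -> x in 172.16.x.0/24.
# "aurinoco" and "blue.av" come from the page; "green.example" is made up.
ORGS = {
    "aurinoco": 0,
    "blue.av": 3,
    "green.example": 7,
}

# Constructed sample: support set name -> its hosts and the organisations it supports.
# 172.16.0.5 is from the page; 172.16.0.6 is made up.
SUPPORT = {
    "aurinoco_support": {
        "hosts": ["172.16.0.5", "172.16.0.6"],
        "supports": ["blue.av", "green.example"],
    },
}


def org_subnet(x):
    """Return the /24 carved out of VPN_NET for organisation number x."""
    subnets = list(VPN_NET.subnets(new_prefix=24))   # 256 subnets for a /16
    if not 0 <= x < len(subnets):
        raise ValueError(f"organisation number {x} does not fit in {VPN_NET}")
    return subnets[x]


def validate(orgs, support):
    """Refuse allocations that would silently widen the policy."""
    if len(set(orgs.values())) != len(orgs):
        raise ValueError("two organisations share the same /24")
    for name, spec in support.items():
        for host in spec["hosts"]:
            if ipaddress.ip_address(host) not in VPN_NET:
                raise ValueError(f"{name}: {host} is outside {VPN_NET}")
        for org in spec["supports"]:
            if org not in orgs:
                raise ValueError(f"{name}: unknown organisation {org!r}")


def render_ruleset(orgs=ORGS, support=SUPPORT):
    """Emit the nftables config as text, in the same shape as the page's /etc/nftables.conf."""
    validate(orgs, support)
    out = ["#!/usr/sbin/nft -f", "flush ruleset", "table inet filter {"]
    for name, x in orgs.items():
        # 'flags interval' lets the set hold a prefix instead of every host address
        out += [f"    set {name} {{", "        type ipv4_addr", "        flags interval",
                f"        elements = {{ {org_subnet(x)} }}", "    }"]
    for name, spec in support.items():
        out += [f"    set {name} {{", "        type ipv4_addr",
                f"        elements = {{ {', '.join(spec['hosts'])} }}", "    }"]
    out += [
        "    chain input {",
        "        type filter hook input priority 0;",
        "        ip protocol icmp icmp type echo-request limit rate 1/second accept",
        "        ip protocol icmp icmp type echo-request counter drop",
        f"        ip saddr {VPN_NET} ip daddr {SERVER} icmp type echo-reply accept",
        f"        ip saddr {VPN_NET} ip daddr {SERVER} drop",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for name, spec in support.items():          # support staff -> supported organisations
        for org in spec["supports"]:
            out.append(f"        ip saddr @{name} ip daddr @{org} accept")
    for name in orgs:                            # each organisation -> itself
        out.append(f"        ip saddr @{name} ip daddr @{name} accept")
    out += ["    }", "}"]
    return "\n".join(out) + "\n"


def forward_allowed(src, dst, orgs=ORGS, support=SUPPORT):
    """Simulate the forward chain's verdict for the first packet of a new flow:
    True only if a support rule or a same-organisation rule accepts it; the
    policy-drop default covers everything else."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    subnets = {name: org_subnet(x) for name, x in orgs.items()}
    for spec in support.values():
        if s in map(ipaddress.ip_address, spec["hosts"]):
            if any(d in subnets[org] for org in spec["supports"]):
                return True
    return any(s in net and d in net for net in subnets.values())


if __name__ == "__main__":
    print(render_ruleset())
    for pair in [("172.16.0.5", "172.16.3.10"), ("172.16.3.1", "172.16.3.9"),
                 ("172.16.3.1", "172.16.0.5"), ("172.16.0.9", "172.16.3.1")]:
        print(pair, "accept" if forward_allowed(*pair) else "drop")
```

The generated text can be checked without touching the live ruleset with `nft -c -f <file>`, and `forward_allowed` gives the answer to the question a reviewer of the allocation table actually asks: "can this host reach that one?" Note that a support host also belongs to its own organisation's /24, so it reaches colleagues through the same-organisation rule, while an ordinary host in the support staff's organisation (172.16.0.9 in the sample) cannot reach a supported organisation.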