
Client-specific options and ifconfig-push

Discussion in 'Tomato Firmware' started by Diamantregen, Oct 6, 2010.

  1. Diamantregen

    Diamantregen Networkin' Nut Member

    [VPN] Client-specific options and ifconfig-push

    Hello,

    I have successfully setup a connection between my OpenVPN server (running on Tomato router) and a client. The client now can access all computers of the LAN that is behind the Tomato router.

    But the goal is to allow the client only to access some of those computers, not all. Actually the example on http://www.openvpn.net/index.php/open-source/documentation/howto.html#policy describes that very well. The question is how to set that (e.g. ifconfig-push) in Tomato, maybe in the "Client-specific options"?

    Please help to shed some light on this, thanks :)
     
  2. Diamantregen

    Diamantregen Networkin' Nut Member

  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think you'll want to approach this by adding firewall rules. In the TomatoVPN server settings, set the "Firewall" option to "custom" and add the following to your firewall script:

    Code:
    # Let the VPN server's own port in (the nvram protocol value may carry a suffix such as -server; sed strips it)
    iptables -t nat -I PREROUTING -p `nvram get vpn_server1_proto | sed 's/-.*$//'` --dport `nvram get vpn_server1_port` -j ACCEPT
    iptables -I INPUT -p `nvram get vpn_server1_proto | sed 's/-.*$//'` --dport `nvram get vpn_server1_port` -j ACCEPT
    # Traffic from the tunnel interface (tun21 or tap21) to the router itself is allowed
    iptables -I INPUT -i `nvram get vpn_server1_if`21 -j ACCEPT
    # Forwarding from the tunnel into the LAN is dropped by default...
    iptables -I FORWARD -i `nvram get vpn_server1_if`21 -j DROP
    # ...then one ACCEPT per permitted LAN host; -I inserts at the top, so these land above the DROP
    iptables -I FORWARD -i `nvram get vpn_server1_if`21 -d <goodip> -j ACCEPT
    iptables -I FORWARD -i `nvram get vpn_server1_if`21 -d <goodip> -j ACCEPT
    iptables -I FORWARD -i `nvram get vpn_server1_if`21 -d <goodip> -j ACCEPT
    iptables -I FORWARD -i `nvram get vpn_server1_if`21 -d <goodip> -j ACCEPT
    replacing <goodip> with the ip addresses of any computers on the server LAN you want available to the VPN clients.
     
  4. Diamantregen

    Diamantregen Networkin' Nut Member

    Hi SgtPepperKSU,

    Thanks for your reply. So I guess TomatoVPN doesn't really support this feature (yet), right? :tongue:

    The firewall approach is a workaround that seems to work per VPN server, but not per client connecting to the VPN server :redface:.

    It would be really great if TomatoVPN could add this feature in the future.

    Thanks!
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, I didn't realize that you wanted different restrictions for different clients.

    If you want to do as that HOWTO suggests, putting the different clients into different VPN subnets, it can't currently be done completely in the GUI. However, you could create a "client-connect" script that adds the ifconfig-push based on the common name that is passed to it. If you want more details on this, let me know.
     
  6. Diamantregen

    Diamantregen Networkin' Nut Member

    Hi SgtPepperKSU,

    Too bad, I just saw your reply now. Sure, it would be interesting to know more about such a script. It could prove useful for everyone being in the same situation. Thanks!
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    client-connect scripts are run whenever a client connects (go figure). They can check the CommonName and add (certain) directives to the config that are specific to that client.

    For example (a completely off-the-cuff, untested example), to do what the HOWTO you linked suggests, but using client-connect rather than CCD (since that's already used for the client-specific options table):

    Code:
    #!/bin/sh
    # client-connect script: OpenVPN runs it with the temporary per-client
    # config file as $1 and the certificate's common name in $common_name.
    case $common_name in
      sysadmin1)
        echo "ifconfig-push 10.8.1.1 10.8.1.2" >> "$1"
        ;;
      contractor1)
        echo "ifconfig-push 10.8.2.1 10.8.2.2" >> "$1"
        ;;
      contractor2)
        echo "ifconfig-push 10.8.2.5 10.8.2.6" >> "$1"
        ;;
      *)
        # unknown common name: a non-zero exit makes OpenVPN refuse the client
        exit 1
        ;;
    esac
    exit 0
    
     

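Added example, not SgtPepperKSU's script and not code from Tomato or OpenVPN: a client-connect script that generalizes the case statement in post 7 and, in the same file, produces the per-subnet FORWARD rules that complete the policy scheme from post 3 (restrict each VPN subnet to its own LAN hosts instead of restricting the whole tunnel). The /30 pairs follow the topology net30 rule from the HOWTO (client gets .4n+1, server endpoint .4n+2, which is why contractor2 gets .5/.6), so they are computed from a slot number rather than typed per client, and a common name missing from the table is refused rather than falling into the default address pool. The common names, group names, the 10.8.1.0 and 10.8.2.0 subnets, the LAN hosts and the tun21 interface name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato/OpenVPN.
# client-connect script: OpenVPN runs it with the per-client config file
# as $1 and the certificate's common name in $common_name.
# Table, subnets, LAN hosts and the tun21 name are constructed assumptions.

# Constructed client table: common_name  group  slot
# Each slot is one /30 inside the group's subnet (topology net30).
CLIENT_TABLE='
sysadmin1   sysadmin   0
contractor1 contractor 0
contractor2 contractor 1
'

# Group -> first three octets of that group's VPN subnet (assumed values).
subnet_for_group() {
    case $1 in
        sysadmin)   echo 10.8.1 ;;
        contractor) echo 10.8.2 ;;
        *)          return 1 ;;
    esac
}

# LAN hosts each group may reach (assumed values).
allowed_hosts_for_group() {
    case $1 in
        sysadmin)   echo "192.168.1.0/24" ;;
        contractor) echo "192.168.1.10 192.168.1.11" ;;
        *)          return 1 ;;
    esac
}

# Prints "group slot" for a listed common name; returns 1 otherwise.
lookup_client() {
    while read -r name group slot; do
        case $name in ''|'#'*) continue ;; esac
        if [ "$name" = "$1" ]; then
            echo "$group $slot"
            return 0
        fi
    done <<EOF
$CLIENT_TABLE
EOF
    return 1
}

# net30 pairing: slot n of prefix.0/24 is the /30 prefix.4n .. prefix.4n+3,
# so the client gets .4n+1 and the server endpoint .4n+2 (slot 1 -> .5 .6).
pair_for_slot() {
    prefix=$1 slot=$2
    case $slot in ''|*[!0-9]*) return 1 ;; esac   # digits only
    [ "$slot" -le 63 ] || return 1               # 64 /30s fit in a /24
    echo "$prefix.$((slot * 4 + 1)) $prefix.$((slot * 4 + 2))"
}

# The ifconfig-push line for one common name; returns 1 for unknown names.
client_config_line() {
    entry=$(lookup_client "$1") || return 1
    set -- $entry                                # $1=group $2=slot
    prefix=$(subnet_for_group "$1") || return 1
    pair=$(pair_for_slot "$prefix" "$2") || return 1
    echo "ifconfig-push $pair"
}

# Append the client's line to the config file OpenVPN will read back.
write_client_config() {
    line=$(client_config_line "$1") || return 1
    echo "$line" >> "$2"
}

# The firewall half: FORWARD rules restricting one group's subnet to its
# allowed LAN hosts. Printed rather than executed so they can be reviewed and
# pasted into Tomato's custom firewall script; -I puts later lines on top, so
# the DROP is emitted first and the ACCEPTs end up above it.
forward_rules_for_group() {
    prefix=$(subnet_for_group "$1") || return 1
    hosts=$(allowed_hosts_for_group "$1") || return 1
    echo "iptables -I FORWARD -i $2 -s $prefix.0/24 -j DROP"
    for h in $hosts; do
        echo "iptables -I FORWARD -i $2 -s $prefix.0/24 -d $h -j ACCEPT"
    done
}

# Entry point when invoked by OpenVPN; a non-zero exit refuses the client.
if [ $# -ge 1 ] && [ -n "$common_name" ]; then
    write_client_config "$common_name" "$1" || exit 1
fi
```

To use it on the router, the script would need to live somewhere persistent (JFFS, for instance, an assumption about the setup) and be referenced with a client-connect directive in the server's custom configuration; `forward_rules_for_group contractor tun21` prints the three rules for the contractor subnet, which go into the custom firewall script alongside the INPUT rules from post 3. Keying access on the common name only works as intended when every client has its own certificate, since two clients sharing one certificate share one entry in the table.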