
How to prevent a single client to access a certain subnet in OpenVPN

Discussion in 'Tomato Firmware' started by sunsina, Mar 19, 2014.

  1. sunsina

    sunsina Reformed Router Member

    I made an openvpn tunnel (TUN) on tun21 between my work place ( and a remote user.
    The OpenVPN server is on TomatoShibby AIO-116 ( and its WAN is connected to my workplace internet.

    There are at least three (types) of clients that are supposed to connect to the OpenVPN server which resides in my workplace.

    Just at the beginning let's assume every client is one person with a static IP address on the tun network (
    then I might consider more clients for each type (translates to dynamic IP addresses with different subnets 10.8.t.0/24 t=1,2,3)

    Just assume we have a client for each of the types
    First client has CN (common name) client_remote ( and it resides far away but its internet is forwarded from WorkPlace OpenVpn server (its tun11 address is static

    Second client has CN client_user ( and it also resides far away, but it should use its own internet (its tun11 address is static

    Third client has CN client_admin ( and it also resides far away but its internet must come from workplace (its tun11 address is static

    The client_admin, client_user and client_remote .ovpn config files have the following options:
    proto tcp-server

    For simplification (since I am going to add more users in those three different categories user, admin and extra) I enabled the following options on the server side (not in the client custom file):
    push "redirect-gateway def1"
    push "dhcp-option DNS"

    What I want to do is to allow the following privileges:

    1- client_extra can connect to the openvpn server side but not to and the internet must come from workplace ( gw)
    2- client_user can connect to and but not (client_admin) and the internet of client_user must not come from workplace ( gw) [uses its own internet].
    3- client_admin can connect to and and ( but not the internet of client_admin must come from workplace ( gw).

    I have googled a lot and I read that setting client-to-client and bridged mode is not recommended,
    and setting the firewall automatically is not advised and I have to make my own firewall rules.

    But I will get into trouble if any of the groups (admin, users, extra) grows in number; maybe using different subnets such as 10.8.0.x, 10.8.1.x, 10.8.2.x is advised, but in fact I do not know how to set up the iptables or ebtables configuration for every subnet to make that possible.
    So I have an iptables firewall setting problem that I could not figure out how to implement.

    And by the way, can I put the following lines
    push "redirect-gateway def1"
    push "dhcp-option DNS"

    separately in a ccd (custom config file) for every client that I want to get internet from workplace?

    Any help is really appreciated.
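One way to express that per-group policy in a Tomato "Firewall" script, as an added example that is not from this thread nor from Tomato or OpenVPN; the address ranges, interface names and the DNS address are assumed placeholders, since the thread's own addresses are not shown:

```shell
#!/bin/sh
# Added example, not from the thread: a Tomato "Firewall" script that confines each
# OpenVPN client group, identified by its tun21 address range, to its own destinations.
# Assumed placeholders (the thread's addresses are not shown): the server runs with
# "topology subnet" and pool 10.8.0.0/16, the groups sit in 10.8.1.0/24 (extra),
# 10.8.2.0/24 (user) and 10.8.3.0/24 (admin), the workplace LAN is 192.168.1.0/24
# and the WAN device is vlan2. "client-to-client" must stay off: with it on, OpenVPN
# switches client-to-client traffic internally and the FORWARD rules never see it.
IPT="${IPT:-iptables}"   # set IPT=echo to preview the rules without applying them
VPN_IF=tun21; WAN_IF=vlan2; LAN_NET=192.168.1.0/24
EXTRA_NET=10.8.1.0/24; USER_NET=10.8.2.0/24; ADMIN_NET=10.8.3.0/24

vpn_rules() {
    # Keep the policy in its own chain so it can be flushed and reloaded cleanly
    $IPT -N VPN_ACL 2>/dev/null
    $IPT -F VPN_ACL
    $IPT -D FORWARD -i "$VPN_IF" -j VPN_ACL 2>/dev/null
    $IPT -I FORWARD -i "$VPN_IF" -j VPN_ACL
    # Replies to flows that were allowed in the other direction (e.g. admin -> user)
    $IPT -A VPN_ACL -m state --state ESTABLISHED,RELATED -j ACCEPT
    # admin: LAN, every other client, and Internet through the workplace WAN
    $IPT -A VPN_ACL -s "$ADMIN_NET" -j ACCEPT
    # user: LAN and the "extra" clients only; no admin clients and no workplace WAN,
    # so a stray default route cannot leak this group's Internet traffic via the office
    $IPT -A VPN_ACL -s "$USER_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -A VPN_ACL -s "$USER_NET" -d "$EXTRA_NET" -j ACCEPT
    # extra: Internet through the workplace WAN only; no LAN and no other clients
    # (reaching the router itself is governed by the INPUT chain, not by this chain)
    $IPT -A VPN_ACL -s "$EXTRA_NET" -o "$WAN_IF" -j ACCEPT
    # Default deny for anything a group was not explicitly granted above
    $IPT -A VPN_ACL -j DROP
    # NAT for the VPN clients that are allowed out to the Internet
    $IPT -t nat -D POSTROUTING -s 10.8.0.0/16 -o "$WAN_IF" -j MASQUERADE 2>/dev/null
    $IPT -t nat -A POSTROUTING -s 10.8.0.0/16 -o "$WAN_IF" -j MASQUERADE
}

# Per-client ccd file for a client whose Internet must go through the workplace,
# e.g. ccd/client_admin (OpenVPN accepts push and ifconfig-push in ccd files, so the
# global push "redirect-gateway def1" can be dropped from the server config; the DNS
# address is an assumed placeholder):
#   ifconfig-push 10.8.3.10 255.255.0.0
#   push "redirect-gateway def1"
#   push "dhcp-option DNS 192.168.1.1"

# Apply on the router; anywhere else only print what would be applied
[ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1 || IPT=echo
vpn_rules
```

Clients in the user group get no redirect-gateway push at all, and the VPN_ACL chain drops their traffic towards the WAN even if a client adds a default route itself.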
  2. eibgrad

    eibgrad Addicted to LI Member

    This makes no sense. You're defining a bridged (tap) OpenVPN tunnel on the server (server-bridge), but defining routed (tun) tunnels on the OpenVPN clients (10.8.x.0). These must be consistent between the client and server.
  3. sunsina

    sunsina Reformed Router Member

    Thanks for your reply,
    In my configuration on both server and client sides I did not use a TAP device (everything is TUN).
