How to Setup OpenVPN with 2 instances on the same machine and setup iptables with special rules

I have a server with OpenVPN and 2 instances: one instance for my friends and one instance only for me and my family.
The first instance, for my friends, is tun0 and has the IP range 192.168.243.0/24.
The second instance, for me and my family, is tun1 and has the IP range 192.168.244.0/24.

I'd like to get the following:

The users from .243 are not allowed to access users on .244, and the users on .243 are also not allowed to access each other.

The users from .244 are allowed to access all users on .243 and on .244.

I have the following:

Users from .243 cannot access users on .243 (they get rejected; that's OK!), but they can access users on .244 (that is not OK), and this is the problem that I cannot fix myself.

Users from .244 can access users on .244 and on .243. That's both OK! This is what I want for .244 users!

This is my config:

iptables-save

# Generated by iptables-save v1.4.14 on Tue Feb 14 06:12:35 2017
*nat
:PREROUTING ACCEPT [35:2407]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [9:569]
:POSTROUTING ACCEPT [9:569]
-A POSTROUTING -s 192.168.244.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 14 06:12:35 2017
# Generated by iptables-save v1.4.14 on Tue Feb 14 06:12:35 2017
*filter
:INPUT DROP [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [94170:8476388]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12333:12339 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 13289:13290 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22111:22124 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i eth0 -o tun1 -j ACCEPT
-A FORWARD -i tun1 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.243.0/24 -i tun1 -j ACCEPT
-A FORWARD -d 192.168.244.0/24 -i tun1 -j ACCEPT
-A FORWARD -d 192.168.244.0/24 -i tun0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A FORWARD -j REJECT
COMMIT
# Completed on Tue Feb 14 06:12:35 2017

ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 26:c9:76:7c:d9:d7 brd ff:ff:ff:ff:ff:ff
    inet xxx.xx.xx.xxx/20 brd xxx.xx.xx.xxx scope global eth0
    inet 10.16.0.7/16 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 56:b6:af:4b:b4:0f brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 192.168.243.1/24 brd 192.168.243.255 scope global tun0
5: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 192.168.244.1/24 brd 192.168.244.255 scope global tun1

ip route show

default via xxx.xx.xxx.x dev eth0
10.16.0.0/16 dev eth0  proto kernel  scope link  src 10.16.0.7
xxx.xx.xxx.x/20 dev eth0  proto kernel  scope link  src xxx.xx.xxx.xxx
192.168.243.0/24 dev tun0  proto kernel  scope link  src 192.168.243.1
192.168.244.0/24 dev tun1  proto kernel  scope link  src 192.168.244.1

OpenVPN tun0

port 12338
proto tcp-server
dev tun0
tls-auth ta.key 0
topology subnet
server 192.168.243.0 255.255.255.0
push "route 192.168.244.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /home/gabberhead/ccd
group openvpn
keepalive 10 60
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
persist-key
persist-tun
status clients-status.log
log clients.log
verb 3
mute 15

OpenVPN tun1

port 12339
proto tcp-server
dev tun1
tls-auth ta.key 0
topology subnet
server 192.168.244.0 255.255.255.0
push "route 192.168.243.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /home/gabberhead/ccd
group openvpn
keepalive 10 60
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
remote-cert-tls client
persist-key
persist-tun
status openvpn-status1.log
log openvpn1.log
verb 3
mute 15

gabberhead

Posted 2017-02-14T14:03:14.523


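The FORWARD rules as posted, next to a replacement ruleset that implements the stated policy (tun1 may initiate anything, tun0 gets only return traffic), run through a small first-match model of the FORWARD chain. This is an added example, not the poster's code; the replacement rules and the sample client addresses are assumptions, and the model only matches on the options these rules actually use.

```python
import ipaddress

def parse_rule(line):
    """Parse an iptables-save style '-A FORWARD ...' line into match criteria."""
    tok = line.split()
    keys = {"-i": "in", "-o": "out", "-d": "dst", "-p": "proto", "--ctstate": "ct", "-j": "target"}
    r = {k: tok[i + 1] for i, t in enumerate(tok) if (k := keys.get(t))}
    if "dst" in r: r["dst"] = ipaddress.ip_network(r["dst"])
    if "ct" in r: r["ct"] = set(r["ct"].split(","))
    return r

def forward_verdict(rules, in_if, out_if, dst, proto="tcp", ct="NEW", policy="DROP"):
    """First matching rule wins, as in the kernel; otherwise the chain policy applies."""
    dst_ip = ipaddress.ip_address(dst)
    for r in map(parse_rule, rules):
        if r.get("in", in_if) != in_if or r.get("out", out_if) != out_if:
            continue
        if "dst" in r and dst_ip not in r["dst"]:
            continue
        if r.get("proto", proto) != proto or ct not in r.get("ct", {ct}):
            continue
        return r["target"]
    return policy

# FORWARD rules exactly as posted in the question.
POSTED = [
    "-A FORWARD -p icmp -j ACCEPT",
    "-A FORWARD -i eth0 -o tun1 -j ACCEPT",
    "-A FORWARD -i tun1 -o eth0 -j ACCEPT",
    "-A FORWARD -d 192.168.243.0/24 -i tun1 -j ACCEPT",
    "-A FORWARD -d 192.168.244.0/24 -i tun1 -j ACCEPT",
    "-A FORWARD -d 192.168.244.0/24 -i tun0 -j ACCEPT",  # lets friends reach the family subnet
    "-A FORWARD -j REJECT",
]

# Suggested replacement (assumption, not from the question): replies to connections the
# family side opened are accepted by conntrack, so no '-i tun0' accept rule is needed.
FIXED = [
    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i eth0 -o tun1 -j ACCEPT",
    "-A FORWARD -i tun1 -j ACCEPT",
    "-A FORWARD -j REJECT",
]

def policy_holds(rules):
    """True if the ruleset gives the isolation the question asks for (sample client IPs are constructed)."""
    v = lambda i, o, d, **kw: forward_verdict(rules, i, o, d, **kw)
    blocked = v("tun0", "tun1", "192.168.244.10") != "ACCEPT" and v("tun0", "tun0", "192.168.243.10") != "ACCEPT"
    allowed = (v("tun1", "tun0", "192.168.243.10") == v("tun1", "tun1", "192.168.244.11")
               == v("tun0", "tun1", "192.168.244.10", ct="ESTABLISHED") == "ACCEPT")
    return blocked and allowed
```

Because neither instance sets `client-to-client`, OpenVPN hands traffic between clients of the same instance to the kernel, which is why the FORWARD chain sees .243-to-.243 packets at all; note that the posted `-p icmp` accept rule sits before everything else and so still lets tun0 ping tun1, which the replacement drops.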