OpenVPN: Allow specific clients to reach only a specific LAN behind the OpenVPN-Server

2

I have an OpenVPN server running on an Ubuntu 18.04 machine and various OpenVPN clients connecting to that server. Some of those clients are routers, each of which has a 192.168.0.0/24 LAN behind it. The other clients are Windows, macOS and iOS devices.

The goal is that specific (Windows, macOS or iOS) clients can only reach a specific LAN (behind a router OpenVPN client). For example, a certain iPhone should only be able to reach LAN_1 via the OpenVPN server, while another iPhone must always be connected to LAN_2 only, etc.

  • How do I establish that distinction?

I have already created the directory /etc/openvpn/ccd and added text files with the names of the LANs. Since each of these files contains the line iroute 192.168.0.0 255.255.255.0, there is no distinction yet other than the name.

  • Is it somehow possible to achieve my goal by using client profiles with the exact same names?
  • Can this access limitation be based on client profiles rather than devices such that a specific iPhone can be connected to LAN_1 as well as LAN_2, depending on which client profile is activated?

ci7i2en4

Posted 2019-09-16T11:28:34.157

Reputation: 121

Answers

0

Each client would connect to your server through their router, so clientA and clientB behind routerX would appear to come from the same place.

I assume you can't use some rules for certain users based on your question. If some design choice means you want to keep the same concept that is in your question, then you can assign static IPs to clients in OpenVPN; you could then apply rules to those IPs to be allowed through to your specific VPN.

user1085183

Posted 2019-09-16T11:28:34.157

Reputation:

The OpenVPN server logs all clients that have connected at least once in /var/log/openvpn/ipp.txt. This ensures that every client gets assigned the same VPN IP address on reconnect that it had the last time. Maybe it is possible, for example, to create a route from iPhone-10.8.0.6 to router-10.8.0.12, if the iPhone with a given OpenVPN client profile is only allowed to access the LAN behind that router? And if another profile is activated on the same iPhone, then it would get a different VPN IP address from the server that I could then route to another LAN behind another router?! – ci7i2en4 – 2019-09-17T08:57:47.113

Are you suggesting that clientA connects through routerM to routerX to clientJ, but if clientA is going through routerN then clientA can't reach clientJ? If so, you can use rules to assign the IP (either static if it comes from the right router, or else from a pool of dynamic addresses) and then allow certain rules based on where the IP range is. That said, if this is the situation it might be quicker to take a step back and see if you can't configure a much less complex way of doing this. – None – 2019-09-17T09:43:24.117

The networks behind the routers are completely independent of each other and no device from one LAN can reach any devices in another LAN! If OpenVPN client profile A is activated on an iPhone, it should be able to reach all devices in network A (behind the network's router) via the OpenVPN server. If instead client profile B is activated on the same iPhone, then it should be able to only reach all the devices in network B. No connections between network A and B (which both have the address pool 192.168.0.0/24)! – ci7i2en4 – 2019-09-17T10:59:44.513

0

I found a solution to my problem but I must add that it is far from ideal.

I found out that it is possible to have multiple OpenVPN server instances on a single machine by simply adding multiple server.conf config files to the /etc/openvpn directory. Then, OpenVPN creates a virtual tun interface for every instance, and all that I had to do was choose a new VPN subnet and port number for every instance.


Now, every router VPN client will connect to a unique subnet (OpenVPN server instance), and every client profile on iPhones, MacBooks, etc. will do the same. Thus, by activating a certain client profile I effectively choose a certain subnet.

ci7i2en4

Posted 2019-09-16T11:28:34.157

Reputation: 121
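As an added example (not code from the original question or either answer), the script below generates the "one server instance per LAN" layout the accepted answer describes, and also uses the per-client config directory to assign the router clients static VPN addresses as the first answer suggests. Instance names (lan1, lan2), ports (1194, 1195), VPN subnets (10.8.1.0/24, 10.8.2.0/24), certificate common names (router-lan1, iphone-a, ...) and the pki/ file layout are assumptions for illustration. It writes into a scratch directory by default so it can be inspected as a non-root user; set CONF_ROOT=/etc/openvpn on the real server.

```shell
#!/bin/sh
# One OpenVPN server instance per LAN. Each instance gets its own port,
# its own VPN subnet and its own client-config-dir, so the two
# overlapping 192.168.0.0/24 LANs never share a routing table.
# All names, ports and subnets below are assumptions, not from the post.

CONF_ROOT="${CONF_ROOT:-$(mktemp -d)}"   # use /etc/openvpn on a real host

# gen_instance NAME PORT VPN_SUBNET ROUTER_CN CLIENT_CN...
# Writes $CONF_ROOT/NAME.conf (started by systemd as openvpn@NAME) plus a
# client-config-dir holding one file per client certificate CN.
gen_instance() {
  name=$1; port=$2; subnet=$3; router_cn=$4
  shift 4
  ccd="$CONF_ROOT/ccd-$name"
  mkdir -p "$ccd"
  cat > "$CONF_ROOT/$name.conf" <<EOF
# OpenVPN server instance "$name"
port $port
proto udp
dev tun
topology subnet
server $subnet 255.255.255.0
# Kernel route for the LAN behind this instance's router client.
route 192.168.0.0 255.255.255.0
client-config-dir $ccd
# Only CNs with a file in $ccd may authenticate on this port, so a
# profile issued for the other LAN is rejected even though both
# instances are signed by the same CA.
ccd-exclusive
ifconfig-pool-persist $CONF_ROOT/ipp-$name.txt
ca $CONF_ROOT/pki/ca.crt
cert $CONF_ROOT/pki/server-$name.crt
key $CONF_ROOT/pki/server-$name.key
dh $CONF_ROOT/pki/dh.pem
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/status-$name.log
verb 3
EOF
  # Router client: fixed VPN address (.2 of the subnet) and the iroute
  # that tells OpenVPN which client owns 192.168.0.0/24 on this instance.
  {
    printf 'ifconfig-push %s.2 255.255.255.0\n' "${subnet%.0}"
    printf 'iroute 192.168.0.0 255.255.255.0\n'
  } > "$ccd/$router_cn"
  # Plain clients (phones, laptops): push the LAN route to them only, so
  # the router client never receives a route for its own LAN.
  for cn in "$@"; do
    printf 'push "route 192.168.0.0 255.255.255.0"\n' > "$ccd/$cn"
  done
}

# Helpers to inspect the generated layout.
instance_port()   { awk '$1=="port"{print $2}'   "$CONF_ROOT/$1.conf"; }
instance_subnet() { awk '$1=="server"{print $2}' "$CONF_ROOT/$1.conf"; }
# has_iroute NAME CN: true if CN announces the LAN to instance NAME.
has_iroute() { grep -q '^iroute 192.168.0.0 ' "$CONF_ROOT/ccd-$1/$2" 2>/dev/null; }
# allowed NAME CN: true if ccd-exclusive would admit CN on instance NAME.
allowed() { [ -f "$CONF_ROOT/ccd-$1/$2" ]; }

# Two instances: profile "iphone-a" only exists on lan1, "iphone-b" on lan2.
gen_instance lan1 1194 10.8.1.0 router-lan1 iphone-a
gen_instance lan2 1195 10.8.2.0 router-lan2 iphone-b
echo "generated under $CONF_ROOT"
```

The two client profiles for the same phone then differ only in the `remote` line (`remote vpn.example.com 1194` versus `... 1195`) and in which certificate they carry; because of `ccd-exclusive`, a certificate listed under ccd-lan1 cannot simply be pointed at port 1195 to reach LAN_2. On the server, enable IP forwarding (`net.ipv4.ip_forward=1`) and start both instances with `systemctl enable --now openvpn@lan1 openvpn@lan2`.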