Preventing OpenVPN clients from seeing each other

Listing existing rules

sudo docker exec -it dockovpn_dockovpn_1 bash
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW,ESTABLISHED udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  10.8.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED udp spt:openvpn
ACCEPT     all  --  anywhere             anywhere

Determining the name of the tun interface

ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:12:00:02
          inet addr:172.18.0.2  Bcast:172.18.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:16753345 (15.9 MiB)  TX bytes:17239533 (16.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:538 (538.0 B)  TX bytes:538 (538.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          inet6 addr: fe80::9b9a:3a27:e27:d0a2/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5723 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14642 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:1105878 (1.0 MiB)  TX bytes:15079872 (14.3 MiB)

Adding the rule

iptables -A FORWARD -i tun0 -o tun0 -j REJECT
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW,ESTABLISHED udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  10.8.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED udp spt:openvpn
ACCEPT     all  --  anywhere             anywhere

But I can still connect to a remote Windows 10 machine over RDP, because the appended REJECT sits after the blanket ACCEPT for tun0 and iptables stops at the first matching rule:

Moving REJECT before ACCEPT

sudo docker restart dockovpn_dockovpn_1
sudo docker exec -it dockovpn_dockovpn_1 bash
iptables -I FORWARD 1 -i tun0 -o tun0 -j REJECT
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW,ESTABLISHED udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  10.8.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED udp spt:openvpn
ACCEPT     all  --  anywhere             anywhere

RDP no longer connects:
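The difference between the two attempts above is purely rule order, which is easy to get wrong again after a container restart or a script change. The following added check (my own example, not part of the original post or of Dockovpn) reads `iptables -S FORWARD` output on stdin and reports whether a tun-to-tun REJECT/DROP rule exists and whether a broader ACCEPT that can match a NEW packet precedes it. The three sample rule sets are constructed to mirror the listings on this page (appended REJECT, inserted REJECT, no REJECT); the interface name and the helper names are my own choices.

```shell
#!/bin/sh
# Added example: verify that the client-isolation rule in the FORWARD chain is
# not shadowed by an earlier ACCEPT. Input is `iptables -S FORWARD` on stdin.
# Exit status: 0 = isolation effective, 1 = shadowed by an earlier ACCEPT,
# 2 = no tun->tun REJECT/DROP rule present.
check_isolation_order() {
  dev="${1:-tun0}"   # assumed TUN device name, tun0 as on this page
  awk -v dev="$dev" '
    $1 == "-A" && $2 == "FORWARD" {
      n++; in_dev = ""; out_dev = ""; target = ""; states = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i") in_dev = $(i + 1)
        else if ($i == "-o") out_dev = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
      }
      # first rule that blocks traffic entering and leaving the TUN device
      tun_to_tun = (in_dev == dev && out_dev == dev)
      if (tun_to_tun && (target == "REJECT" || target == "DROP") && !block) block = n
      # an ACCEPT shadows the block if it can match a NEW tun->tun packet:
      # no -i/-o restriction (or the TUN device itself) and not limited to
      # RELATED/ESTABLISHED state
      broad = (in_dev == "" || in_dev == dev) && (out_dev == "" || out_dev == dev)
      new_ok = (states == "" || index(states, "NEW") > 0)
      if (broad && new_ok && target == "ACCEPT" && !accept) accept = n
    }
    END {
      if (!block) exit 2
      if (accept && accept < block) exit 1
      exit 0
    }'
}

# Human-readable wrapper: prints ok / shadowed / missing.
isolation_verdict() {
  rc=0
  check_isolation_order "${1:-tun0}" || rc=$?
  case $rc in
    0) echo ok ;;
    1) echo shadowed ;;
    2) echo missing ;;
    *) echo error ;;
  esac
}

# Constructed samples mirroring the listings on this page (not captured output).
sample_appended() {   # REJECT appended with -A: matches the first "Adding the rule" listing
  cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o tun0 -j REJECT --reject-with icmp-port-unreachable
EOF
}

sample_inserted() {   # REJECT inserted with -I FORWARD 1: matches the fixed listing
  cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i tun0 -o tun0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

sample_missing() {    # no isolation rule at all
  cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Demo when run directly. Inside the container you would instead run:
#   iptables -S FORWARD | isolation_verdict tun0
echo "appended: $(sample_appended | isolation_verdict tun0)"
echo "inserted: $(sample_inserted | isolation_verdict tun0)"
echo "missing:  $(sample_missing | isolation_verdict tun0)"
```

The check deliberately ignores ACCEPT rules restricted to RELATED,ESTABLISHED, since a client-to-client flow can never reach that state once its first packet is rejected; it also ignores ACCEPTs bound to a different output interface such as eth0, which is exactly the rule that lets VPN clients reach the outside while staying isolated from each other.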

Managing the clients

Listing my clients on the host machine

ll /var/lib/dockovpn/clients/
total 16K
drwxr-xr-x 4 root root 4.0K Jan 27 00:36 ./
drwxr-xr-x 4 root root 4.0K Jan 23 18:18 ../
drwxr-xr-x 2 root root 4.0K Jan 27 00:36 XXXXXXXXXXxARRsABJ9H5URCi4b1vs9p/
drwxr-xr-x 2 root root 4.0K Jan 23 18:18 XXXXXXXXXXgYOgNAjXfOeAX6M7wz4oJX/

Generating the clients:

sudo docker exec dockovpn_dockovpn_1 ./genclient.sh
wget -O client.ovpn http://172.18.0.2:8080

Updating Docker container

I added the rule to scripts/start.sh, ahead of the ACCEPT rules for tun0 so that it is matched first:

# Replace variables in ovpn config file
sed -i 's/%HOST_TUN_PROTOCOL%/'"$HOST_TUN_PROTOCOL"'/g' /etc/openvpn/server.conf

# Allow ${HOST_TUN_PROTOCOL} traffic on port 1194.
iptables -A INPUT -i $ADAPTER -p ${HOST_TUN_PROTOCOL} -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
iptables -A OUTPUT -o $ADAPTER -p ${HOST_TUN_PROTOCOL} -m state --state ESTABLISHED --sport 1194 -j ACCEPT

# Prevent clients from seeing each other (must precede the tun0 ACCEPT rules below)
iptables -A FORWARD -i tun0 -o tun0 -j REJECT
# Allow traffic on the TUN interface.
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT

# Allow forwarding traffic only from the VPN.
iptables -A FORWARD -i tun0 -o $ADAPTER -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $ADAPTER -j MASQUERADE

Rebuild the image:

cd ~/dev/repos/dockovpn/
sudo docker build -t alekslitvinenk/openvpn-isolated .

docker-compose.yml:

version: '3'
services:
  dockovpn:
    image: alekslitvinenk/openvpn-isolated
    cap_add:
        - NET_ADMIN
    ports:
        - 1194:1194/udp # Expose tcp if you defined HOST_TUN_PROTOCOL=tcp
    environment:
        HOST_ADDR: ${HOST_ADDR}
    volumes:
        - /var/lib/dockovpn:/opt/Dockovpn_data
    restart: always

Run the container:

sudo docker-compose up -d
sudo docker inspect dockovpn_dockovpn_1 | grep IPAddress
wget -O client.ovpn http://172.18.0.2:8080
sudo docker exec -it dockovpn_dockovpn_1 bash
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW,ESTABLISHED udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  10.8.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED udp spt:openvpn
ACCEPT     all  --  anywhere             anywhere

2 Responses to Preventing OpenVPN clients from seeing each other

  1. dmitriano says:

    How long does it take for an iptables rule to apply?
    https://serverfault.com/questions/196702/how-long-does-it-take-for-an-iptables-rule-to-apply
    iptables rules take effect immediately.

  2. dmitriano says:

    Can't run iptables in Dockerfile
    https://stackoverflow.com/questions/71106635/cant-run-iptables-in-dockerfile
    Create a script that will be run on CMD or ENTRYPOINT or manually on container startup and in that script add commands that should affect the current container environment.
