如何限制Openvpn用户只能使用特定网段

如何限制Openvpn用户只能使用特定网段

我在 openvpn 服务器后面有三个段:DMZ(192.168.1.x)、Dev(192.168.2.x)和 PROD(192.168.3.x)。有两组用户:一组可以从 openvpn 连接到所有段,而我想将其他用户限制在 Dev 段。最好的方法是什么?

Openvpn 用户在10.10.11.x网络中被分配了IP地址。

答案1

最好的方法是给每个组自己的 /24 子网或拆分 10.10.11.0/24 并执行一些 iptables 魔法来阻止开发用户。

但我认为,如果您的网络支持,最好的做法是为每个子网添加 vlan 标记。在 openvpn 中为 dev 用户提供自己的 /24,然后设置一些防火墙规则,以仅允许 dev vlan 能够连接到某些其他 lan。

答案2

对于 openvpn 有一个名为的开关--learn-address,可用于生成规则......

在这个脚本中,您基本上要检查 CN 并为 IP 添加/删除 iptables 规则。

从 openvpn MAN 中提取:

  --learn-address cmd
          Run  script  or  shell  command  cmd  to validate client virtual
          addresses or routes.

          cmd will be executed with 3 parameters:

          [1] operation -- "add", "update", or "delete" based  on  whether
          or  not the address is being added to, modified, or deleted from
          OpenVPN's internal routing table.
          [2] address -- The address being learned or unlearned.  This can
          be  an IPv4 address such as "198.162.10.14", an IPv4 subnet such
          as "198.162.10.0/24", or an ethernet MAC address (when --dev tap
          is being used) such as "00:FF:01:02:03:04".
          [3] common name -- The common name on the certificate associated
          with the client linked to this address.  Only present for  "add"
          or "update" operations, not "delete".

          On  "add"  or  "update" methods, if the script returns a failure
          code (non-zero), OpenVPN will reject the address  and  will  not
          modify its internal routing table.

          Normally, the cmd script will use the information provided above
          to set appropriate firewall entries on the  VPN  TUN/TAP  inter‐
          face.  Since OpenVPN provides the association between virtual IP
          or MAC address and the client's authenticated  common  name,  it
          allows  a user-defined script to configure firewall access poli‐
          cies with regard to the client's high-level common name,  rather
          than the low level client virtual addresses.

相关内容