I have three segments behind an OpenVPN server: DMZ (192.168.1.x), Dev (192.168.2.x) and PROD (192.168.3.x). There are two groups of users: one group may connect from OpenVPN to all segments, while I want to restrict the other users to the Dev segment only. What is the best way to do this?
OpenVPN users are assigned IP addresses in the 10.10.11.x network.
Answer 1
The best way is to give each group its own /24 subnet, or split 10.10.11.0/24 and do some iptables magic to block the dev users.
But I think, if your network supports it, the best practice is to add VLAN tagging for each subnet. Give the dev users their own /24 in OpenVPN, then set up some firewall rules so that only the dev VLAN is allowed to connect to certain other LANs.
Answer 2
OpenVPN has a switch called --learn-address that can be used to generate rules...
In this script you basically check the CN and add/remove iptables rules for the IP.
Extract from the OpenVPN man page:
--learn-address cmd
Run script or shell command cmd to validate client virtual
addresses or routes.
cmd will be executed with 3 parameters:
[1] operation -- "add", "update", or "delete" based on whether
or not the address is being added to, modified, or deleted from
OpenVPN's internal routing table.
[2] address -- The address being learned or unlearned. This can
be an IPv4 address such as "198.162.10.14", an IPv4 subnet such
as "198.162.10.0/24", or an ethernet MAC address (when --dev tap
is being used) such as "00:FF:01:02:03:04".
[3] common name -- The common name on the certificate associated
with the client linked to this address. Only present for "add"
or "update" operations, not "delete".
On "add" or "update" methods, if the script returns a failure
code (non-zero), OpenVPN will reject the address and will not
modify its internal routing table.
Normally, the cmd script will use the information provided above
to set appropriate firewall entries on the VPN TUN/TAP interface.
Since OpenVPN provides the association between virtual IP
or MAC address and the client's authenticated common name, it
allows a user-defined script to configure firewall access policies
with regard to the client's high-level common name, rather
than the low level client virtual addresses.
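A learn-address script along the lines this answer describes, added here as an illustration and not written by the answer's author. It assumes the tun interface is tun0, a constructed list of full-access CNs (alice, bob), and it keeps one iptables chain per learned address so that the "delete" operation, which carries no CN, can still tear down that client's rules:

```shell
#!/bin/sh
# Illustrative OpenVPN --learn-address hook (not from the original answers).
# Assumed policy: CNs in FULL_ACCESS_CNS may reach DMZ, Dev and PROD;
# every other CN may reach only Dev. Segment ranges come from the question.
IPTABLES="${IPTABLES:-iptables}"
VPN_IF="${VPN_IF:-tun0}"
FULL_ACCESS_CNS="${FULL_ACCESS_CNS:-alice bob}"   # constructed sample CNs
ALL_NETS="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"
DEV_NET="192.168.2.0/24"

# One chain per learned address, so "delete" (which carries no CN) can still
# drop every rule for that client by flushing and removing its chain.
chain_for() { echo "vpn_$(echo "$1" | tr '/' '_')"; }

allowed_nets_for() {
    for full in $FULL_ACCESS_CNS; do
        [ "$full" = "$1" ] && { echo "$ALL_NETS"; return; }
    done
    echo "$DEV_NET"
}

# Print the iptables commands for one operation; nothing is executed here.
rules_for() {
    op="$1"; addr="$2"; cn="$3"; chain=$(chain_for "$addr")
    case "$op" in
        delete|update)
            echo "$IPTABLES -D FORWARD -i $VPN_IF -s $addr -j $chain"
            echo "$IPTABLES -F $chain"
            echo "$IPTABLES -X $chain" ;;
    esac
    case "$op" in
        add|update)
            echo "$IPTABLES -N $chain"
            for net in $(allowed_nets_for "$cn"); do
                echo "$IPTABLES -A $chain -d $net -j ACCEPT"
            done
            echo "$IPTABLES -A $chain -j DROP"
            echo "$IPTABLES -I FORWARD -i $VPN_IF -s $addr -j $chain" ;;
    esac
}

# Entry point called by OpenVPN: run each command, fail closed on any error.
learn_address() {
    [ "$#" -ge 2 ] || return 1
    rules_for "$@" | while IFS= read -r cmd; do $cmd || exit 1; done
}

if [ "$#" -ge 2 ]; then learn_address "$@"; fi
```

Reply packets enter FORWARD from the LAN side, so the firewall also needs a conntrack ESTABLISHED,RELATED accept rule, and the server config must reference the script with learn-address and script-security 2.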