OpenVPN client to client traffic

Hello there,

Any ideas as to why clients are able to communicate with each other even though client-to-client is NOT enabled? Following are my /etc/pf.conf and /usr/local/etc/openvpn/server.conf.

Any help would be very much appreciated!

pf.conf:
Code:
ext_if="re0"
vpn_if="tun0"
vpn_net="{10.1.1.0/24}"   # defined but never referenced by the rules below
set skip on lo
# translation rules: NAT and rdr are applied before the filter rules are evaluated
nat on $ext_if from 10.1.1.0/24 to any -> $ext_if
# http/s to squid (transparent proxy running on the server itself)
rdr on $vpn_if proto tcp from any to any port 80 -> 127.0.0.1 port 3129
rdr on $vpn_if proto tcp from any to any port 443 -> 127.0.0.1 port 3127
block in all
pass in quick proto udp from any to port 1194 keep state label "openvpn"
pass in quick proto tcp from any to port 22 keep state label "ssh"
pass out on $ext_if proto { tcp udp icmp } all modulate state
# passes everything on tun0 in both directions, client-to-client traffic included
pass quick on $vpn_if
server.conf:
Code:
management 127.0.0.1 16
management-log-cache 100
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.1.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir static-configs
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 60
tls-auth keys/ta.key 0
cipher BF-CBC   # 64-bit block cipher; deprecated since OpenVPN 2.4 and no longer the default in 2.5
comp-lzo        # compressing traffic before encryption is deprecated (VORACLE)
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 4
mute 20
 
What makes you think it shouldn't be possible? I see nothing in your configuration that would block that kind of traffic. The only rule that has any meaning for the traffic inside the VPN is the pass quick on $vpn_if, and that allows all traffic, including client to client.
 
I thought since client-to-client wasn't enabled, OpenVPN might automatically configure tun0 in such a way that clients couldn't communicate with one another. Guess I was wrong :)

Could you suggest a PF rule(s) that would accomplish this?
 
I would suggest taking out the NAT if possible. Because that's going to complicate things. A rule like:
Code:
block in on $vpn_if from $vpn_net to $vpn_net
That should do the trick. But remember that NAT happens before any rules are evaluated, so the NAT will have consequences for the packet's source address and the above might not work while NAT is active.

Although, on second thought, it may work, as the NAT only happens for packets going out $ext_if. But then again it may not work at all, because the client to client traffic never actually leaves the tun0 interface, so the PF rules never get evaluated for it. I'm usually not that worried about client to client traffic. If the clients are physically connected to the network, instead of via a VPN, client to client traffic is possible too.
 
From what I remember, everything from the clients comes in via the tun0 interface anyway, regardless of the client-to-client setting. I could be wrong though. You can check whether this is true by listening on tun0 with tcpdump(8) while the clients have active traffic over the VPN tunnel.
 
Thanks @SirDice and @kpa, I was able to add the following to my pf.conf and it works perfectly. I love PF.

Code:
user_range ="{10.1.1.100 - 10.1.1.254}"
....
block in quick on $vpn_if from $user_range to $user_range
....
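A fuller version of the ruleset, added here as a worked example; it is not code from any post in the thread. It assumes the server's own end of tun0 is 10.1.1.1 (the first address OpenVPN's server directive hands out) and keeps the squid redirection from the original pf.conf. Two points the thread only touches on: the block rule must carry quick and must sit before pass quick on $vpn_if, otherwise that earlier quick pass ends evaluation first; and because rdr runs before filtering, a client's request to another client's port 80 or 443 would be rewritten to 127.0.0.1 and handed to squid instead of being blocked, so the rdr rules below exclude destinations inside the VPN network.

```pf
ext_if="re0"
vpn_if="tun0"
vpn_net="10.1.1.0/24"
vpn_srv="10.1.1.1"      # assumption: the server side of tun0 (first address of the pool)

set skip on lo

# Translation happens before filtering. Without the "to ! $vpn_net" exclusion a
# client's HTTP request to another client would be rewritten to 127.0.0.1, reach
# squid, and be fetched by squid from the server's own address, sidestepping the
# client-to-client block further down.
nat on $ext_if from $vpn_net to any -> $ext_if
rdr on $vpn_if proto tcp from $vpn_net to ! $vpn_net port 80  -> 127.0.0.1 port 3129
rdr on $vpn_if proto tcp from $vpn_net to ! $vpn_net port 443 -> 127.0.0.1 port 3127

block in all
pass in quick proto udp from any to port 1194 keep state label "openvpn"
pass in quick proto tcp from any to port 22 keep state label "ssh"
pass out on $ext_if proto { tcp udp icmp } all modulate state

# Order matters: "quick" stops evaluation at the first match, so both rules must
# come before the catch-all pass on tun0. Clients keep access to the server
# itself but cannot reach each other.
pass in quick on $vpn_if from $vpn_net to $vpn_srv keep state label "vpn-to-server"
block in quick on $vpn_if from $vpn_net to $vpn_net label "vpn-c2c"
pass quick on $vpn_if
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f. To confirm the rule is actually being hit rather than bypassed, run tcpdump -ni tun0 src net 10.1.1.0/24 and dst net 10.1.1.0/24 while one client pings another and watch the vpn-c2c counter in pfctl -sl. This only works because the server has no client-to-client directive: with that directive OpenVPN forwards client-to-client packets internally and they never appear on tun0, so PF never sees them.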
 