I have an OpenVPN server running on a Debian box. What I want to do is block all traffic between the clients connected to that OpenVPN server.
The server's local IP is 10.10.10.1 and the clients have IPs 10.10.10.2-10.10.10.8.
I tried using iptables, but it seems that the traffic between clients never leaves tun0, so I can't block it.
What can I do? Is there some iptables rule that can block traffic within an interface (tun0)?
client-to-client is not enabled in server.conf, but for some reason the users can still ping and talk to each other.
Solution
It seems you have the "client-to-client" option turned on in your server openvpn config. You should remove it, since by default openvpn does not route client-to-client traffic.
Here is the text from the openvpn man page:
client-to-client
Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router.
The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.
When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
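Added example (not part of the question or the answer above) covering both halves of the problem. With client-to-client on, OpenVPN switches packets between clients inside its own process and they never enter the kernel, so no iptables rule can see them; this is exactly the "never leaves tun0" symptom. With the option off, a packet from one client to another enters the kernel on tun0, is routed (net.ipv4.ip_forward=1), and leaves on tun0 again, so it traverses the FORWARD chain with `-i tun0 -o tun0`, and that is where it can be dropped. Client-to-server traffic goes through INPUT/OUTPUT and is not affected. The script checks a config file for the option, prints a copy with it commented out, and prints (or, as root with `apply`, installs) the isolating rules. The config path /etc/openvpn/server.conf, the interface name tun0, and the chain name VPN_ISOLATE are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or the answer above.
# Assumptions: OpenVPN server in tun mode on tun0 (Debian), clients in
# 10.10.10.0/24, config at /etc/openvpn/server.conf (path assumed), iptables
# present and net.ipv4.ip_forward=1 on the server. "apply" must run as root.

CONF="${OPENVPN_CONF:-/etc/openvpn/server.conf}"
IFACE="${VPN_IFACE:-tun0}"

# Step 1: is client-to-client active in a config file? (exit 0 = yes)
# An uncommented "client-to-client" line makes OpenVPN switch packets between
# clients in user space; they never reach the kernel, so iptables cannot see them.
conf_has_client_to_client() {
    grep -Eq '^[[:space:]]*client-to-client([[:space:]].*)?$' "$1"
}

# Step 2: print the config with that line commented out (to stdout; review it,
# write it back and restart the openvpn service).
disable_client_to_client() {
    sed -E 's/^([[:space:]]*)client-to-client(([[:space:]].*)?)$/\1#client-to-client\2/' "$1"
}

# Step 3: the iptables rules that isolate clients once the option is off.
# Without client-to-client, a packet from 10.10.10.2 to 10.10.10.3 enters the
# kernel on tun0, is routed, and leaves on tun0 again, so it passes FORWARD
# with -i tun0 -o tun0. A dedicated chain logs (rate-limited) and then drops.
# Client<->server traffic uses INPUT/OUTPUT and is untouched.
isolation_rules() {
    iface="$1"
    printf '%s\n' \
        "iptables -N VPN_ISOLATE" \
        "iptables -A VPN_ISOLATE -m limit --limit 5/min -j LOG --log-prefix 'vpn-c2c-drop: '" \
        "iptables -A VPN_ISOLATE -j DROP" \
        "iptables -I FORWARD 1 -i $iface -o $iface -j VPN_ISOLATE"
}

# Step 4: show what is in place on a live box (run as root).
# Clients still reaching each other with the option off means the kernel is
# forwarding between them: ip_forward=1 and nothing in FORWARD stops tun0->tun0.
show_state() {
    if conf_has_client_to_client "$CONF"; then
        echo "client-to-client is ON in $CONF: remove it first, iptables cannot see that traffic"
    else
        echo "client-to-client is off in $CONF"
    fi
    echo "net.ipv4.ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    iptables -S FORWARD | grep -- "-i $IFACE -o $IFACE" || echo "no $IFACE-to-$IFACE FORWARD rule installed"
}

case "${1:-}" in
    check) show_state ;;                        # inspect config, ip_forward, FORWARD
    show)  isolation_rules "$IFACE" ;;          # print the rules only
    apply) isolation_rules "$IFACE" | sh -e ;;  # install them (root)
esac
```

Usage: `sh vpn-isolate.sh check` to see why clients can reach each other, `sh vpn-isolate.sh show` to review the rules, then `sudo sh vpn-isolate.sh apply`. After applying, a ping from 10.10.10.2 to 10.10.10.3 should fail and `iptables -S FORWARD` should list the `-i tun0 -o tun0 -j VPN_ISOLATE` rule first; persist it with iptables-persistent (or equivalent), since the rules do not survive a reboot on their own.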