
Resolved
What rules would I need to add (not sure if in firewall.d/custom or elsewhere) to open certain ports only from the internal network or tun+?
For example, I want to connect to port 9999 on eth4 from the WAN, but only when connected through the VPN.

[use case]
I need to access multiple machines on different VLANs on the network and do not remember all the local IPs. I need to log in frequently, and do so with wanip:port (they are all configured in 1:1 NAT).
I want to change this so that I can only connect to them when connected to the ClearOS VPN (tun0/1). However, I don't want all my local traffic to route through the VPN, so in the OpenVPN client config I set "ignore-auto-routes=true" and "never-default=true". Now I want to connect using wanip:port without the port configured in 1:1 NAT (or with it configured but blocked at some other level for ppp+).

Any help appreciated.
Saturday, October 27 2018, 11:56 PM
Responses (7)
    Tuesday, October 30 2018, 09:41 PM
    Nick Howitt wrote:
    With the default configs, OpenVPN only routes LAN traffic through the VPN. If you create your own client configuration then anything may happen. I used to use a configurator in another distro and this may have set OpenVPN as the default route but this is not the norm.


    I posted a new issue relating to this, I would appreciate if you can take a look and see if you can give me some pointers https://www.clearos.com/clearfoundation/social/community/vpn-always-redirecting-gateway.

    (I think I can close this issue)
    Monday, October 29 2018, 11:08 AM
    You may do best to go to the OpenVPN forums for this set up.

    I will, thanks

    Can I ask if these users also connect directly to your LAN? If they do then at that point they have full access to your LAN and then there may be little point in restricting access when connecting by VPN.

    They connect using VPN. My rules are:
    $IPTABLES -I FORWARD -s 10.9.0.0/24 -j DROP # Drop all traffic from VPN2 range
    $IPTABLES -I FORWARD -o p4p6 -s 10.9.0.0/24 -d 192.168.5.12 -j ACCEPT # access machine 12 from VPN2
    $IPTABLES -I FORWARD -o p4p6 -s 10.9.0.0/24 -d 192.168.5.17 -j ACCEPT # access machine 17 from VPN2

    This works fine; I just need to sort out the certs for VPN2.
    Sunday, October 28 2018, 09:34 PM
    ClearOS will not be able to generate group based certificates which is what I believe you need but you can use openssl from command line. The certificates must use your ca-cert.pem in /etc/pki/CA.

    Also I don't think you need separate conns. You can use the certificates for group based login scripts. I don't think you can limit access to the VPN instance by group unless you generate different CA's and system certificates for each group/each OpenVPN instance.

    You may do best to go to the OpenVPN forums for this set up.

    Can I ask if these users also connect directly to your LAN? If they do then at that point they have full access to your LAN and then there may be little point in restricting access when connecting by VPN.
    Sunday, October 28 2018, 06:53 PM
    If you don't have multiple IP's then that rules out 1-to-1 NAT.

    I do have multiple IPs, but I wanted to start on a less complex one. However, it seems I bit off more than I can chew on this one, so I am just going to remove the port-forwarding and use local IPs over the VPN.

    What I do want to do is allow different VPN users access to different machines. The way I want to achieve it is by creating multiple VPN instances, each with a different IP range, and sort out the access in custom iptables rules.

    It's pretty straightforward to set this up, but there is nothing to stop the VPN user from changing the port they connect to and being on a different IP range. The only way around this I can see is to create a different cert and key for each VPN instance. The question is, would the ClearOS web portal be able to manage this (add a user to a specific VPN instance and generate user certs for that instance)? If not, how would I create them manually (the VPN cert/key for the VPN instance and the user certs)?
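    An added example, not from the thread or from ClearOS, of the "different CA per OpenVPN instance" approach discussed in the two posts above: each instance gets its own self-signed CA, client certificates are issued only by that CA, and a certificate from one instance fails the chain check against the other, so pointing a client at a different instance's port gets it nowhere. The instance names vpn1/vpn2, the users alice/bob and the working directory are placeholders; ClearOS's own ca-cert.pem in /etc/pki/CA is not touched. It needs only the openssl command line:

```sh
#!/bin/sh
# Added example (not from the thread or ClearOS): one private CA per OpenVPN
# instance, so a client certificate issued for VPN1 is rejected by VPN2 even
# if the user simply points their client at VPN2's port. Everything is written
# under $WORK (a temp dir by default); ClearOS's own CA in /etc/pki/CA is unused.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA for one VPN instance (NAME-ca.key / NAME-ca.crt)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1-CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# issue_client CA USER: client key + CSR, signed by that instance's CA only
issue_client() {
  ca=$1; user=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$user.csr" \
    -CA "$WORK/$ca-ca.crt" -CAkey "$WORK/$ca-ca.key" -CAcreateserial \
    -out "$WORK/$user.crt" 2>/dev/null
}

# cert_ok CA USER: succeeds only if USER's cert chains to CA's root. This is
# the check an OpenVPN server makes against the file named in its "ca"
# directive before any credential is accepted.
cert_ok() {
  openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

demo() {
  make_ca vpn1; make_ca vpn2
  issue_client vpn1 alice    # alice belongs to the VPN1 group
  issue_client vpn2 bob      # bob belongs to the VPN2 group
  cert_ok vpn1 alice && echo "alice accepted by vpn1"
  cert_ok vpn2 alice || echo "alice rejected by vpn2"
}

# Only run the demonstration when openssl is actually installed.
command -v openssl >/dev/null 2>&1 && demo
```

    Each OpenVPN instance then points its "ca" directive at its own NAME-ca.crt, and that instance's server certificate has to be issued from the same CA (this toy issuer sets no extended key usage, so a server certificate meant for clients using "remote-cert-tls server" needs the serverAuth EKU added). Group membership becomes a property of which CA signed the certificate rather than of which port the client chose.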
    Sunday, October 28 2018, 04:17 PM
    If you don't have multiple IP's then that rules out 1-to-1 NAT.

    With the default configs, OpenVPN only routes LAN traffic through the VPN. If you create your own client configuration then anything may happen. I used to use a configurator in another distro and this may have set OpenVPN as the default route but this is not the norm.

    You can use port forwarding without OpenVPN and use port redirection to contact each machine with a single WAN IP. If you have only a single WAN IP I am not aware how you can selectively route traffic for some ports through the VPN and traffic for others externally.

    The options you mentioned being pushed only affect DNS and the default domain. I am not sure that DNS option necessarily works in Linux either. There is another job you have to run as part of the up script which will do that (/etc/openvpn/update-resolv-conf.sh?).

    Forget EXTRALANS for the moment. This only works for extra LANs or IPs which need tunnelling, but you can't tunnel just some of your WAN IP. This would work if you had multiple WAN IPs or multiple LAN subnets.

    No point in going for a tun+ rule unless you can find a way of selectively routing certain ports from your WAN IP.

    DNS may be the easiest option but you need to find out if you need to run a /etc/openvpn/update-resolv-conf.sh script in your distro. Once you have DNS resolving machineX.example.tld to your LAN IPs, then you can access them by machine name. This is no harder than setting up individual port forwards.

    From your client, what does your connection log look like (with a default setup)?
    Sunday, October 28 2018, 12:20 PM
    I don't understand where the VPN comes into this. You are bypassing OpenVPN by going directly via the WAN.

    You are right, don't know what I was thinking.

    If you are using 1-to-1 NAT, I presume you use a different IP to access the LAN machines from the one that OpenVPN connects with.

    I was running before walking here. Let's drop NAT and talk about regular port-forwarding. Is there a way to make it so that I can only access the machines through the WAN IP when connected via tun+?

    Can you add more routes to the clients.conf covering the WAN IP that you use to connect to your machines? You can probably use the "EXTRALANS" parameter in /etc/clearos/network.conf. This would force the WAN IP through the tunnel.

    I am not sure what to put in EXTRALANS and what exactly it does.

    You may then be able to use a POSTROUTING rule to DNAT any WAN_IP:port combination to each machine which you can restrict to the incoming tun adaptor with a "-i tun+".

    What would this rule look like? (example?)

    I also don't see what you are doing with OpenVPN and "ignore-auto-routes=true"/"never-default=true" unless you've told OpenVPN to push all traffic through the VPN manually as it does not normally do that.

    I am at a loss on this. My clients.conf file pushed "dhcp-option DNS x.x.x.x", "dhcp-option DOMAIN example.tld" and all the VLANs. Disabling both dhcp-options still routed all traffic through the VPN (local DNS would not resolve). I tried "never-default=true" in my local conf file (and removed "ignore-auto-routes=true"), and now I can access all the LANs and the rest of the traffic is not routed through the VPN.

    Have you considered a DNS solution at all, where you give each machine a name in your external DNS provider and do the same in the internal DNS? Then you connect to the machine by name. When connected to OpenVPN, if it uses your internal resolver, you'll connect through OpenVPN, and, if not connected to OpenVPN, it will use the external resolver. Windows 10 is a bit dodgy with this but it can be got round.

    I haven't considered this as it seems too much to manage; I add and remove machines constantly (I only use Linux, so I'm not worried about config for Windows).

    MANY MANY THANKS for taking the time to reply.
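    An added example, not from the thread or from ClearOS, covering both the FORWARD rules posted in the October 29 reply and the "-i tun+" DNAT rule asked for in the post above. The interface name p4p6 and the 10.9.0.0/24 and 192.168.5.x addresses are taken from the thread; the WAN address 203.0.113.10 and the 9999-to-SSH mapping are placeholders. The two functions are written for /etc/clearos/firewall.d/custom, where ClearOS exposes the iptables binary as $IPTABLES; run the file on its own and it only prints the rules it would install:

```sh
#!/bin/sh
# Added example (not from the thread or ClearOS): helpers for a
# /etc/clearos/firewall.d/custom script. ClearOS custom firewall scripts use
# $IPTABLES for the iptables binary; default to a dry run so this file can be
# executed anywhere to preview the rules it would install.
IPTABLES="${IPTABLES:-echo iptables}"

# Assumed addresses (placeholders, adjust to your own network):
VPN_NET="10.9.0.0/24"   # tun range of the restricted VPN instance ("VPN2")
LAN_IF="p4p6"           # LAN-side interface named in the thread
WAN_IP="203.0.113.10"   # documentation address standing in for the real WAN IP

# vpn_host_allow NET LAN_IF HOST...
# Default-deny forwarding from NET, then allow only the listed LAN hosts.
# Every rule is inserted with -I (prepend), so the ACCEPTs land above the
# DROP no matter how many hosts are given.
vpn_host_allow() {
  net=$1; lan=$2; shift 2
  $IPTABLES -I FORWARD -s "$net" -j DROP
  for host in "$@"; do
    $IPTABLES -I FORWARD -o "$lan" -s "$net" -d "$host" -j ACCEPT
  done
}

# dnat_via_tun WAN_IP DPORT DEST[:PORT]
# Make WAN_IP:DPORT reach DEST only for connections arriving on a tun
# interface. The DNAT goes in nat/PREROUTING (the destination must be
# rewritten before the routing decision), matched on -i tun+ so the same
# port stays closed to packets that arrive on the WAN NIC. The FORWARD rule
# admits the rewritten flow; reply packets are assumed to be covered by the
# firewall's usual ESTABLISHED,RELATED rule.
dnat_via_tun() {
  wan_ip=$1; dport=$2; dest=$3
  case $dest in
    *:*) dest_host=${dest%%:*}; dest_port=${dest#*:} ;;
    *)   dest_host=$dest;       dest_port=$dport ;;
  esac
  $IPTABLES -t nat -I PREROUTING -i tun+ -p tcp -d "$wan_ip" --dport "$dport" \
    -j DNAT --to-destination "$dest_host:$dest_port"
  $IPTABLES -I FORWARD -i tun+ -p tcp -d "$dest_host" --dport "$dest_port" -j ACCEPT
}

# Policy from the thread: VPN2 clients reach machines .12 and .17 only, and
# WAN_IP:9999 lands on machine .12's SSH port, but only from inside a tunnel.
vpn_host_allow "$VPN_NET" "$LAN_IF" 192.168.5.12 192.168.5.17
dnat_via_tun "$WAN_IP" 9999 192.168.5.12:22
```

    For the DNAT to matter, the client has to send WAN_IP into the tunnel (a pushed route for WAN_IP/32, or the EXTRALANS route the thread mentions); otherwise the packet leaves by the client's own default route and never arrives on tun+. The rewrite sits in PREROUTING rather than POSTROUTING because nat/POSTROUTING only sees packets after the routing decision, when changing the destination is too late.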
    Sunday, October 28 2018, 08:05 AM
    I don't understand where the VPN comes into this. You are bypassing OpenVPN by going directly via the WAN. If you are using 1-to-1 NAT, I presume you use a different IP to access the LAN machines from the one that OpenVPN connects with.

    Can you add more routes to the clients.conf covering the WAN IP that you use to connect to your machines? You can probably use the "EXTRALANS" parameter in /etc/clearos/network.conf. This would force the WAN IP through the tunnel. You may then be able to use a POSTROUTING rule to DNAT any WAN_IP:port combination to each machine which you can restrict to the incoming tun adaptor with a "-i tun+".

    I've no idea if this is going in the right direction as I don't see what you are trying to achieve, as any 1-to-1 NAT rule by port automatically blocks other traffic. I also don't see what you are doing with OpenVPN and "ignore-auto-routes=true"/"never-default=true" unless you've told OpenVPN to push all traffic through the VPN manually as it does not normally do that.

    Have you considered a DNS solution at all, where you give each machine a name in your external DNS provider and do the same in the internal DNS? Then you connect to the machine by name. When connected to OpenVPN, if it uses your internal resolver, you'll connect through OpenVPN, and, if not connected to OpenVPN, it will use the external resolver. Windows 10 is a bit dodgy with this but it can be got round.

    [edit]
    If you want to uniquely use OpenVPN, don't even set an external DNS name for each LAN device. That would neatly sidestep the Win10 bug.
    [/edit]