On Mon, 29 Oct 2012 12:57:23 +0000 Mark Rogers mark@quarella.co.uk allegedly wrote:
> On 27 October 2012 18:02, mick mbm@rlogin.net wrote:
>> I had a think about this and then set up a test system to enable someone "on the internet" to connect to another system "on the internet" behind two (or more) NAT routers.
> That all looks great, thanks for the effort. I need to find the time to play with it but it looks like a good starting point for me.
> I wasn't sure looking through it (I haven't read it in detail yet) whether it dealt with Chris' specific problem of ensuring that anyone who got onto the boat did not thus gain access to his home network?
Yes it does, because the VPN end point is on a VPS "somewhere out there" and not on his home network (where it could easily be placed). The only connection between the VPS and the home network is an SSH session out to the VPS from the home network. Of course someone on the boat could get out to the VPS if they could compromise the boat system and knew the client VPN passwords (though I didn't use passwords in my example).
> For my needs, what I really want is a single server (VPS) with the ability to control which connections can connect to which (and in which direction). I.e. I might have 10 "devices" and 10 "users" (i.e. 20 connections to the VPN/VPS). In general (but I'm sure I'd find an exception!) no two "users" should be able to connect to each other. The "devices" should not be able to connect to anything (again I'm sure I'd find an exception). I'd then be able to control which "users" could connect to which "devices", ideally through something I can easily manage (e.g. a database). Beyond that basic level I don't really need the ability to control which ports are accessed by which users, but again I'm sure I'd quickly find exceptions to that rule. So, is this something I can manage completely at the VPS end? Is it "just" an iptables configuration issue? (I don't have much experience with iptables but really should change that.)
No, it is not just iptables configuration. Take a look at the main openvpn.net "howto" - specifically the section marked: "Configuring client-specific rules and access policies"
Essentially what you do is specify individual client configurations in a specific directory on the server and then refer to those configurations in a server-side directive (e.g. "client-config-dir /etc/openvpn/clients/client-1"). Each client is then given a specific (and separate) IP address and route to the VPN end point. The VPN server "pushes" those addresses and routes out to the clients when they connect. You then use iptables rules to forward the appropriate traffic over the tun interface.
This has the advantage that (as you want) no two clients can see each other's networks (unless you want them to and configure the VPN server appropriately).
> (For the record, I think I have already come up with exceptions for all of the cases listed above, so think of the above as "defaults" not "fixed in stone" :-)
There are /always/ exceptions...
Cheers
Mick
---------------------------------------------------------------------
blog: baldric.net gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
---------------------------------------------------------------------
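The per-client configuration plus iptables forwarding that mick describes above, worked through as an added example (not code from the thread or from OpenVPN itself). It assumes a VPN subnet of 10.8.0.0/24 on tun0, "topology subnet" in server.conf, a client-config-dir of /etc/openvpn/clients, and a constructed address plan and user-to-device access list; it prints the files and iptables commands rather than applying them, so the result can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: generate per-client OpenVPN config files and the iptables
# FORWARD rules that implement a "which user may reach which device" policy.
# Assumed (not from the thread): 10.8.0.0/24 on tun0, topology subnet,
# client-config-dir /etc/openvpn/clients. Commands are printed, not executed.
TUN=tun0
CCD=/etc/openvpn/clients

# Constructed address plan: "<client-name> <role> <fixed-vpn-ip>".
CLIENTS='
alice user 10.8.0.11
bob user 10.8.0.12
boat device 10.8.0.101
shed device 10.8.0.102
'
# Constructed access list: "<user> <device>" pairs that are allowed.
ACL='
alice boat
bob shed
'

ip_of() { echo "$CLIENTS" | awk -v n="$1" '$1==n {print $3}'; }

# Contents of $CCD/<name>: pin the client's VPN address so iptables can
# key on it (the server pushes this to the client when it connects).
ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$(ip_of "$1")"
}

# Default-deny between VPN clients; allow only listed user->device flows.
# Devices never get a NEW rule, so they cannot initiate anything, and no
# user->user pair is listed, so users cannot see each other.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $TUN -o $TUN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$ACL" | awk 'NF==2' | while read -r user dev; do
        echo "iptables -A FORWARD -i $TUN -o $TUN -s $(ip_of "$user") -d $(ip_of "$dev") -m conntrack --ctstate NEW -j ACCEPT"
    done
}

main() {
    echo "$CLIENTS" | awk 'NF==3 {print $1}' | while read -r name; do
        echo "# $CCD/$name:"; ccd_entry "$name"
    done
    gen_rules
}
main
```

Changing the ACL (for example from a database export in the same two-column form) and re-running the script regenerates the rule set without touching the client configs.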